The Function of Corporate Security within Large Organisations
The Interrelationship between Information Security and Business Strategy
Laura Georg
Thesis published with the support of the university continuing-education programmes in information systems security, University of Geneva, HEC-Genève
Published in the same series:
DE BLASIS, Jean-Paul (2004), Dictionnaire illustré de la sécurité des systèmes d'information, HEC-Genève, Université de Genève, October 2004, 312 pp.
HEC Section
The Function of Corporate Security within Large Organisations:
The Interrelationship between Information Security and Business Strategy
Thesis presented to the Faculty of Economic and Social Sciences
of the University of Geneva
by
Laura GEORG
for the degree of
Doctor of Economic and Social Sciences
Specialisation: Business Management (Mention Gestion d'entreprise)
Members of the thesis jury:
Prof. Dr. Jean-Paul DE BLASIS, Geneva, thesis supervisor
Prof. Dr. Dimitri KONSTANTAS, Geneva, President
Prof. Dr. Gilbert PROBST, Geneva
Dr. Lorenzo VALERI, Rome
Thesis no. 629, Geneva, 2007
The Faculty of Economic and Social Sciences, on the recommendation of the jury, has authorised the printing of this thesis without thereby expressing any opinion on the propositions stated therein, which remain the sole responsibility of their author. Geneva, 23 March 2007. The Dean, Pierre ALLAN
Printed from the author's manuscript
© Laura Georg / Editions, Geneva, May 2007
ISBN 978-3-033-01230-1
Acknowledgements
A number of people have contributed to this thesis. For their support, trust, and advice I am thoroughly thankful. They have not only helped the completion of this research work but also influenced my personal understanding of academics, information security, and business.
First of all, I would like to thank my supervisor Prof. Dr. Jean-Paul De Blasis. He gave me the theoretical basis for my thesis and provided me with the knowledge of all information security issues relevant to my research. Throughout the research he supported me in every aspect, and I hope to have earned the trust he put in me when I first arrived at the University of Geneva.
Dr. James Backhouse opened to me the research world of the London School of Economics and Political Science that gave me directions in my research and a profound understanding of academic research work.
To Dr. Lorenzo Valeri I owe constant and most constructive advice on how to manage and resolve the obstacles of a doctorate. I am very grateful for his engagement and belief in me.
For her support in the initial phase of my thesis, I would like to thank Doris Pack, MEP, who allowed me to use contacts and facilities of the European Parliament for my thesis research.
With Prof. Dr. Gilbert Probst I had most valuable discussions on all strategic questions that turned up throughout the research. Dr. Robert Coles gave me insights into the research of information security management. Dr. Jonathan Liebenau’s great academic experience and insights impressed me and influenced my research. Prof. Dr. Larry Gordon and Prof. Dr. Martin Loeb at the University of Maryland widened my academic background in the field of information security economics. Prof. Jean Bloch provided me with all information I needed on information security governance and has been a vivid discussion partner throughout my research.
I especially would like to thank my contacts in Bank A, Bank B, TelCo C and SoftCo D as well as the interviewees in the healthcare, e-commerce and pharmaceutical sector. I had very interesting and most valuable conversations that were indispensable for my thesis' research and gave me great insights into information security practice. In all organisations I received outstanding help and met most knowledgeable experts in their field.
For his ringing endorsement, most valuable critique, and endless patience, I would like to thank Jakub Krawczyk.
Throughout all my student years my parents Gisela & Wolfgang Georg were always there for support and helped me through the ups and downs of this journey. Thank you for giving me this opportunity.
Last but not least, I would like to thank Katja Stumpf for her oh so valuable comments when proofreading this thesis.
Executive Summary
The empirical research in this thesis demonstrates that a shift in the information security paradigm took place, in which information security turns from being a defensive to becoming a progressive, value-adding management tool. Twenty-three interviews conducted in a qualitative study of four cases in the UK, Switzerland and Germany in the banking, telecommunications and software development sectors provide empirical validation for the Internal/External Function of Corporate Security (IFCS/EFCS) theory. The theory is based on the observation that the function of corporate security has been undergoing important changes due to new possibilities of processing, safeguarding and accessing information, constantly newly emerging risks and technologies, standards and regulations, and an increasing public attention to security issues. These changes, the thesis argues, lead to an interrelationship between information security and business strategy.
The IFCS/EFCS theory introduces the concept of an internal function and an external function of corporate security using the conceptual framework of responsibility modelling. The internal function comprises what is understood to relate to the classical information risk management that is concerned with defending the existing assets of the organisation. Only the Basel II framework establishes a correlation between operational risk and performance in the financial service industry. The external function circumscribes the technical interface between the internal function and the organisation's external stakeholders. Organisations use trust and reputation to attract investors and customers and create revenue, gain competitive advantage and improve their performance by marketing information security products and services to their customers. The research further shows that a revenue possibility for organisations emerges when customers perceive security to be within their own responsibility. This perception is determined by legal requirements and the customer's knowledge, and ethical and cultural background. Different standards and expectations apply to business and retail customers, which have different levels of expertise and technical capabilities as well as different security concerns. Additionally, the threat of new entrants, peer group pressure and the internalisation of assets were found to determine the business strategy in the four cases. Contrary to prior assumption, certification was not found to create an added value for organisations. Finally, the theory provides an attribution of the three information security principles (confidentiality, integrity and availability) according to their business-related function inside the organisation.
Key Words: Information security management, business strategy, strategic alignment, boundaries of responsibility, international information security standards, IT governance, information risk assessment.
Table of Contents
Table of Contents ......................................................................................................................... .I
List of Figures................................................................................................................................V
List of Tables................................................................................................................................VI
List of Acronyms........................................................................................................................ VII
Introduction...................................................................................................................................1
Part I: Theoretical Aspects of Information Security ....................................................................11
Chapter 1: The Technological (R)Evolution ...............................................................................13
a) Information and Business Intelligence............................................................................14
b) Dimension of Time .........................................................................................................16
c) Going Global ...................................................................................................................17
d) Information Security within Large Organisations and Critical Industries .....................18
e) Operational Dependence: Integrating IT into Business..................................................21
f) Portable Computing Devices...........................................................................................23
Conclusion...............................................................................................................................24
Chapter 2: Information Security: A Holistic Approach ..............................................................25
a) The Principles of Information Security ...........................................................................26
i) Confidentiality, Integrity and Availability (CIA).........................................................26
ii) Additional Principles...................................................................................................28
b) Information Security Strategy..........................................................................................30
i) Formal Measures..........................................................................................................31
ii) Informal Measures.......................................................................................................36
Conclusion...............................................................................................................................41
Chapter 3: Legal Compliance and International Information Security Standards.....................43
a) The Legal Aspects of Information Security .....................................................................43
i) Sarbanes-Oxley Act (SoX) ............................................................................................44
ii) EU Legislation .............................................................................................................45
iii) Jurisdiction and Information Security ........................................................................46
b) De Facto and De Jure Standards .....................................................................................47
c) IT Governance: Enabler of Information Security ...........................................................60
Conclusion...............................................................................................................................62
Chapter 4: Risk Analysis and Risk Assessment ...........................................................................63
a) The Evaluation of Information Systems Risk..................................................................64
b) Critique of Risk Evaluation.............................................................................................66
c) Alternative Possibilities of Quantifying Risk...................................................................67
d) Management of Security Risk..........................................................................................68
e) Information Security and Operational Risk....................................................................69
f) Reputation Risk and Trust ..............................................................................................73
Conclusion...............................................................................................................................75
Chapter 5: The Concept of Business Strategy .............................................................................77
a) Approaches to Constructing Business Strategy ...............................................................77
i) External and Internal Shaping of Business Strategy....................................................78
ii) The Process and Content Approach ...........................................................................79
b) Business Strategy Evaluation ...........................................................................................80
i) Distinctive Competences and Value Added Chain ....................................................81
ii) Enterprise Performance and Alignment......................................................................83
iii) Reputation and Performance ......................................................................................84
iv) Competitive Advantage in Information Security Research.........................................86
Conclusion...............................................................................................................................88
Chapter 6: Theoretical Concepts: Information Security Management in the Need of Control and Design ...................................................................................................................................91
a) The Four Generations of IS Security Development Approaches....................................91
b) The Conceptual Framework of Responsibility Modelling ..............................................93
c) Theoretical Concepts from Security Risk Management to Information Security Governance..............................................................................................................................95
i) Security Risk Planning Model .....................................................................................95
ii) Organisational Chain Framework...............................................................................96
iii) Hybrid Security Method..............................................................................................98
iv) Generally Accepted Information Security Principles (GAISP) ...................................99
v) Crime Specific Opportunity Structure......................................................................100
vi) Security Knowledge Management System .................................................................102
vii) Von Solms Frameworks: from ISM to ISG ...............................................................103
viii) Corporate Governance Task Force ISG Programme ................................................106
d) Theories of Newly Emerging Concepts .........................................................................107
i) Business Process: Information Risk Management Model .........................................107
ii) Multi-Perspective Information Assurance Strategy Framework (MPIAS) .................111
Conclusion.............................................................................................................................113
Conclusion Part I.......................................................................................................................115
Part II: Empirical Research and Analysis...................................................................................119
Chapter 7: Applied Research Methodology ..............................................................................121
a) Positivistic Philosophy ...................................................................................................121
b) A Qualitative Type of Evidence.....................................................................................124
c) Building Theory.............................................................................................................125
d) Case Study Methodology ...............................................................................................128
e) Research Method...........................................................................................................131
i) Unit of Analysis .........................................................................................................131
ii) Data Collection .........................................................................................................132
iii) Data Analysis .............................................................................................................134
Conclusion.............................................................................................................................135
Chapter 8: Case Study Analysis .................................................................................................137
a) Case Study of Bank A....................................................................................................138
i) Environmental Assessment of Bank A ......................................................................138
ii) Role of IT Security.....................................................................................................139
iii) Governance ...............................................................................................................142
iv) Corporate Security Functions in Bank A..................................................................144
v) Characteristics and Development of Product α ........................................................147
vi) Information Security and Measures of Business Strategy .........................................150
Conclusion ........................................................................................................................154
b) Case Study of Bank B ....................................................................................................156
i) Environment of Bank B ............................................................................................156
ii) Role of IT Security.....................................................................................................157
iii) Governance ...............................................................................................................159
iv) Organisational Approach to Information Security ...................................................162
v) Characteristics of Project χ........................................................................................164
vi) Information Security and Measures of Business Strategy .........................................164
Conclusion ........................................................................................................................166
c) Case Study of Telecommunications Company C .........................................................168
i) Environmental Assessment of the TelCo C..............................................................168
ii) Role of Information and Communication Technology (ICT) Security ....................169
iii) Governance ...............................................................................................................170
iv) Organisational Growth and Strategic Alignment of Information Security...............172
v) Characteristics and Development of Product β ........................................................174
vi) Information Security and Business Strategy..............................................................178
Conclusion ........................................................................................................................183
d) Case Study of Software Development Corporation D..................................................184
i) Environmental Assessment .......................................................................................184
ii) Role of IT Security.....................................................................................................185
iii) Governance ...............................................................................................................187
iv) Organisational Approach to Information Security ...................................................189
v) Information Security Solutions and Products...........................................................189
vi) Information Security and Business Strategy..............................................................193
Conclusion ........................................................................................................................200
e) Other Expert Interviews ................................................................................................202
i) Healthcare Sector ......................................................................................................202
ii) Pharmaceutical Sector ...............................................................................................206
iii) E-commerce ...............................................................................................................207
Conclusion ........................................................................................................................208
f) Cross-Case Analysis .......................................................................................................210
Conclusion ........................................................................................................................220
Conclusion Part II .....................................................................................................................222
Chapter 9: Discussion and Theory ............................................................................................223
a) Discussion of Findings in Conjunction with the Enfolding Literature ........................223
b) Developed Hypothesis and Theory ...............................................................................235
c) Embedding of Theory in Other Information Security Management Concepts............242
Conclusion.............................................................................................................................246
General Conclusion...................................................................................................................247
a) Overview of the Thesis ..................................................................................................247
b) Contributions ................................................................................................................249
i) Theoretical Contributions.........................................................................................249
ii) Methodological Contributions..................................................................................250
iii) Practical Contributions .............................................................................................251
c) Implications of the Research Approach ........................................................................253
i) Adequacy of the Research Framework ......................................................................253
ii) Research Design Limitations.....................................................................................253
d) Areas of Further Research .............................................................................................254
Epilogue .................................................................................................................................256
References ..................................................................................................................................259
Annex.........................................................................................................................................281
Annex 1: DTI Information Classification: Protection and Control .....................................281
Annex 2: Business Lines and Beta Factors in the Standardized Approach to Calculate Operational Risk ...................................................................................................................289
Annex 3: ISO 27001 Certification Process ..........................................................................290
Annex 4: Number of ISO 27001 Certified Organisations per Country ..............................291
Annex 5: Management of IT Security....................................................................................292
Annex 6: The Communities (and Schools of Thought) Behind IS Security Approaches ...292
Annex 7: Interview Questions used in Semi-structured Interviews for Case Studies............293
Annex 8: List of Documents and Research Interviews Conducted.......................................294
Annex 9: Bank A's approach to Information Assurance (IA) ...............................................296
List of Figures
Figure 1: Initial Construct of the Function of Corporate Security ...............................................5
Figure 2: What drives information security expenditure? .............................................................7
Figure 3: Total Incidents Reported 1995 - 2003 .........................................................................19
Figure 4: Shain: Impacts Resulting from Information Security Breaches ...................................27
Figure 5: De Jure and De Facto Standards: Classification of Guidance .....................................49
Figure 6: Plan-Do-Check-Act Model ............................................................................................51
Figure 7: ISO/IEC 15408: Standards Influences ........................................................................54
Figure 8: Component of the COSO ERM Model.......................................................................57
Figure 9: Typical Loss Distribution for Operational Risk losses .................................................70
Figure 10: Conceptual Domain of Business Policy and Strategy.................................................83
Figure 11: Probabilities on Perceived Organisational Reputation and Organisational Performance.........................................................................................................................86
Figure 12: An Overview of Approaches for Secure IS Development ..........................................92
Figure 13: Example of Ontology Chart for a Secure Hospital Environment..............................94
Figure 14: Framework Definition from the Organizational Chain.............................................97
Figure 15: Crime Specific Opportunity Structure .....................................................................101
Figure 16: A Structural Model of IS Security Knowledge .........................................................103
Figure 17: Posthumus/Von Solms Information Security Governance Framework ..................105
Figure 18: BPIRM: Process Model ............................................................................................108
Figure 19: BPIRM: Content Model...........................................................................................110
Figure 20: Multi-perspective information assurance strategy framework ..................................112
Figure 21: Initial Construct of the Function of Corporate Security Revisited .........................115
Figure 22: Classification of Information Security Approaches into the Interpretivistic ...........123
Figure 23: The Function of Corporate Security of Bank A.......................................................155
Figure 24: The Function of Corporate Security of Bank B .......................................................167
Figure 25: Organisation Chart of Telecommunication Company C........................................173
Figure 26: Customer Responsibility for Information Security Protection ................................176
Figure 27: Characteristics of Product β .....................................................................................177
Figure 28: Product β Customer Commitment Analysis ............................................................181
Figure 29: The Function of Corporate Security of Telecommunication Company C..............183
Figure 30: The Function of Corporate Security of Software Development Corporation D.....201
Figure 31: Telematic and Health Card Scheme ........................................................................203
Figure 32: Results on the Function of Corporate Security from Expert Interviews..................209
Figure 33: Internal and External Function of Corporate Security ............................................238
Figure 34: The Role of Business and Retail Customers in the IFCS/EFCS Framework ........240
Figure 35: CIA Principles in the IFCS/EFCS Framework.......................................................241
List of Tables
Table 1: Overview De-Jure Standards ..........................................................................................56
Table 2: Overview De-Facto Standards........................................................................................59
Table 3: Qualitative and Quantitative Risk Prioritization Example............................................65
Table 4: Description of Phases in the Security Risk Planning Model .........................................96
Table 5: Cross-Impact Matrix Relating BFP's to PP's.................................................................100
Table 6: Roadmap for Building Theory from Case Study Research .........................................127
Table 7: Summary Research Methodology ................................................................................135
Table 8: Cross-Case Analysis......................................................................................................219
Table 9: Summary of Case Study Findings................................................................................221
Table 10: Summary Thesis' Contributions................................................................................252
Table 11: Summary of Implications of Research Approach......................................................254
Table 12: Areas of Further Research .........................................................................................255
List of Acronyms
ALE Annual Loss Expectancy
AMA Advanced Measurement Approach
BCP Business Continuity Plan
BFP Broad Functional Principles
BI Business Intelligence
BPIRM Business Process: Information Risk Management
BS British Standard
BSI Bundesamt für Sicherheit in der Informationstechnik
B2B Business-To-Business
B2C Business-To-Customer
CC Common Criteria
CCTA Central Computing and Telecommunications Agency
CEO Chief Executive Officer
CFB Commission Fédérale des Banques
CIA Confidentiality, Integrity, Availability
CIGREF Club Informatique des Grandes Entreprises Françaises
CIO Chief Information Officer
CobiT Control Objectives for Information and Related Technology
COO Chief Operations Officer
COSO Committee of Sponsoring Organizations of the Treadway Commission
CR Corporate Responsibility
CRM Customer Relationship Management
CSTS Comité de Sécurité de Territoire Suisse
DPA Data Protection Act
DPI Differentiation Potential Index
DTI Department of Trade and Industry
EAL Evaluation Assurance Level
E-Com E-commerce
EFCS External Function of Corporate Security
ERM Enterprise Risk Management
ERP Enterprise Resource Planning
EU European Union
FIPS Federal Information Processing Standard
FRS Fraud, Risk, and Security
GAISP Generally Accepted Information Security Principles
GASSP Generally Accepted System Security Principles
HC Health Card
IA Information Assurance
ICT Information and Communication Technology
IDS Intrusion Detection System
IES Intelligence Économique et Stratégique
IEC International Electrotechnical Commission
IFCS Internal Function of Corporate Security
IPSec Internet Protocol Security
IS Information Systems
ISACA Information Systems Audit and Control Association
ISF Information Security Forum
ISG Information Security Governance
ISM Information Security Management
ISMS Information Security Management System
ISO International Organisation for Standardization
ISP Information Security Policy
ISS Information Systems Security
ISSA Information Systems Security Association
IT Information Technology
ITSEC Information Technology Security Evaluation Criteria
ITIL Information Technology Infrastructure Library
KPI Key Performance Indicator
MPIAS Multi-Perspective Information Assurance Strategy
NIST National Institute of Standards and Technology
OE Operational Effectiveness
OECD Organisation for Economic Co-operation and Development
OGC Office of Government Commerce
OpCos Operation Companies
OpVaR Operational Value at Risk
OSE Operational Security Environment
OTP One-Time-Password
PCD Portable Computing Device
PDCA Plan-Do-Check-Act
PDA Personal Digital Assistant
PharmaCo Pharmaceutical Corporation
PP Pervasive Principles
RDR Risk Data Repository
RITE Responsibility, Integrity, Trust, and Ethicality
ROI Return on Investment
SBU Strategic Business Unit
SEC US Security and Exchange Commission
SLA Service Level Agreement
SoftCo Software Development Corporation
SoX Sarbanes-Oxley Act
STOA Scientific and Technological Options Assessment
TCSEC Trusted Computer Security Evaluation Criteria
TelCo Telecommunication Company
TOE Targets of Evaluation
TVS Technology Value Selling
UK United Kingdom
US(A) United States of America
VPN Virtual Private Network
VSM Viable System Model
VoIP Voice-over-Internet Protocol
Introduction
Information technologies developed in the past decade have changed business significantly. Virtually every industry, from banking and securities trading to manufacturing, has undergone an evolution towards more effective and efficient organisation, production, and trading. New telecommunication systems (e.g. video conferencing, VoIP) opened up enormous opportunities and led to a world without geographical boundaries. Telecommunications reach virtually every aspect of business, so that companies are increasingly dependent on computers and networks.1 New applications are created, producing ever more complex systems, which are often too complex to yield a reasonable return on investment, as they require extra training for users and can interfere with other programs; hence new vulnerabilities continue to appear faster than old ones are fixed. While information technology (IT) management and security was not always of great importance to business managers, it became a major topic due to an increasing number of attacks and, in some cases, an exclusive dependence on IT, as in e-commerce or e-banking. Thus firms have to recognise and experience the dangerous sides of this evolution. The security of information systems is often an underestimated risk, and losses of business intelligence, in particular, have already caused great damage. A recent study shows that fraud is a significant and growing threat: 45% of companies worldwide have fallen victim to economic crime in the past two years. This is an eight percent increase compared to comparable studies carried out in 2001 and 2003. In particular, there have been major increases in the number reporting corruption and bribery, money laundering, and financial misrepresentation. The average financial damage to companies from tangible frauds (i.e., asset misappropriation, false pretences, and counterfeiting) is further estimated to be US$ 1.7 million.2
“‘Computer Security’ was originally the preserve of the military, whose concern was to ensure
the secrecy of information which might be helpful to an enemy. As a result, it was assumed that
the key requirements were to build strong defences around the information system, and to keep
the release of information to a minimum. It has taken some time for the commercial world to
shake off these assumptions and to develop new ones of its own”.3 Hawker makes two pertinent points about the understanding of security. The first is that objectives and views on security change over time as the business environment and society change. The second is that security plays an integral role in protecting a corporation’s resources, with the associated need for controls and monitoring activities. These two premises build the foundation for this research work. It shall be argued that the focal point of corporate security is moving away from physical security and mere technology security towards information security. The targets of attacks are organisations’ information assets, hosting what has become in the past decade, for many organisations, a competitive advantage.4 Subsequently, information security has changed and taken on a new function within organisations. Cavanagh writes that “the process of security management is beginning to evolve into a strategic business function”.5 What used to be computer security became information systems security and then information security. With the diffusion of information security into the different departments (operations, legal, human resources and audit), information security had to become more understandable for technical laypersons. To make it understandable to non-security experts, its language changed and became much more business-adapted. The term information security itself already shows the development towards a more holistic approach to security, as the new focal point of corporate security. Other synonyms used for information security today are: information assurance, business security6 or enterprise/information security risk.
1 See Scientific and Technological Options Assessment, Development of Surveillance Technology and Risk of Abuse of Economic Information, 1999, p. 4.
2 See PricewaterhouseCoopers, Global Economic Crime Survey 2005, 2005, p. 2.
3 Hawker, A., Security and Control in Information Systems, 2000, p. 4.
If lessons have been learnt, good management of information security has become part of the overall business objectives and has also led to organisational changes. Already in 1982 Rockart wrote that “the ‘technically oriented’ information systems executive of the 1960s and 1970s is rapidly being replaced by ‘managerially oriented’ executive of the 1980s”.7 A study published by the Club Informatique des Grandes Entreprises Françaises8 (CIGREF) analyses the relationships between information technology and economic intelligence and strategy. According to this study, the person in charge of Intelligence Économique et Stratégique (IES) participates in defining the information security policy in 61% of the cases analysed. His role increases with, and is determined by, the relative competitive advantage of the company and the number of attacks detected.9 Further, according to a 2002 study by McKinsey, some Fortune 500 companies have added strategic, operational and organisational safeguards to the responsibilities of security managers, complementing the technological measures currently employed to protect corporate information.10
4 See Luftman, J., Competing in the information age, 2003, p. 5; see Porter and Miller, How information gives you competitive advantage, 1985, p. 150.
5 Cavanagh, T., Corporate Security Management: Organization and Spending Since 9/11, 2003, p. 5.
6 The term business security is to ‘elevate’ information security to business security, so it “will get the extra focus and attention it needs”, as “if information security risks materialise, business as a whole will be affected”. See Von Solms, B., Von Solms, R., From information security to…business security?, 2005, p. 272.
7 Rockart, J., The Changing Role of the Information Systems Executive: A Critical Success Factors Perspective, 1982, p. 3.
8 See CIGREF, Intelligence économique et stratégique: Les systèmes d’information au cœur de la démarche, 2003, p. 17.
Management, however, tends to look rather at the direct consequences of information loss, whereas the ‘collateral damage’ in many cases goes beyond the direct financial consequences of security breaches:11
Media attention: Information security issues have continually been of special interest to the press. Examples are virus attacks (“I love you” or “Witty”12) or losses of credit card credentials13. Media coverage of these events is exhaustive, and it has a significant influence on the organisation’s environment later on. In the wake of fraud incidents, for example, 40% of organisations indicate that they suffered significant ‘collateral damage’, such as loss of reputation, decreased staff motivation, and declining business relations. The impact of such ‘collateral damage’ is often perceived to be strongest in cases where incidents were leaked to customers or the media.14
External auditor comments: Because of the high impact information security breaches can have on an organisation’s actual value, external audit firms pay increasing attention to the security of information systems. External auditors rely on the adequacy of information and its integrity. Inconsistency of data and the absence of sufficient information systems controls might lead to negative auditor comments and might damage the organisation’s reputation.
Insurance premium rating: Insurance companies are increasingly offering major reductions in premiums for policies related to computer security if the insured meets certain minimum security standards; these might be measured against business interruption or computer fraud. Called ‘premium rating’, this practice reflects the lessened risk insurance companies face when their customers opt for risk reduction rather than risk transfer.
9 The survey was carried out on behalf of the Cigref, accumulating data from companies all over France with more than 200 employees: Cigref, Intelligence économique et stratégique: Les systèmes d’information au cœur de la démarche, 2003, p. 5.
10 See Lohmeyer, D.F., McCrory, J., Pogreb, S., Managing Information Security, 2002, pp. 12.
11 See PricewaterhouseCoopers, Global Economic Crime Survey 2005, 2005, p. 12.
12 See Schmundt, H., Verseuchter Seuchenschutz, 2005.
13 One of the biggest losses occurred in June 2005 when 40 million credit card numbers were hacked. Officials at Mastercard and Visa accused the operating company CardSystems Solutions Inc. of not meeting agreed-upon computer security standards. See Krim, J., Barbaro, M., 40 Million Credit Card Numbers Hacked: Data Breached at Processing Centre, Washington Post, 18 June 2005.
14 See PricewaterhouseCoopers, Global Economic Crime Survey 2005, 2005, p. 2.
Personal liability: Personal liability very often leads to the assignment of responsibilities, even at corporate level. Standards of due care have been developed, and information security practitioners and their managers may be held personally liable if they do not subscribe to the control practices found at similar organisations.15 Managers also face prosecution in case of wantonly negligent handling of information assets or failure to assure the integrity of information in the form of internal controls.
Government laws and regulations: A lot of national and international de jure standards have been produced in the past years, in compliance with government laws and regulations. These help to foster security and present a major incentive for organisations to invest in information security.16
Stakeholder interest: Internal as well as external stakeholders rely on management and see it as management’s responsibility to secure the company’s assets. This also includes the impact such security events have on employees, clients or owners. According to the efficient markets hypothesis developed by Fama et al.,17 new publicly available information is received and immediately absorbed by investors and incorporated into share prices. Studies prove that major impacts on shareholder value can be noticed and lead to major financial losses.18
Although the above arguments go beyond operational tasks and clearly show the organisation’s interest in treating security breaches not as purely technical issues, management and the board are believed to still underestimate the importance of information security. Two reasons can be identified in theory.
Firstly, information security is a defensive instrument to secure an organisation’s assets. The entrepreneurial aspect is missing, and successful management doesn’t show in monetary gains. Managers are therefore less likely to focus on defending what they have than on trying to open new markets.19
Secondly, the effectiveness of techniques for information security, or in other words the return on investment of security measures, is hard to quantify. Feedback to management therefore stays rather at the non-predictive level that generally no major incident occurred. Proactive management only becomes interesting when a security breach occurs, but even in these cases no effective feedback can be received by management to indicate that the effort has actually provided real security.20
15 See Wood, C.C., Effective Information Security Management, 1991, p. 100.
16 Ibid., pp. 99.
17 See Fama, E.F., Fisher, L., Jensen, M., Roll, R., The adjustment of stock prices to new information, 1969, pp. 1.
18 See Garg, A., Curtis, J., Halper, H., Quantifying the financial impact of IT security breaches, 2003, p. 75.
19 See Birchall, D., Ezingeard, J., McFadzean, E., Howlin, N., Yoxall, D., Information assurance: Strategic alignment and competitive advantage, 2004, p. 6.
In the following paragraph, the initial construct that shall be developed into a hypothesis in this thesis will be presented. The driving question is whether there is a genuine change in the function of corporate security that justifies the introduction of information security into business strategy. For this reason, the various elements that constitute this function of corporate security need to be analysed. After a thorough literature review, an initial research construct has been developed that describes the relationships that need to be taken into consideration from a managerial perspective on information security.
Figure 1: Initial Construct of the Function of Corporate Security
In this initial construct, information security, previously seen as part of the IT and Information Systems (IS) department, is becoming a distinct discipline. It finds itself connected to and in relation with other factors and domains, such as environmental and legal issues, functioning as a spiral that incorporates inputs from the different departments and balances them against possible trade-offs.
The interrelationship between information security and business strategy, which is assumed to draw on the above construct, shall be of particular interest.
20 See Baskerville, R., Risk analysis: an interpretive feasibility tool in justifying information systems security, 1991, p. 123.
[Figure 1 (diagram not reproduced); element labels: Business Strategy: Content & Process; Competitive Advantage; Trust; Environmental factors: Time/Risk/Globalisation; Governance: Legal compliance, International standards; IT/IS & Behaviour; Corporate Security Management; Strategic Alignment; ISP, Outsourcing, Privacy; Information Assets: CIA & RITE Principles]
The rationale for researching such an interrelationship is that information technology and information systems have become recognised components and drivers of business strategy.21 The evolution of the past years emphasises a concentration of the security function on the one word both terms have in common: information. Thus, as argued by Kaplan and Norton, the ability of organisations to exploit intangible assets has become far more decisive than their ability to invest in and manage physical assets, as companies around the world transform themselves for competition based on information.22 Consequently, if IT/IS systems, as the host of business information, are strategic tools supporting a company’s business strategy, and information as an intangible asset of strategic importance is critical for the competitiveness and business success of a company, then the availability, integrity and confidentiality of the data that the system protects should be as well. Furthermore, the loss of reputation due to information security breaches is a risk factor that can cost companies customers and can result in significant financial losses on the stock market.23 The Gartner Group research firm found that 28 % of respondent banks said that online attacks are causing them to reduce their web-banking activity.24 Information security becomes a question of organisations staying competitive in their markets when using new means of technology such as the internet. But previously ignored external factors, including the stronger influence of shareholders and other business stakeholders, now resulting in increased attention to corporate governance, also need to be taken into account and should be incorporated into strategy and risk management processes. According to the latest Department of Trade and Industry (DTI) survey, a change of attitude has taken place in organisations and the protection of customer data has become the top priority for organisations. However, the survey also shows that only the protection of existing assets is seen and researched as a reason for organisations to attribute and spend money on information security.
21 See McFarlan, W., Information Technology changes the way you compete, 1984, p. 101; see Ward, J., Information Systems and Technology Application Portfolio Management: an Assessment of Matrix-Based Analyses, 1988, p. 206.
22 See Kaplan, R., Norton, D., Using the Balanced Scorecard as Strategic Management System, 1996, pp. 75.
23 See Garg, A., Curtis, J., Halper, H., Quantifying the financial impact of IT security breaches, 2003, pp. 80.
24 See Rombel, A., The World’s Best Internet Banks 2005, 2005, p. 31.
Figure 2: What drives information security expenditure?25
For information security to become a part of business strategy, it needs to go beyond the mere protection of crucial but already existing assets; the creation of trust might be such a decisive factor. Trust as a natural basis between business partners (Business-To-Business (B2B) or Business-To-Customer (B2C)) is also founded on the belief that shared information remains confidential, available and intact. Customers and partners, especially in critical industries, might differentiate in their choice according to certain security criteria.
However, there are limitations to this initial research construct, and these shouldn’t be underestimated, as information security as a strategic task for good management and governance is a fairly unexplored topic.
In order to take appropriate measures to secure an organisation’s business intelligence, an analysis of threats to the organisation’s information assets is necessary. Investments must be allocated according to the core issues of the organisation’s exigencies. As the importance of business intelligence differs among sectors, there is only a limited number of especially sensitive sectors where information security can and should be part of business strategy. The commercial space in this sense is, in its liability and commitment, far from uniform in its progress.26
25 DTI/PricewaterhouseCoopers, Information Security Breaches Survey 2006, p. 12.
Hence the function of information security in different sectors incorporates different strategies. Maximum information security is not only impossible to achieve but can even become counterproductive when unnecessary measures are taken that hinder efficient workflow. As the author, not only for these reasons, decided to conduct qualitative research, organisations with a high probability that this interrelationship exists will be chosen and their set-up of information security management analysed.
In this thesis, current evolutions changing the function of corporate security within large
organisations will be reviewed according to what has been presented in Figure 1 as well as the
interrelationship between information security and business strategy. The thesis has therefore
been divided into two parts. Part I comprises the theoretical discussion of the topic, whereas
Part II deals with the conducted empirical research.
Part I starts with the evolution of management strategy connected to the technological
(r)evolution, which will be the topic of the first chapter of the present research work. Features
of this revolution will be analysed showing important technical but also social and
organisational developments. It gives an introduction to the change of the function of
corporate security in today’s organisations.
In the second chapter, principles of information security are assembled providing the base for a
sound information security strategy that should be integrated and aligned with business
objectives. Subsequently, formal as well as informal security measures will be presented.
The third chapter deals with legal requirements that are imposed on organisations but also draw the attention of stakeholders towards information security. In the past years this attention led to an increased voluntary dedication of organisations to carry out internal audits to prove compliance with these laws and stakeholders’ expectations. Many international standards, like ISO/IEC 27001 or ISO 13333, have been developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); these bodies, as well as other research institutes, are interested in combining good governance practice with these standards. So-called de jure and de facto standards give guidelines for auditing the management of information and related technology in companies.
26 See Birchall, D., Ezingeard, J., McFadzean, E., Howlin, N., Yoxall, D., Information assurance: Strategic alignment and competitive advantage, 2004, p. vii.
In the fourth chapter, various methods about how to assess and analyse information security
risks in organisations are discussed. A particular focus is on operational risks that present a high
threat especially to financial service institutions.
In Chapter Five, components of business strategy are identified, as well as possibilities on how to analyse them. The concept of business strategy implies that a company only proactively integrates into its strategy what helps it to gain distinct competences, a competitive advantage and added value for the business.
In the sixth chapter, various frameworks providing options for leveraging information security
to a management task will be presented and analysed. Social concepts as well as risk and
governance concepts can be employed to optimise information security management. Two
frameworks are of special importance for later research recognising the variable of strategy
process and content, and introducing the theory of strategic alignment.
A conclusion of Part I will summarise the most important findings of the theoretical part of the
present research and lead over to the empirical Part II.
In Chapter Seven, an outline of the philosophical foundation, as well as the applied research methodology, will be presented. It will be argued in favour of a positivistic ontological-epistemological approach and a qualitative type of evidence. The methodology leading towards shaping hypotheses and building theory will be explained, as well as the case study research method, describing the unit of analysis, data collection and data analysis.
The eighth chapter contains the within-analysis of each case study in which the findings will be
presented according to Figure 1. In the final paragraph of the chapter a cross-case analysis of the
cases will show commonalities and differences among cases.
After the conclusion of Part II, Chapter Nine contains the final discussion of the empirical findings in conjunction with theory. This will lead to shaping the hypothesis and building the theory, which will be compared to the enfolding literature in a final step.
The final conclusion will discuss theoretical, methodological, and practical contributions of the
thesis, the implications of the research approach as well as areas of further research.
Editor’s note: [Pages 10-222 of this thesis are omitted for reasons of confidentiality of the data used in the case studies]
Chapter 9: Discussion and Theory
Chapter 9 synthesises Part I and Part II and embodies the results of the research. Its target is to shape a hypothesis emerging from the empirical findings of Chapter 8. The thesis hypothesis is that a change in the function of corporate security has taken place, leading to an interrelationship between information security and business strategy. Once such an interrelationship has been proven to exist, the endeavour is to research its semantics and the conditions that apply, which then form the thesis’ theory.
Chapter 9 is structured in three paragraphs. The first paragraph discusses the empirical findings of Part II in conjunction with the enfolding literature of Part I. Commonalities, differences and amendments of the initial construct are presented and provide a comprehensive understanding of the coherences among information security variables. This synthesis of theoretical and empirical data leads to the shaping of the hypothesis in the second paragraph, which further comprises the developed theory of the dissertation. The final paragraph of Chapter 9 discusses the theory in conjunction with the concepts of information security management analysed in Chapter 6.
a) Discussion of Findings in Conjunction with the Enfolding Literature
In the enfolding literature review in Part I, some general tendencies have been outlined that have also been found in the empirical research conducted through the four case studies.571 A reinforced empirical validity of some of these tendencies can be concluded from the commonalities found in the case studies; however, some others could not be confirmed.
The subject of the preference among the CIA principles hasn’t been treated in the initial case study analysis, as all three principles were given as answers and no clear pattern according to function or industry could be established. However, a tendency in the explanation of why a principle was chosen could be found. Thus, most interviewees in the organisations that held personal data argued confidentiality to be the most important principle from a customer’s point of view.
571 When referring to “organisations” in the discussion of findings only the four main case studies are included. The additional cases will be mentioned explicitly.
Availability was judged to be most important for the immediate survival of the business, so that services can be offered to the clients. Integrity was judged to be most important from a regulatory point of view. A fourth principle, non-repudiation, was found to have been added to the CIA at Bank B and SoftCo D. However, in the context of the present study the function of non-repudiation is closely related to the function of the integrity of data, as a failure of either threatens the organisations’ reputation through non-compliance with regulatory requirements.
Globalisation became both a boon and a bane for the organisations. All organisations were
winners in the global game, but increasing security threats led to a reorganisation of the security
function. A shift from the classical IT security function toward information risk management,
which included the classic IT function but also fraud, risk, and corporate alignment functions
such as strategic committees or departments of information assurance, took place. The
organisations aimed for a holistic approach, aligning the various variables of corporate security
to create synergies and bundle these in a coherent strategy.
Formal and informal measures in the information security strategy were found to be default measures, meaning that they were acknowledged to be important for implementing good information security management, but not necessarily of high importance in the corporate security alignment process. An ISP and a privacy statement existed in every organisation; no organisation outsourced any major security function. Training and awareness programmes for responsible staff were offered, or even made obligatory, in the organisations. These formal and informal measures have changed slightly over the last years but weren’t at the core of the organisations’ information security strategy. In the case studies it was found that organisations invested rather in a business alignment of information security that focused on cost reduction through greater efficiency, good governance of regulatory requirements and reputation, and a new assessment of information security risks.
The risk assessment was confirmed to be more business-driven than it was a few years ago. Thus, although Courtney’s equation is still used as a basic rule in the IT security department, it doesn’t represent the full assessment of risks as it is carried out today. Additional risks have been added to Courtney’s equation to complete a holistic risk analysis.
Particularly financial organisations were found to be concerned with operational risk.
Again, a reorganisation was discovered that took place in Bank B from a discontinued risk
assessment through internal audits, to a permanent assessment of operational risks. The new
permanent assessment of operational risk became a task for middle management in the
organisation. The responsibility for operational risks is hence shifted to those immediately
concerned by the threats. The management of operational risk was found in practice to be an
argument for the corporate security department to improve measures as it immediately impacts
the bank’s performance.
Finally, reputation risk became one of the most important variables in the organisations’
risk analysis. In the researched organisations it was identified as an effective tool to convince
the executive management of the importance of information security for the organisation. This
finding supports Baskerville’s572 hypothesis that risk analysis can be particularly useful as a
communication technique that provides a link between the security and management
professional.
The problem of the quantification of losses and threats was one which remained throughout the cases, conceding to Baskerville573 his point that risk assessment remains a meta-control tool that rests in the subjective experience of the designer and is not an objective prediction of any statistics. None of the organisations had, for example, even attempted to quantify its reputation risk. In the researched organisations, approaches presented by Garg et al.574 to account for capital losses in the stock exchange price were judged as incorrect, as the stock market would recover after a few days and too many other influences could bias the results. Thus, the quantification of information security threats and vulnerabilities continues to be unsolved, but remains at the same time the holy grail of information security risk analysis.
The second stream of thought in the alignment of information security throughout all cases
was information security governance. Especially those organisations with access to personal
information suffered from high regulatory pressure. This pressure consists not only of data
protection issues such as EU legislation, but also of the need to provide information for law
enforcement measures. Organisations then find themselves in a conflict of interest between
business and the law. This conflict also makes information security a political issue inside the
organisation that must be assessed by the management and cannot be managed solely with
technical expertise. However, the issue of highest importance for information security
governance was SoX. Its importance has already been mentioned in the literature and was
confirmed in the case studies. Apart from the heavy burden of proof, which is very costly to the
organisations, it had a great impact on the perception of information security at senior
572 See Baskerville, R., Risk analysis: an interpretive feasibility tool in justifying information systems security, 1991, pp. 128.
573 See ibid, pp. 128.
574 See Garg, A., Curtis, J., Halper, H., Quantifying the financial impact of IT security breaches, 2003, p. 74.
Chapter 9: Discussion and Theory
226
management level. Good corporate governance became connected to the integrity of data.
Reporting lines were shortened to provide more direct information to top management, and
information security grew in importance at all organisations' audit departments. It is mostly de
jure standards that are used to assure compliance, while de facto standards are often used to
confirm the results of good information security management. The certification of these results
represents an extra cost and is perceived as unnecessary for the internal security function. The
application of a standard framework leading to regulatory compliance is the target for the organisations.
The third point leading to the alignment of corporate security with business is cost
reduction through efficiency gains. With the extension of the information security risk
analysis, as well as increasing costs for ensuring information security governance, information
security grew notably in size and cost. As all case studies were carried out with large,
multinational organisations, differing legislations and security environments made information
security an even more complex task for the organisations. Here, alignment also meant
streamlining and creating synergies to gain operational benefits.
The reorganisation and alignment of the security function are internal tasks. Their
evolution has been the subject of a number of articles and books. The internal function of
corporate security (IFCS) has been examined in the present research because it forms the basis
of, and is therefore correlated with, what will in the following be called the external function of
corporate security (EFCS). The EFCS comprises the area that is built around the IFCS and
where corporate security overlaps with the interests of the organisation's stakeholders. When
breaches and failures occur, customers, shareholders or other financial investors assert these
interests and will punish bad information security management. Thus, information security can
become an asset to the organisation.
As suggested by Eisenhardt,575 an a priori construct with a formulated research question was
presented in the introduction of the present research and developed in detail in Part I. In this
construct a number of possible stakeholder interests in an organisation's EFCS were
formulated. These are reputation, trust and certification.
Earlier in this section, reference was made to reputation risk and the problems of its
quantification. Although no measures for quantification exist so far, all interviewees without
exception agreed on the importance of reputation risk for their business. The opportunity
embedded in this risk was hence recognised as well. One of the major findings of the cross-case
575 See Eisenhardt, K., Building Theories from Case Study Research, 1989, p. 533.
analysis was that organisations managed their reputation as a secure company through
targeted marketing campaigns, participation in survey journals, or the publication of corporate
responsibility reports. It was found that a good reputation is expected to attract the right
investors for the organisation and hence increase the provision of capital. Products α and β were
also intended to improve the reputation of the organisation and to create trust in the services
delivered by Bank A and TelCo C. If reputation and trust are important attributes for selling
products and services to customers, this importance increases with the amount of personal
information organisations hold and with customers' awareness. Generally this correlation was
known to the organisations. Visible differences were made between customer segments. Retail
customers were judged to have less knowledge about security issues and hence were believed to
be less aware of security threats. In contrast, business customers were perceived to be much
more aware of security threats, checking up on the security of products and services.
The third expected advantage gained through information security, and one which
organisations could use to differentiate themselves from their competition, was certification.
Although certification can work as a substitute for regulatory requirements and legal standards,
it wasn't found to immediately add value to the organisations. The substitution works if
certification can provide proof points to management, customers and investors that proper
security measures have been put into place. This becomes unnecessary if the regulatory burden
is correspondingly high, which is the case for organisations with a high degree of access to
personal and sensitive data. Certification in that sense can only assure the customer that
standards are met, and becomes a competitive advantage only where security products and
services are traded in a sensitive environment with few regulatory obligations.
For further research, it is important to define the boundary of responsibility. So far, very
little has been published in the literature on the importance of information security for
customers. When researchers published on the topic, they provided an assessment of
reputation, trust and certification, demonstrating the importance of information security
to the business. What hasn't been defined is the boundary of responsibility that answers the
question of when organisations need to provide information security measures and when the
customer sees it as his/her own responsibility or duty of care. As analysed in Chapter 3,
the law hasn't found an answer to the question of duty of care yet.576 In the concept of
IFCS and EFCS, it is now this boundary in the EFCS artefact that needs to be defined.
576 See Lindup, K., Lindup, H., The Legal Duty of Care- A Justification for Information Security, 2003, pp. 21
Throughout the empirical research it became evident that there is a visible lack of
communication between the internal information risk function and the organisations'
marketing, which could investigate this boundary. In fact, the external implications of
information security were found to be a virtually unresearched topic. The earlier IT approach,
which focused merely on security measures, has been replaced by a more business-driven or
risk-related approach. However, the information security requirements are still analysed
internally and do not necessarily reflect what the market or, more specifically, the customers
expect. Although in all cases comprehensive marketing facilities were available to the
organisations, these were either not used or, where results existed, these were not communicated
from marketing to the internal information security experts. The organisations' research and
development teams are still very much technically oriented, with security experts developing
features that they see as necessary from their internal point of view. Bank A, which internally
off-shored this function, used focus groups to test the features of the final products, that is,
after their development; but the initiatives so far have exclusively been developed inside the
organisation without any input from the organisation's marketing department.
In the decision-making process of the organisations it was found that those in charge of the
IFCS orient themselves either directly according to technical market developments or
according to where they believe the market is going. Even today, security defence is based on an
informal exchange of information between IT security experts. Industry committees have been
established to decide on industry-wide standards that again are based on technical requirements
but don't reflect customer expectations and wishes.
The customer survey carried out by the marketing division of TelCo C, however, provides
concrete figures on this subject and shows that customers see it to a large extent as their own
responsibility to protect their devices, and not as the duty of care of the organisation. Hence,
the protection of information assets is connected to the physical and technical device on which
the data is stored. For the IFCS of an organisation this means that the responsibility to
safeguard information assets that are stored internally remains solely with the organisation.
However, in the EFCS domain organisations can compete on reputation, trust and, to a certain
degree, on certification. At the edge of the boundary between the organisation's responsibility
and the perceived duty of care of the organisation's customers, information security products
and services can be profitably sold to the customer. In the business customer segment this
boundary can be drawn even more clearly, as it is in the customer's own interest to safeguard
information. Information security then becomes an added value to the organisation,
whether it integrates information security features into its existing products and services or
offers them as a package or completely separately.
In the case of SoftCo D, which introduced security products to the market that were above all
meant to complement its existing product range, the focus was on automating business,
especially at the client or employee level. Interviewees across all case studies repeatedly said that
the challenge lies less in preventing hackers from penetrating their security technology than in
managing their customers and employees so as to avoid security breaches caused by them. Hence,
the products developed had to be built for non-security experts, with the main target of the
security application being an easy-to-use approach to resolving any security problems. The
technical solutions and products researched in the case studies had in common that they were
built on the application level and were therefore obvious and apparent to the user. The EFCS
therefore also sets a different priority for the nature of its products: they are less technical, less
oriented towards providing the highest level of security, and adjusted to the knowledge of
customers. To summarise, the EFCS will in future depend largely on customers' awareness
and knowledge of information security measures and threats, and will hence develop with time.
A determining factor for the extent to which an EFCS exists at an organisation is the nature of
the interface between organisation and customer. This interface changed fundamentally with
the arrival of the internet. The internet became the technical medium that replaces direct and
personal customer communication to a large extent. The experience with this medium and its
trustworthiness are essential for the organisations' e-business. Bank B was an exception in this
respect and was therefore missing some fundamental external security functions that existed in
the other organisations, such as larger information security communication initiatives or other
security products. Through the internet the customer has to relate to technical measures and
faces newly emerging threats that create a demand for more and better security.
In the additional cases researched, other determining factors were found that can influence
organisations' EFCS negatively or can influence the extent to which organisations can use the
EFCS as part of their business strategy. Overregulation of the security market by the state is one
of the reasons found. If data security is so vital for the customers of products and services, and
hence leads to great regulatory attention to enhance consumer protection, organisations don't
have any space to compete on reputation and trust in that field. Although less distinct, a similar
situation exists when organisations obtain a dominant position on the market and become a
market leader. Because of their size and position, these organisations have a head start over their
competitors in convincing customers of their trustworthiness when it comes to data protection
issues. An entirely different situation presents itself when it is exclusively the intellectual
property that needs to be protected by the organisation. Information security is then purely of
importance for the organisation's own survival, but not to its customers. The EFCS is in this
case non-existent, and only the IFCS is of importance for the organisation's survival.
In a final step it is important to determine the nature of the interrelationship between
information security and business strategy. Overall, in all four cases an interrelationship could
be confirmed. The reasons for information security to become part of business strategy were,
however, notably different and will be analysed subsequently in conjunction with the literature
and the internal and external function of corporate security.
Because of its unquantifiable value, it is difficult to show that good information security
management is part of an organisation's reputation and hence of its business strategy. Thus, in
the empirical research it was found difficult to identify an investment that could demonstrate an
organisation's commitment to achieving a distinct competence in building up a reputation as a
safe company. At the same time a strong argument was made in the literature by Carmeli and
Tishler,577 who showed the impact reputation has on organisations' financial performance.
According to the results recorded in interviews, reputation is an important issue and, although
unquantifiable, has been used by all organisations for communication and marketing to the
organisations' stakeholders. Information leaflets and newspaper articles have been published
and presentations were held at conferences. Product α, besides being a result of peer group
pressure, was used for marketing and communication purposes. In fact it replaced a system that
was up to a hundred percent secure with a product that was a novelty on the market and which
hence couldn't guarantee to deliver an equally high standard. In its decision-making process
Bank A was considering criteria belonging to the EFCS, and took customers' perception as well
as market development and peer organisations into account. Criteria belonging to the IFCS,
such as increased technical security of data, only came second in the decision-making process.
Industry sectors in which organisations hold personal customer information were found
577 See Carmeli, A., Tishler, A., Perceived Organizational Reputation and Organizational Performance: An Empirical Investigation of Industrial Enterprises, 2005, p. 13.
however much more reliant on reputation and more in the centre of attention of the regulator
and the media.
Reputation interconnects here with legal requirements and standards. Deficient
information security management leading to deficient corporate governance was found to be a
threat to the organisations' reputation. Good information security management through good
corporate governance, exemplified by regulatory compliance, standards and certification, was
shown to protect the organisation's reputation, but couldn't be shown to add extra value to the
organisation and hence wasn't found to be part of business strategy. The reason is that
standards, just as regulations, only set benchmarks but don't show any distinct competences.
Although certification might be helpful for achieving good information security management, it
cannot create certainty because of a fast-moving and risky environment. The trust in
certification is not yet distinctive enough to justify the high costs and hence cannot be treated
on its own as an added value for the organisation.
An exception to this research finding is the direct linkage between business strategy and
operational risks that exists through the Basel II framework, which correlates operational losses
to the financial organisation's equity capital. Hence the reduction of operational risks not only
results in an immediate reduction of costs but enables the financial organisation to raise equity
capital and hence improve its financial performance. The Basel II framework thus represents an
exception among all information security related legal requirements, as it links good corporate
governance directly to better business opportunities. The organisation's stakeholders profit
from good information security management. The organisation-strategy-performance link
developed by Summer et al.578 applies under the assumption that more equity capital leads
to better performance. Furthermore, only financial institutions fall into this category. Although
many environmental factors can influence operational risks, they are part of the IFCS as they
can be treated independently of these. Good management of operational risks depends on
good internal management and good strategic alignment of the internal departments using
good formal and informal measures.
To achieve Consonance, a criterion defined in Chapter 4, business strategy must represent an
adaptive response to the external environment and to the critical changes occurring within it.
As argued earlier, new information security threats have created new revenue potential for
organisations. The boundary of the EFCS illustrates where customers see the organisation in
578 See Summer, C., Bettis, R., Duhaime, I., Grant, J., Hambrick, D., Snow, C., Zeithaml, C., Doctoral Education in the Field of Business Policy and Strategy, 1990, p. 367.
the duty of care or are willing to pay for better information security themselves, hence see the
responsibility on their side. If organisations invest to research this boundary and find
opportunities to provide information security services on customer demand, information
security adds direct value to the organisation and becomes part of business strategy.
In the present research two cases, TelCo C and SoftCo D, researched this boundary and
demonstrate such an interrelationship between information security and business strategy.
Differences lie in their customer base as well as in the alignment between IFCS and EFCS.
The difference in the customer base influences the nature of the product or service offered
by the organisations. While retail customers are interested in safeguarding only their personal
information, businesses face much more complex security problems and look for an alignment
of security applications as well as time-saving streamlining of security products and services.
Furthermore, business customers showed a higher awareness of information security threats
and hence of solutions. Security is either inherent in the product or service offered or
must be purchased on top. Regulatory requirements have further increased the pressure in this
business segment over the last years. Retail customers are less aware of the real threat scenario
but are sensitive to the perceived threat environment that they form through personal
acquaintances or the media, as the TelCo C survey showed. Both customer segments have in
common that they look for applications that are easy to use and expect the organisations
to extend their knowledge of IFCS and EFCS into the offered information security products
and services.
Differences between the two cases further lie in the degree to which IFCS and EFCS are aligned.
At TelCo C, although some communication between the group's IFCS and the EFCS took
place to assure the technical integration of the solution into the corporate information security
infrastructure, no results of the customer survey were communicated between the two
functions; thus, the Head for FRS at TelCo C wasn't aware of the investigated customer
expectations on information security products and services at TelCo C. Furthermore, for the
development and subsequent maintenance of Product β, TelCo C relied on external expertise
and didn't use its internal research and development department.
In contrast, SoftCo D's information security products and services mirrored internal
processes and solutions. Emphasis was put on the integrity of the organisation's reputation and
the provision of proof points such as information security standards. SoftCo D further
integrated security into all of the products and services it offered. The organisation's CSO was
also marketing SoftCo D's security products and services, as she deployed them and was hence
acquainted with them. The organisation’s IFCS and EFCS were hence strongly interacting,
leading to good corporate alignment.
Of all cases, SoftCo D integrated information security most clearly into its business strategy;
however, the other three cases also contribute to the final part of the discussion, where this
interrelationship will be discussed in conjunction with the different concepts of business
strategy that have been found in the literature.
Firstly, this analysis focuses on the internal and external shaping of business strategy
discussed in Chapter 4. For SoftCo D one of the threats on the market was that a number of
smaller security organisations were about to move into the market providing more flexible
solutions than SoftCo D could. The threat of new entrants, one criterion argued by Porter579 to
shape business strategy externally, was therefore a powerful reason for SoftCo D to incorporate
information security into its business strategy at this point. At Bank A and TelCo C it was the
anticipation of market development that led these organisations to invest and potentially profit
from their information security products in the future. In all three organisations the
"bargaining power of customers"580 described by Porter put pressure on, or, in a more positive
light, created opportunities for better security services and products. This bargaining power is
determined by the level of knowledge customers have, and hence by their awareness and by the
location of the boundary of responsibility between organisation and customer. Hence these
three external forces, market development, threat of new entrants and bargaining power of
customers, act upon the EFCS of an organisation.
The second stream of thought in strategy literature focuses on the internal capabilities of a
company and the appropriation and internalisation of assets. At SoftCo D an internalisation of
assets took place through the acquisition of a number of smaller organisations specialised in
information security. These were chosen according to their level of expertise and utility for
SoftCo D. This expertise was then adapted to SoftCo D's own products and services, creating a
new knowledge base that is unique to the appropriating organisation. In Bank A, particular
focus was put on the internal development of Product α. Bank A claims Product α to be an in-
house development that was initiated by Bank A and developed by BankA.com. Thus, Product
α is so far unique on the market, putting Bank A in a technologically advanced position. Bank B
aligned its security function and introduced a permanent operational risk assessment function.
579 See Porter, M. E., How competitive forces shape strategy, 1979, p. 137.
580 Ibid, p. 140.
The Basel II requirements linking operational losses to disposable equity capital, scheduled to
take effect during 2007, will show how competitive Bank B's solution is. Despite the very
valuable information collected for the development of Product β, TelCo C didn't communicate
and internalise this information, which hence remains limited to the project. TelCo C's lack of
alignment between its IFCS and EFCS led to an isolation of the knowledge rather than the
appropriation advocated by Loveridge.581 Customer knowledge is, however, used to create value
for TelCo C in the sense of Probst et al.'s concept of Customer Knowledge Management.582
Elements of the content and process of business strategy are more difficult to compare
across cases, as information security products and projects were in different phases of their
development. While SoftCo D had already started selling its security products, TelCo C was
still in the phase of discussing a marketing strategy. Bank B will need to adapt to the Basel II
requirements on operational risk in 2007, and Bank A had launched Product α to its business
customers and didn't have any marketing data available yet.
Strategy contents, which are "fundamental positions or results on which the organisation
has made commitments to achieve",583 varied among the cases. SoftCo D stated its
fundamental position as increasing its revenue and return through information security
solutions and thereby returning to a bigger share of the software market. Bank B has to
systematically assess its risks under the Basel II framework and decrease them, in order to
improve its performance long-term through higher equity capital. Managers at Bank A were
primarily concerned about the bank's reputation and staying in the market. TelCo C invests in
information security for revenue and to gain a competitive advantage through a faster and
possibly better response to newly emerging information security threats.
The strategy process is concerned with the organisational structure, planning, control,
incentives, human resource management and value systems of a firm, but also with how effective
strategies are shaped within the firm and then validated and implemented efficiently.584
Organisational restructuring became necessary in Bank B. The management profits from lower
operational losses through a higher share of equity capital; hence responsibilities were introduced
where business incentives emerged. Product β at TelCo C was the result of a marketing
initiative based on customer surveys, while Product α at Bank A was the effect of a long internal
discussion among responsible managers at Bank A on the organisation's future security strategy.
581 See Loveridge, R., Institutional Approaches to Business Strategy, 2003, p. 99.
582 See Probst, G., Gibbert, M., Leibold, M., Five Styles of Customer Knowledge Management, and How Smart Companies Use Them To Create Value, 2002, pp. 459.
583 See Fahey, L., Christensen, H. K., Evaluating the research of strategy content, 1986, p. 168.
584 See Chakravarthy, B., Doz, Y., Strategy process research: Focusing on corporate self-renewal, 1992, p. 5.
In both organisations critics feared media attention that could lead to an overestimation of risks
and to more attention to information security threats in the industry. Both organisations hence
chose a moderate marketing campaign. SoftCo D could successfully integrate the acquired
organisations into its strategy process. The knowledge and expertise won through the
acquisitions was integrated into, and enriched, SoftCo D's own solutions. The organisation's
executive board communicated the new holistic security concept to the regional entities for
market introduction. The technical background of most employees in the organisation
facilitated the internal communication. Difficulties were only encountered in creating trust in
SoftCo D's security solutions and hence in selling them to customers. It is the overlap between
customers and the EFCS that poses problems to organisations communicating their newly
acquired competencies and hence creates new liabilities.
In the case of Bank A, Bank B and TelCo C the incorporation of information security into the
organisation's business strategy can be described as an emergent strategy that hasn't been set up
beforehand, but that developed out of necessity in recent years.585 At SoftCo D, on the other
hand, a clear revenue opportunity has been identified that profits from developments on the
governmental agenda as well as from newly emerging risks. However, in all cases information
security has become a commodity that can add to business development.
b) Developed Hypothesis and Theory
The initial construct developed in the present research work includes variables that
constitute the function of corporate security with the organisation's informational assets at their
heart (see Figure 1): environmental factors, governance, IT/Behaviour, and information
security management. The empirical case study showed that these variables led to an
internal shift of the information security paradigm in all four cases. The organisational
alignment was the main focus of this shift, making internal information security management
easier, facilitating compliance with an increasing amount of regulatory requirements and coping
with an increasing number of threats. These internal and external security threats against the
internal information assets of the organisation are met through technical measures but also
through behavioural measures, formal and informal.
585 See Kay, John, Foundations of corporate success: How business strategies add value, 1993, p. 337.
Nevertheless, during the analysis of the interrelationship between information security and
business strategy, a new construct emerged that suggested the differentiation between an
internal function and an external function of corporate security. These two functions can be
defined in terms of patterns, of actions, of behaviours and of responsible agents.
The internal function is charged with the security of the data that is legally in the possession
of the organisation and is hence protected by its internal security. This data includes the
organisation’s intellectual property but also customer data that the organisation possesses due
to business or legal requirements.
Elements of the IFCS are the risk assessment of newly emerging security threats, e.g. internal
fraud or hackers trying to enter the organisation's network, as well as formal and informal
security measures. Furthermore, governance is a part of the IFCS; standards and certification
are guidelines and proof points to the management and the organisation's stakeholders that
information inside the organisation is managed with due diligence. Regulatory requirements
fulfil a similar function for the state.
The alignment of these IFCS elements can lead to more efficient information security
management and hence to cost reductions for the organisation. However, throughout the
investigation for this research only one example could be found where an interrelationship
between information security and business strategy existed that actually lay within the IFCS,
and it only applied to organisations in the banking sector. This interrelationship exists in the
form of the Basel II framework, which links operational losses to the amount of equity capital
available to the organisation and hence to the possibility for the organisation to improve its
performance. Other possibilities for information security to become part of business strategy,
however, showed that a new external function was necessary for information security to create
an added value for the organisation.
The external security function creates the fringe area between internal security and the
environment of the organisation. It is characterised by newly emerging technical artefacts that
enable the customer to establish direct contact with the organisation. This interface shapes the
experience of the customer with the organisation. Moreover, the technology enables a virtual
direct contact link between the customer and the organisation. For the customer to be able to
use this contact, he/she needs a personal device that enables this virtual link. This personal
device can be a personal computer or another mobile telecommunications device such as a
mobile phone.
Chapter 9: Discussion and Theory
237
The determining question for the research, whether information security can become part
of business strategy and hence a source of revenue for the organisation, depends on how the
customer evaluates his/her duty of care. If this perceived duty of care (εc) is greater than zero, a
revenue opportunity for the organisation theoretically exists; if it is zero, i.e. in the opinion of the
customer no duty of care lies within his/her own responsibility, no revenue can be
generated for the organisation.
εc > 0 : Revenue Potential          (3)
εc = 0 : No Revenue Potential
Determining factors that might influence this boundary can be regulatory requirements,
ethics and culture. If the state takes a particular interest in the security of the medium or
interface, regulatory requirements can oblige the organisations or the customer to guarantee a
security service. Additionally, ethical values and cultures influence the perception of
responsibility in such a way that customers feel they can rely on business partners or prefer to
insure themselves.
In addition to the direct sale of security products and services, two other elements leading
to increased competitive advantage and added value were identified: reputation and trust.
These elements do not generate any direct revenue for the organisation but increase the usage
of the technology through the interface, as customers are more likely to use it; this
increased usage contributes indirectly to business development, its revenue, and
competitiveness.
Other elements in the realm of information security and influencing Organisation X’s
business strategy are the threat of new entrants, peer group pressure and the internalisation of
assets. The threat of new entrants influences information security strategy if an organisation
already has information security services and products in place and sees several new competitors
entering the same domains, threatening to destroy Organisation X’s distinctive competence.
Peer group pressure leads to innovation in information security to remain competitive on the
market. Such innovation requires the anticipation of where the market might go and hence
requires analytical judgement of customer needs and internal technical capabilities. Analytical
judgement and technical capabilities are assets that, if they are internalised into the function of
corporate security, further determine Organisation X’s business strategy.
Figure 33: Internal and External Function of Corporate Security
[Figure elements: EFCS (Information Security Products & Services; Reputation and Trust) at the Interface/Medium; Organisation X IFCS (Information Risk Management; Operational Risk; Security Standards/Certification; IT & Behaviour; Regulatory Requirements; Intellectual Property; Customer Data); boundary εc > 0 / εc = 0; external influences: Internalisation of assets, Peer group pressure, Threat of new entrants]
Furthermore, the IFCS/EFCS theory suggests an alignment of the internal and external
function of corporate security, creating a pattern of communication between customers and the
previously defined internal corporate security function. Good strategic alignment between IFCS
and EFCS can generate better information risk management, as the company has better
insight into customer security concerns and can hence adapt its vulnerability assessment
accordingly. The more customers consider a security breach to be important, the more the
organisation should try to avoid such a scenario in order to avoid higher reputation damage. At
the same time, an alignment between IFCS and EFCS can provide proof points to the
customers of Organisation X that good internal management is also reflected in good information
security products and services.
In a second step, two customer segments are introduced into the framework - business and
retail customers - that have commonalities but also notable differences in their behaviours and
actions; the main issues are security concerns, technical capabilities, expertise and interests.
Both segments expect personal or confidential information to be safe to the highest degree in the
IFCS. However, in case a security breach in the organisation’s IFCS occurs and data is lost,
altered or accessed by an unauthorised person, customers have very little influence and can
only ask for compensation and/or change the service provider. Differences exist in the EFCS of
the organisation. The influence customers have on Organisation X’s business strategy relates to
their bargaining power vis-à-vis the organisation.
In comparison with retail customers, business clients feature much higher technical
capabilities, security expertise and have greater security concerns regarding the loss, disclosure
or alteration of information. Thus, the threat of competitive intelligence leads to a higher
awareness of information security risks. Furthermore, business customers share similar concerns
with the service provider as they possess their own IFCS that is subject to regulatory
requirements. Last but not least, business customers possess through their IFCS much higher
technical capabilities and business expertise that puts them into a much better bargaining
position than retail customers.
In contrast, retail customers only very rarely possess similar expertise and technical
capabilities and are therefore more reliant on their perception, media coverage or politics to
provide sufficient assurance of good information security management. The retail market is
much more heterogeneous and must therefore be assessed individually by the organisation.
Tendencies must be watched carefully, as newly emerging security threats might cause reputation
damage to the organisation as well as offer revenue opportunities for the organisation.
In consequence of these differences between business and retail customers, the expectations
of solutions provided in the EFCS by the organisation are different and are hence also treated
differently by the organisation. Because of their advantage in technology and expertise, business
clients receive far more advanced solutions, for which they are potentially also willing to pay a
premium. Products and services must also fit into the existing IT architecture of the
business client. In the retail customer segment differences can be noticed according to age and
background of the customer. Generally, customers expect holistic information security risk
protection and are focused on easy-to-use solutions and products to safeguard their personal
devices and information.
Other responsible agents are potential investors that provide financial assets to
Organisation X but expect good information security governance in return. These financial
assets contribute to Organisation X’s performance and to its competitiveness. Trust and
reputation are essential patterns here that encourage good investment; conversely, bad
information security governance discourages such investment.
Figure 34: The Role of Business and Retail Customers in the IFCS/EFCS Framework
[Figure elements: EFCS (Information Security Products & Services) with Business Clients (εc > 0, Competitive Intelligence) and Retail Customers (εc = 0, Personal Data), both with Access to IFCS and Bargaining Power of Customers; Organisation X IFCS (Information Risk Management; Operational Risk; Security Standards/Certification; IT & Behaviour); Investors (Regulatory Requirements, Corporate Responsibility)]
In a third step, the theory is further extended with the three CIA principles, attributing
these to a number of patterns in the IFCS/EFCS theory. Originally meant to explain the
reasons why organisations engage in information security, they rather fulfil various functions in
the organisation’s IFCS and EFCS. In the theory developed here, availability is at
the centre of the IFCS, i.e. the operational ability to continue the business after a major
security fraud that causes a severe disruption or denial of service. The integrity of data is crucial
in conjunction with regulatory requirements and proved to be just as important to the business
clients and to investors as to Organisation X. Business clients in many cases have to meet
similar legal requirements for their IFCS as Organisation X, and investors are interested in the
demonstration of good corporate governance at Organisation X. The confidentiality of data is
crucial to business and retail customers and is the principle which raises most concerns in the
EFCS. Business customers fear competitive intelligence that intrudes into their systems. Retail
customers fear the disclosure of personal and sensitive data that is stored inside the company, as
well as its interception during the use of products and services that Organisation X
provides. All principles, however, interrelate and must be applied in conjunction with each other
in the IFCS/EFCS framework.
Figure 35: CIA Principles in the IFCS/EFCS Framework
[Figure elements: availability (A) placed in Organisation X’s IFCS (Information Risk Management; Operational Risk; Security Standards/Certification; IT & Behaviour); confidentiality (C) in the EFCS (Information Security Products & Services) with Business Clients (εc > 0, Competitive Intelligence) and Retail Customers (εc = 0, Personal Data, Access to IFCS); integrity (I) with Investors and Regulatory Requirements]
Finally, it is important to discuss the conditions for the IFCS/EFCS theory to apply. A first
prerequisite is the existence of a technical medium or interface, such as the internet or other
PCDs, that the organisation uses to communicate with its customers, or that customers
themselves are reliant on information security in their IFCS so that they have overlapping
interests with Organisation X. A second prerequisite is the existence of a free market in the area:
a predominant role of the state that leads to an overregulation of the market
leaves no space for Organisation X to compete with its peer organisations and fixes in advance the
organisation’s and the customer’s responsibility for security and duty of care (εc). A similar effect
results if Organisation X achieves a predominant or leading position on the market, leading to
such a significant size that customers trust the reputation of the organisation per se. A last
prerequisite is that the IFCS is of such importance to the organisation that information security
affects the organisation’s survival and leads to a predetermination of εc.
In summary, the theory introduces the concept of an internal function and an external
function of corporate security that is based on the conceptual framework of responsibility
modelling, creating an artefact of patterns, actions, behaviours and responsible agents. The
internal function comprises what is understood to relate to classical information risk
management. The external function circumscribes the technical interface of the internal
function with the customer and investor. Depending on legal requirements, ethical values and
culture, customers are willing to pay for security services that they accept as their personal
responsibility. Investors are attracted through good information security governance. The
bargaining power of customers, the threat of new entrants, peer group pressure and the
internalisation of assets were found to further determine the business strategy of Organisation
X. Different standards and expectations apply to business and retail customers, which have
different levels of expertise and technical capabilities as well as different security concerns. The
theory further provides an attribution of the three information security principles -
confidentiality, integrity and availability - according to their function inside Organisation X.
The theory argues for a fundamental shift in the information security paradigm.
Information security so far has been found in research to be an exclusively defensive measure
that protects the already existing assets of the organisation. In this artefact advantages could
only be generated through cost reductions by streamlining processes and aligning duties. The
theory generated in the present research work shows that information security can add value to
the organisation through increased performance, competitive advantage, increased trust and
reputation, and higher revenue. Information security can be used as an offensive tool on the
market.
c) Embedding of Theory in Other Information Security Management Concepts
In Chapter 6 several theoretical concepts of information security have been discussed. The
diagram of information security approaches developed by Siponen suggests that information
security research will increasingly focus on governance and management issues. On a
conceptual basis the author applied the Responsibility Modelling framework developed by
Backhouse and Dhillon that focuses on distributing responsibilities between agents, “eliciting
and assigning structures of responsibility”.586 The IFCS/EFCS framework belongs in this
586 Backhouse, J., Dhillon, G., Structures of responsibilities and security of information systems, 1996, pp. 4.
category of research as it advances the existing theories and frameworks by providing insight
into responsibilities shared between the organisation and its customers. It further specifies
Liebenau et al.’s587 boundaries of responsibilities and the impact of these boundaries on
information security management and particularly business strategy. Behavioural patterns,
perceptions as well as communication between agents are crucial to improve the existing
information security management.
However, Backhouse and Dhillon take in their research an ontological-epistemological
approach that is based on understanding social norms and individual affordances. Their
framework is built on the assumption that “reality is the outcome of human interactions which
generates shared norms and experiences”.588 They take an interpretivist point of view and
hence use a different philosophical stance than the positivist philosophy used in the present
thesis. They further apply their framework to the intra-organisational behavioural patterns of a
non-commercial entity, the British National Health Service Hospital Trust. In contrast, the
IFCS/EFCS theory uses a different approach by showing managerial impacts of responsibilities
and behavioural patterns such as trust and reputation on the performance and competitiveness
of organisations, thus the impact of social norms and behaviour on organisational commercial
structures.
It is important to note that the organisation and its customers share information security concerns
through a technical interface or medium. Thus, the IFCS/EFCS theory also falls under the
socio-technical approach described by Siponen.589
In Chapter 6 concepts ranging from information risk management, over hybrid
information security methods, to information security governance frameworks were described
and discussed. None of these concepts takes the organisation’s customers into consideration to
shape information security management. For instance, Willison’s and Backhouse’s Crime Specific
Opportunity Structure590 focuses on attacker profiles and on processes to avoid information
security breaches. Governance frameworks such as the GAISP591 or the Corporate Governance
Task Force ISG Programme592 aim to systematically structure information security
management in order to render the organisation more transparent. Baskerville’s Security Risk
587 See Liebenau, J., Kärrberg, P., International Perspectives on Information Security Practices, 2006, p. 4.
588 Backhouse, J., Dhillon, G., Structures of responsibilities and security of information systems, 1996, pp. 5.
589 See Siponen, M., Analysis of Modern IS Security Development Approaches: Towards the next generation of social and adaptable ISS methods, 2005, p. 370.
590 See Willison, R., Backhouse, J., Re-conceptualising IS security: Insights from a criminological perspective, 2005.
591 See Information Systems Security Association, GAISP Version 3.0, 2004.
592 See Corporate Governance Task Force, Information Security Governance: A Call to Action, 2003.
Planning Model593 helps in the process of assessing and managing security risks. Von Solms
developed a series of frameworks that deal with the technical importance of information
security in Porter’s value chain, the benchmarking of security levels and the role of standards
and regulatory requirements in organisations594, but these do not contribute to understanding the
external shaping of information security strategy.
An exception is the knowledge management based system developed by Belsis, Kokolakis
and Kiountouzis, which is an interesting aspect for the IFCS/EFCS theory. Belsis et al. consider
their theory to be able to support information security management as it aims to “bring to light
the knowledge dimension of IS security and to determine what constitutes IS security
knowledge and where it originates from”.595 Their idea of considering the organisational
environment to provide insight into new security threats is validated in the present research.
Knowledge, which they describe as “codified information with a high proportion of human value
added including insight, interpretation, context, experience, wisdom and so forth”596, adds to
good information security management. The present thesis specifies the organisational
relationships of this system. The different levels of knowledge existing among the organisation’s
stakeholders, thus also the organisation’s customers, must be considered when collecting
information but also when implementing security measures.
Finally, in Chapter 6 two concepts were identified as being of particular interest to the
present research work because of their close relation to business strategy concepts.
The BPIRM model developed by Coles and Moulton597 uses the process and content
approach to circumscribe the ideal information security management framework and adapts
two theoretical models - Deming’s PDCA and Porter’s value chain - to current information
593 See Baskerville, R., Risk analysis: an interpretive feasibility tool in justifying information systems security, 1991, p. 123.
594 See Halliday, S., Badenhorst, K., Von Solms, R., A business approach to effective information technology risk analysis and management, 1996, pp. 25; see Von Solms, R., Von Solms, S.H., Caelli, W.J., Information Security Management: A Framework for Effective Management Involvement, 1990, pp. 217; see Von Solms, R., Von Solms, S.H., Caelli, W.J., A Model for Information Security Management, 1993, pp. 12; see Van de Haar, H., Von Solms, R., A Tool for Information Security Management, 1993, pp. 7; see Vermeulen, C., Von Solms, R., The information security management toolbox - taking the pain out of security management, 2002, p. 124; see Von Solms, R., Information Security Management (1): why information security is so important, 1998, pp. 174-177; Information Security Management (2): guidelines to the management of information technology security (GMITS), 1998, pp. 221-223; Information security management (3): the Code of Practice for Information Security Management (BS 7799), 1998, pp. 224-225; Information security management: why standards are important, 1999, pp. 50-57; see Posthumus, S., Von Solms, R., A framework for the governance of information security, 2004, pp. 644.
595 See Belsis, P., Kokolakis, S., Kiountouzis, E., Information systems security from a knowledge management perspective, 2005, pp. 196.
596 See Davenport, T., Volpel, S., The rise of knowledge towards attention management, Journal of Knowledge Management 5, No. 3, pp. 212-221.
597 See Coles, R., Moulton, R., Operationalizing IT risk management, 2003, p. 491.
security management. The process framework is very close to Deming’s PDCA model and is
oriented towards the optimisation of the internal information risk management of an
organisation. More important for the present research is their content framework, which is based
on Porter’s value chain and leads to good performance through good IT leadership, good
corporate governance, and increased brand reputation. The BPIRM model’s suggestions could be
confirmed for the IFCS in the present research. Information risk management moves into the
centre of attention due to a higher business alignment and new security functions.
Furthermore, the chain of good “process leadership of people and resources” leading to good
corporate governance, better reputation, higher brand value and better performance was found
to be a logic also followed in the case studies for the present research. The empirical validity of
the framework’s content model can hence be confirmed.
However, in comparison with the IFCS/EFCS theory, the BPIRM framework fails to take
into account the external influences that can and should complement the internal information
security management of an organisation. It suggests that through business process leadership of
people and resources good governance, and thus brand value, can be generated. Hence the external
shaping of business strategy through customers, as described by the IFCS/EFCS model, is
not included. The IFCS/EFCS model explains the external requirements for an organisation to
make use of its reputation and enhance its IFCS. The BPIRM model further fails to take
operational risks and their potential benefits for the organisation into account.
The MPIAS framework developed by Birchall et al.598 takes this external dimension into
consideration by adding “internal/external stakeholder requirements” to their framework.
However, Birchall et al. also judge exclusively the internal alignment of information security to
lead to a competitive advantage for the organisation. It is hence a defensive measure of
streamlining that leads to cost reductions and operational benefits, and not a proactive measure
that adds value to the organisation. Birchall et al. further organise around this alignment a
mechanism of board, strategic and operational action that is controlled through audits and the
attribution of responsibilities in the organisation, and is hence more holistic than Moulton and
Coles’ BPIRM model. Their claim that strategic alignment leads to an improvement of
the organisation’s information security management could also be confirmed in the present
research. In addition to the elements comprised in the MPIAS framework, the IFCS/EFCS
theory suggests an alignment of the internal and external function of corporate security, hence
598 See Birchall, D., Ezingeard, J., McFadzean, E., Howlin, N., Yoxall, D., Information assurance: Strategic alignment and competitive advantage, 2004.
takes customer concerns into consideration in order to either proactively provide proof points
or adjust to the customer risk perception.
Both frameworks focus on the internal network, but mention new technology media
such as the internet or new technology interfaces such as the usage of portable computer
devices only as a threat to the organisation’s IFCS. The IFCS/EFCS theory demonstrates under
what circumstances information security can add value to the organisation and what the
conditions are for information security to become a source of revenue for the organisation.
The IFCS/EFCS theory enlarges existing information security literature building on a
number of thoughts developed in information security concepts such as the responsibility
modelling developed by Backhouse and Dhillon, the Security Knowledge Management System
developed by Belsis, Kokolakis and Kiountouzis, the BPIRM model developed by Coles and
Moulton, and the MPIAS framework by Birchall et al. The IFCS/EFCS theory however
contributes to literature with its provision of a non-defensive security framework that
demonstrates information security as being an asset to an organisation and that takes the
external dimension of the information security function into account.
Conclusion
Chapter 9 contains the theory and hence the contribution of the dissertation to existing literature.
The empirical findings have been juxtaposed with the theoretical findings in Part I,
emphasising commonalities and differences.
The theory builds on the previous level of abstraction and summarises the thesis contribution.
The function of corporate security was found to have changed from a defensive instrument of
organisations to an instrument that can contribute to the organisation’s success through better
performance, distinctive competence and/or a competitive advantage. In order for information
security to become such a key element in an organisation’s business strategy, internal as well as
external variables must be considered. These key elements were further found to distinguish the
theory from other security frameworks demonstrating a new approach to analyse and research
information security organisation.
General Conclusion
The purpose of this research was to understand the current function of corporate security
within large organisations. Particular interest lay in investigating whether an
interrelationship between information security and business strategy exists and, as this could be
verified, of what nature this interrelationship is. This shift of the paradigm of information
security leads to a new understanding of it within information security research.
In this thesis’ general conclusion, a short overview is given of the topics addressed as well as the
empirical research conducted and the final discussion of findings. In a second paragraph, the
thesis’ contributions to theory, methodology and practice will be summarised. In a third
paragraph the implication of the research approach will be discussed, thus its limitations and
the adequacy of the research framework. In a final paragraph, areas of further research will be
identified that can build on the present research work.
a) Overview of the Thesis
In the introduction of the dissertation an initial theoretical construct was presented,
providing a guideline on what constitutes in literature the function of corporate security. Its
variables have been identified theoretically in the first part of the dissertation. Environmental
factors such as time/risk or globalisation and the technical development were found to
influence the corporate security function (Chapter 1). The technological improvement has led
to a sophistication of attacks but also to increased possibilities to gain control and automate
security processes to provide confidentiality, integrity and availability. The holistic
approach striven for, which takes a comprehensive point of view, also includes behavioural security threats
that can originate from outside the company as well as from inside (Chapter 2). Important
developments have also taken place in the domain of information security governance.
Regulatory requirements became more confining for organisations. Varieties of information
security standards emerged and provide guidelines of best practice and benchmarking for
organisations (Chapter 3). Last but not least, risk management has to adjust to regulations, the
nature of threats and the business environment. The assessment of security risks is one of the
central themes in information security literature and shaped the new information security term
information risk management (Chapter 4).
In Chapter 6 an overview of information security concepts, models and frameworks has
been given to analyse existing theories and research on the topic. Finally three frameworks were
found to contribute to the IFCS/EFCS theory developed in the present research: a knowledge
management-based approach that encourages the collection of external data to improve
information security knowledge, an adoption of Porter’s value chain arguing that good
corporate governance leads to a higher brand value, better reputation and hence better
performance. Thirdly, the MPIAS framework argues that strategic alignment can create a
competitive advantage as well as operational benefits. Overall the thesis was placed in the
conceptual framework of responsibility modelling, acknowledging the fact that if information
security is a part of an organisation’s business strategy, agents such as customers and investors
must be taken into account.
The research question formulated in the introduction was whether there is an
interrelationship between information security and business strategy, and if yes what is the
nature of this interrelationship. Chapter 5 therefore analyses the concept of business strategy to
provide a qualification for the empirical research in Part II. The methodology was hence
adjusted to the research question and the variables identified in Part I which suggested an in
depth analysis of multiple case studies. The methodology developed by Eisenhardt to build
theory on case study research was further used to carry out the empirical analysis of four case
studies in the banking, telecommunications and software development sector. These were
carried out in three European countries - the UK, Switzerland and Germany - with large
multinational organisations. Chapter 8 contains an in-depth analysis of these four case studies
and additional interviews with other multinational organisations that helped shape the
hypothesis and theory. The individual case studies are structured according to the initial
construct (Figure 1) presented in Part I. Findings are compared and summarised in the final
cross-case analysis of Chapter 8. Based on these results, Chapter 8 introduces for the first time a
differentiation of the internal and the external function of corporate security. Findings from
both the in-depth analysis as well as the cross-case analysis are discussed in conjunction with
literature and information security frameworks in Chapter 9.
Chapter 9 further contains the developed hypothesis and theory of the dissertation which is
introduced in three levels. First, the notion of an internal and external function of corporate
security is put forth extending the existing literature on how information security relates with
its internal function to the outside. Definitions of the IFCS and the EFCS are given. In a
second step the role of customers in the framework is defined. A distinction is made between
business and retail customers as they possess different levels of expertise, technical capabilities
and security concerns. Thirdly, the CIA security principles are attributed to different functions
in the IFCS/EFCS framework.
In summary, the thesis demonstrates how the change in the function of corporate security
leads to a shift of the information security paradigm, information security becoming of reputational
and also financial value to an organisation.
b) Contributions
Overall, the present research work is intended to lead to a better understanding of the information
security artefact. The thesis aims to bridge an existing gap between the technical construct,
behaviour-driven interpretive research and management literature. Theoretical,
methodological and practical contributions have been made and will be presented in the
following section.
i) Theoretical Contributions
The thesis’ overall theoretical contribution is to organisation theory literature. The
organisation is at the centre of research and is analysed as an artefact to help understand the
variables and interrelationships that influence the function of corporate security. Different
variables influence the perception and knowledge of agents - here organisations. Organisations
take responsibility according to their social role, which is determined either by legal obligations or
by the personal judgement of their customers.
Within the information security research domain the IFCS/EFCS theory contributes to
the responsibility-modelling research stream as well as to information security management
research. A novelty is the introduction of the customer as an agent in information security
research. While the influence of reputation and trust on customer action has been the topic of
a number of articles, the influence of customers on organisation strategy and theory has
remained a gap in the literature. The IFCS/EFCS model is the first theory in which a direct
relationship has been established between the external environment and the function of
corporate security, and it provides the organisation with a theoretical framework for improving
its information security management under new environmental and competitive circumstances.
The thesis further gives detailed information on the process by which, and the reasons why,
organisations have established an external function of information security. It thus contributes
to the theoretical artefact concerned with the interrelationship of information security
technicality and strategic management. As the technical interface emerges as a new interactive
medium between organisation and customer, trust in and the reputation of this interface
become increasingly important. By researching how organisations translate security concerns
into technology, the thesis contributes to a socio-technical approach.
ii) Methodological Contributions
The present research work makes a number of methodological contributions to the
information security literature.
Its first methodological contribution lies in the empirical research and validation of the
findings of the IFCS/EFCS theory. So far, very few organisational theories exist in the
information security literature, and only a small proportion of these can claim empirical
validation. Most information security frameworks have either been developed on a theoretical
basis, such as Hong et al.'s Integrated System Theory of Information Security Management599
or Von Solms's Information Security Management Model and Information Security
Governance Framework600, or have been adapted from other management frameworks, such as
Porter's Value Chain601, Clark's Opportunity Structure for Crime602 or Gao et al.'s Knowledge
Creation Theory603. The empirical approach taken in this thesis hence contributes to the
limited body of empirical research in this field.
599 See Hong, K., Chi, Y., Chao, L., Tang, J., An integrated system theory of information security management, 2003, pp. 243.
600 See Von Solms, R., Von Solms, S.H., Caelli, W.J., A Model for Information Security Management, 1993, pp. 12; see Posthumus, S., Von Solms, R., A framework for the governance of information security, 2004, pp. 644.
601 See Halliday, S., Badenhorst, K., Von Solms, R., A business approach to effective information technology risk analysis and management, 1996, pp. 25; see Coles, R., Moulton, R., Operationalizing IT risk management, 2003, pp. 491.
602 See Willison, R., Backhouse, J., Re-conceptualising IS security: Insights from a criminological perspective, 2005, pp. 24.
603 See Belsis, P., Kokolakis, S., Kiountouzis, E., Information systems security from a knowledge management perspective, 2005, pp. 196.
The research further distinguishes itself by its method. Birchall et al. use a Delphi
method604, i.e. expert rounds and interviews, to provide empirical evidence. Gurpreet
Dhillon based his thesis on two case studies in the public sector: the Sunrise NHS Trust
and the Southam Borough Council.605 The present research is based on multiple case studies in
the commercial field, in different sectors and countries. It therefore provides detailed insight
into organisational structures and processes while at the same time revealing cross-sectoral
and cross-cultural commonalities and differences. In addition to twenty-three interviews, data
triangulation, i.e. the use of multiple research methods, was applied with the aim of validating
the research findings quantitatively. The research methodology hence functions as a
bridge between qualitative interpretive research on the one hand and quantitative positivistic
research on the other. The methodological contribution of the present research work is
hence the advancement of the research strategy used so far in information security research,
and specifically in information security management.
iii) Practical Contributions
The present research work delivers empirical evidence on how organisations can, under
given prerequisites, use information security to the benefit of their business. Primarily, the
IFCS/EFCS theory extends existing organisational information risk management structures,
which cover the internal alignment of information security governance, IT security, formal and
informal measures and risk assessment, by adding an external dimension. This external
dimension helps organisations to adjust their security priorities not only to the capabilities of
attackers and the demands of the regulator, but also to what customers expect from their
service or product provider. Aligning internal and external corporate security helps to set
priorities and to use information security more effectively.
The thesis further gives practical information on the boundary that determines when
customers are willing to pay for security products and services, hence how organisations can
determine when information security becomes a source of revenue for them. This boundary
depends on legal requirements, but also on the cultural and ethical background of the
customers.
604 See Birchall, D., Ezingeard, J., McFadzean, E., Howlin, N., Yoxall, D., Information assurance: Strategic alignment and competitive advantage, 2004, p. 2.
605 See Dhillon, G. S., Interpreting the Management of Information Systems Security, 1995, pp. 2.
Practical contributions further include high-level information on organisational and
business strategy, i.e. how organisations can use information security to improve their
performance and competitive standing or to increase their revenue, not only through cost
reduction but by adjusting their priorities, and consequently their spending, to customer
demand and to their competitors.
In summary, the thesis makes the following contributions:
Thesis Contributions

Theoretical
- Verification of an interrelationship between information security and business strategy: bargaining power of customers, threat of new entrants, peer group pressure and internalisation of assets have been identified as the major drivers
- Emergence of a new approach in information security research by considering information security as a value-adding and not as a preserving/defensive measure: better performance and competitive advantage are the critical variables
- Development of the IFCS/EFCS theory, introducing the concept of boundaries of responsibility and an external function of corporate security
- Classification of the CIA principles according to their role in the organisation
- Introduction of customers and investors as agents in the responsibility modelling framework
- The IFCS/EFCS theory contributes to organisation theory using a socio-technical approach

Methodological
- Contribution to empirical data in information security research
- Use of multiple case studies based on qualitative and quantitative data to build information security management theory

Practical
- The thesis provides high-level information on organisation and business strategy, identifying threats and opportunities in the context of information security
- The thesis gives detailed information on regulations, organisational structures and processes in order to improve the management, performance and competitiveness of an organisation through a holistic information security management framework

Table 10: Summary of Thesis Contributions
c) Implications of the Research Approach
Although the author believes that the best research approach was chosen for the purpose of
the present research work, this approach has a number of implications that result in research
design limitations. The adequacy of the research approach is therefore evaluated here in the
final conclusion.
i) Adequacy of the Research Framework
The author judges theory building through multiple case studies to be the best choice for the
research purposes of the thesis. Because the topic of information security strategy has so far
received little attention in the security literature, there are few existing research results and
theories to build on or extend. Empirical data in information security research are still rarely
generated, and then not in large quantities. The information security community still
oscillates between technical-positivistic and interpretive-behavioural research. The wide and
important field of information security management and information security strategy has so
far been picked up only by economic researchers attempting to quantify the ideal investment in
information security in organisations by weighing expenses against potential losses. The
present research work opens a new dimension for further research. In order to substantiate this
fundamental shift in research, the solidity of the research methodology and results was the
priority. Weighing the advantages and disadvantages of qualitative and quantitative
research discussed earlier, this research framework combines significant depth with sufficient
breadth, in order to produce enough detail to explain the "why" while also claiming analytical
generalisation across different industries and cultural backgrounds. The research framework,
however, only provides first evidence for the existence of such a paradigm shift and for its
basic components. Further research has to provide evidence in the form of statistical
generalisation, building on the thesis findings and theory.
ii) Research Design Limitations
In order to gain sufficient empirical evidence to create a substantial basis for a
hypothesis and theory, a limited number of four cases was chosen; this is at the same
time the main limitation of the research design. The most fundamental decision was hence to
conduct a qualitative rather than a quantitative study. Although the research design contains
quantitative elements through the number of interviews and additional quantitative primary
sources, four case studies can only provide limited evidence. No statistical generalisation can be
claimed for the theoretical construct, which makes it difficult to argue for the general replication
of the results in other industries.606
Another limitation of the research design is that the time spent within each organisation was
confined to the point at which the researcher felt that information saturation had been reached.
The researcher therefore could not gain an independent view of the long-term process leading
to the change in the function of corporate security within the organisations. The author's
observations thus only give a snapshot of current developments, and the process is reconstructed
from the information gained from interviewees. A longitudinal study could have provided
further evidence on the process angle.
Implications of the Research Approach

Adequacy of the Research Framework
- The research framework provides the depth and breadth needed to research the phenomenon in question and to claim analytical generalisation for the IFCS/EFCS theory

Research Design Limitations
- No statistical generalisation can be claimed
- No longitudinal observation of the researched processes has been carried out

Table 11: Summary of Implications of the Research Approach
d) Areas of Further Research
The purpose of the thesis was an exploratory study of the function of corporate security and of
the interrelationship between information security and business strategy. The thesis provides
evidence that such an interrelationship has developed in recent years and has become part of
the function of corporate security, especially within large organisations. Several areas of further
research build on this finding.
606 At the same time it must be considered that the IFCS/EFCS theory picks up a fairly recent phenomenon in industry. Although there is little doubt that the role of information security and of customer awareness will grow in the future, a quantitative study must take into account the level of awareness among the agents in the IFCS/EFCS framework in order to produce significant results.
First, a quantitative cross-industry analysis researching the existence of an EFCS across
sectors would give further insight into market developments, i.e. in which industry sectors
customers are particularly interested in information security measures and in which industry
sectors organisations believe that they can gain a competitive advantage through enhanced
information security. This would lead to a statistical generalisation of the IFCS/EFCS theory.
A further enhancement of the IFCS/EFCS theory would be to investigate the boundary of
responsibilities in more detail, i.e. the perceived duty of care between organisations and their
business and retail customers. Especially in the social sciences it would be of interest to
research the personal value of security to customers and whether the customer's understanding
of the technology and awareness of security risks influence this value. Moreover, it is
important to investigate how customers evaluate reputation and trust, and when they see it as
their personal responsibility to secure access to their personal information.
A third area of further research is the extension of the IFCS/EFCS theory with the Security
Knowledge Management System developed by Belsis, Kokolakis and Kiountouzis. Such an
extension would provide further insight into how the knowledge gained on customer concerns
and priorities could be used inside the organisation to improve information security
management. This amendment of the IFCS/EFCS theory would then also contribute to
organisation theory.
Areas of Further Research

IFCS/EFCS Theory
- A quantitative cross-industry analysis of the results researched here might lead to a statistical generalisation of the elements of the IFCS/EFCS theory
- Research into the variables that determine the boundary of responsibility and the perceived duty of care for security between organisations and customers
- Extension of the IFCS/EFCS theory with the Security Knowledge Management System of Belsis et al.

Table 12: Areas of Further Research
Epilogue
Information security is of growing importance because of the increased storage of information
as data on technical devices and its transmission over technical media. The need for security,
however, seems to grow with the lack of interpersonal contact, and technical security
measures must inspire trust. Despite all benchmarks, security is a matter of personal
judgement and should be treated as such. Given the lack of liability and the uncertainty of risks,
customers decide on the level of risk they are willing to take and thereby create a market for
competition. Some customers are willing to contribute to their own security, creating revenue
potential for producers and service providers.
Organisations must become aware of the importance of security in their transactions with
customers and/or peer organisations. Security has become more than a purely defensive
measure and an expense that can contribute to the business only through the reduction of
costs. Information security in banking translates into a reduction of operational losses and,
in turn, into freed equity capital. In service industries it translates into better reputation, a
competitive advantage and potentially higher revenue. For corporations in general it translates
into more risk-aware and responsible investors. It is the bargaining power of customers, peer
group pressure and the threat of new entrants that influence business strategy through a change
in the function of corporate security. These variables were found to constitute the
interrelationship between information security and business strategy.
The thesis argues and provides evidence for a new understanding of information security and
provides the basis for further research in this field.
References

A
Adams, Anne, Sasse, Martina Angela, Privacy in Multimedia Communications: Protecting Users, Not Just Data, In: People and Computers XV - Interaction without frontiers, Blandford, A., Vanderdonkt, J., Gray, P., Springer, Lille, 2001, pp. 49-64.
Allen, Linda, Boudoukh, Jacob, Saunders, Anthony, Understanding market, credit, and operational risk: the value at risk approach, Chapter five: Extending the VaR approach to operational risks, Blackwell, Malden, 2004, pp. 158-199.
Althaus, K., Backhouse, James, An expert system for the modelling of legal norms, In: Knowledge-Based Management Support Systems, Doukidis, G., Land, F., Miller, G., Ellis Horwood Books, Chichester, 1989, pp. 313-325.
Andersen, T.J., Information technology, strategic decision making approaches and organizational performance in different industrial settings, The Journal of Strategic Information Systems 10, No. 2, 2001, pp. 101-119.
Anderson, James M., Sockol, David, International Outsourcing: An Effective Security Enhancement, Information Security Bulletin 9, May 2004, pp. 131-138.
Anderson, James M., Why we need a new definition of information security, Computers & Security 22, No. 4, 2003, pp. 308-313.
Andrews, Kenneth R., The Concept of Corporate Strategy, 3rd Ed., Homewood, 1987, pp. 132.
Audit Commission, Opportunity Makes a Thief: An Analysis of Computer Abuse, Audit Commission Publications, London, 1994, pp. 27.

B
Backhouse, James, Dhillon, Gurpreet, Structures of responsibilities and security of information systems, European Journal of Information Systems 5, No. 1, 1996, pp. 2-10.
Backhouse, James, Silva, Leiser, Hsu, W.Y., Circuits of Power in Creating de Jure Standards: Shaping the International IS Security Standard, Management of Information Systems Quarterly (forthcoming special issue on Standards 2006), pp. 16.
Bahli, Bouchaib, Benlimane, Younes, An exploration of wireless computing risks: Development of a risk taxonomy, Information Management & Computer Security 12, No. 3, Emerald Press, 2004, pp. 245-254.
Barnes, Didi, Portable Computing Devices: New Risks - New Remedies, Information Security Bulletin, March 2004, pp. 57-66.
Bartlett, Christopher A., Ghoshal, Sumantra, Matrix management: Not a structure, a frame of mind, Harvard Business Review 68, No. 4, 1990, pp. 138-145.
Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards, Revised Framework (Basel II), 2004, pp. 251.
Baskerville, R., Risk analysis: an interpretive feasibility tool in justifying information systems security, European Journal of Information Systems 1, No. 2, 1991, pp. 121-130.
Baskerville, Richard, Designing Information Systems Security, John Wiley Information Systems Series, Chichester, 1988, pp. 247.
Bauer, Martin W., Gaskell, George, Qualitative researching with text, image and sound - a practical handbook, Sage Publications, London, 2000, pp. 384.
Belanger, France, Hiller, Janine S., Smith, Wanda J., Trustworthiness in electronic commerce: the role of privacy, security, and site attributes, Journal of Strategic Information Systems 11, No. 4, Elsevier, 2002, pp. 245-270.
Belcher, Tim, Yoran, Elad, Riptech Internet Security Threat Report, Vol. II, Riptech Inc., July 2002, pp. 43.
Belsis, Petros, Kokolakis, Spyros, Kiountouzis, Evangelos, Information systems security from a knowledge management perspective, Information Management & Computer Security 13, No. 3, Emerald Press, 2005, pp. 189-202.
Benbasat, Izak, Goldstein, David K., Mead, Melissa, The Case Research Strategy in Studies of Information Systems, MIS Quarterly 11, No. 3, 1987, pp. 369-386.
Bennett, Roger, Gabriel, Helen, Reputation, Trust and Supplier Commitment: the case of shipping company/seaport relations, Journal of Business & Industrial Marketing 16, No. 6, 2001, pp. 424-438.
Bequai, August, Safeguards for IT managers and staff under the Sarbanes-Oxley Act, Computers & Security 22, No. 2, Elsevier, 2003, pp. 124-127.
Bernstein, Peter L., Against the gods: The remarkable story of risk, John Wiley & Sons Inc, New York, 1998, pp. 383.
Bharadwaj, A., A resource-based perspective on information technology capability and firm performance: an empirical investigation, MIS Quarterly 24, No. 1, 2000, pp. 169-196.
Bhimani, Alnoor, Expenditures on Competitor Analysis and Information Security: A Managerial Accounting Perspective, In: Management Accounting in the Digital Economy, edited by Bhimani, Alnoor, Oxford University Press, 2003, pp. 95-111.
Birchall, David, Ezingeard, Jean-Noel, McFadzean, Elspeth, Howlin, Neil, Yoxall, David, Information assurance: Strategic alignment and competitive advantage, Henley Management College and QinetiQ, Grist, London, 2004, pp. 73.
Birman, K. P., The next-generation internet: unsafe at any speed, IEEE Computer 33, No. 8, 2000, pp. 54-60.
Blakley, Bob, McDermott, Ellen, Geer, Dan, Information Security is Information Risk Management, ACM New Security Paradigms Workshop, Conference Paper, ACM Press, New York, 2001, pp. 97-104.
Bombel, Adam, The World's Best Internet Banks 2005, Global Finance 19, No. 8, 2005, pp. 31-33.
Bouchard, Thomas J., Jr., Unobtrusive measures: An inventory of uses, Sociological Methods and Research 4, No. 3, 1976, pp. 267-300.
Bourgeois, L. J. III, Toward a Method of Middle-Range Theorizing, Academy of Management Review 4, No. 3, 1979, pp. 443-447.
British Standards Institution (BSI), BS 7799: A Code of Practice for Information Security Management, 1st & 2nd ed., 1993/1995, pp. 108/35.
Buffa, Elwood Spencer, Modern Production Management, 4th Ed., John Wiley & Sons Ltd, New York, 1973, pp. 704.
Bundesamt für Sicherheit in der Informationstechnik, IT Security Guidelines, 2000, pp. 48.
Bundesrepublik Deutschland, Strafgesetzbuch, 1871, in the version of 2006.
Burrell, Gibson, Morgan, Gareth, Sociological Paradigms and Organisational Analysis: Elements of the Sociology of Corporate Life, Heinemann Educational, London, 1979, pp. 432.

C
Carmeli, Abraham, Tishler, Asher, Perceived Organizational Reputation and Organizational Performance: An Empirical Investigation of Industrial Enterprises, Corporate Reputation Review 8, No. 1, Henry Stewart Publications, 2005, pp. 13-30.
Caudill, E.M., Murphy, P.E., Consumer Online Privacy: Legal and Ethical Issues, Journal of Public Policy and Marketing 19, No. 1, 2000, pp. 7-19.
Cavanagh, Thomas E., Corporate Security Management: Organization and Spending Since 9/11, The Canadian Conference Board, Survey 2003, pp. 55.
CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Overview Incident and Vulnerability Trends, Survey Module 1, 2003, pp. 32.
Chakravarthy, Balaji, Doz, Yves, Strategy Process Research: Focusing on Corporate Self-Renewal, Strategic Management Journal 13, Special Issue, 1992, pp. 5-14.
Chan, Yolande E., Huff, Sid L., Barclay, Donald W., Copeland, Duncan G., Business Strategic Orientation, Information Systems Strategic Orientation, and Strategic Alignment, Information Systems Research 8, No. 2, 1997, pp. 125-150.
Chan, Yolande, Competing Through Information Privacy, In: Competing in the Information Age: Align in the Sand, Luftman, Jerry N., 2nd Ed., Oxford University Press, 2003, pp. 350-361.
Charette, R.N., Application Strategies for Risk Analysis, McGraw-Hill, 1990, pp. 210.
Club Informatique des Grandes Entreprises Françaises (CIGREF), Intelligence économique et stratégique : Les systèmes d'information au cœur de la démarche, 2003, http://www.cigref.fr/cigref/livelink.exe/fetch/-9159/27381/IES-web2.pdf?nodeid=27382&vernum=0, visited on 16. 11. 2004, pp. 131.
CLUSIS - Maury, Claude, Comparaison succincte entre les normes ISO/IEC 17799:2000 et ISO/IEC 17799:2005, Lausanne, July 2005, pp. 11.
Coles, Robert, Moulton, Rolf, Operationalizing IT risk management, Computers & Security 22, No. 6, Elsevier, 2003, pp. 487-493.
Coles, Robert Stephen, Organizational perceptions of information and IT risk: an investigation of task and institutional influences on cognition over time, University of Leeds, PhD Thesis, 2003, pp. 293.
Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management - Integrated Framework, Executive Summary, 2004, http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf, visited on 16. 8. 2005, pp. 16.
Computer Security Institute/FBI, 2005 Computer Crime and Security Survey, 2005, pp. 26.
Corporate Governance Task Force, Information Security Governance: A Call to Action, released April 2003, http://www.cyberpartnership.org/InfoSecGov4_04.pdf, visited on 14. 8. 2005, pp. 49.
Cottings, Doug, Annual Online Banking Survey, Ipsos Insight, 2005.
Creswell, John W., Qualitative Inquiry and Research Design: Choosing Among Five Traditions, SAGE Publications, London, 1998, pp. 402.
Creswell, John W., Research design: Qualitative and quantitative approaches, SAGE Publications, London, 1994, pp. 228.
Crotty, Michael, The Foundations of Social Research: Meaning and Perspective in the Research Process, SAGE Publications, London, 2003, pp. 248.
D
Daniels, Caroline, Information Technology: The Management Challenge, Addison-Wesley/Economist Intelligence Unit, 1993, pp. 199.
Daniels, John L., Daniels, N. Caroline, Global Vision: Building New Models for the Corporation of the Future, McGraw-Hill, 1993, pp. 224.
Das, Sidhartha R., Zahra, Shaker A., Warkentin, Merrill E., Integrating the content and process of strategic MIS planning with competitive strategy, Decision Sciences 22, No. 5, 1991, pp. 953-984.
DACS Gold Practices, Formal Risk Management, http://www.goldpractices.com/practices/frm/index.php, visited on 20. 6. 2005.
De Blasis, Jean-Paul, Fondements de la sécurité des systèmes d'information, Documentation Formation Continue CSSI, Geneva, 2004, pp. 42.
De Blasis, Jean-Paul, Le défi de la mise en conformité (Compliance) pour les systèmes d'information, Séminaire Sécurité d'Xpert Solutions S.A., Geneva, 2006, pp. 7.
De La Fuente Sabate, Juan Manuel, De Quevedo Puente, Esther, Empirical Analysis of the Relationship Between Corporate Reputation and Financial Performance: A Survey of the Literature, Corporate Reputation Review 6, No. 2, Henry Stewart Publications, 2003, pp. 161-177.
Denzin, Norman K., Lincoln, Y.S., Handbook of Qualitative Research, SAGE Publications, Thousand Oaks, 1994, pp. 643.
Denzin, Norman K., The Research Act: A Theoretical Introduction to Sociological Methods, 2nd edition, McGraw-Hill, New York, 1978, pp. 370.
Department of Trade and Industry, Information Security Breaches Survey, 2004, pp. 36.
Department of Trade and Industry, Information Security: Hard Facts, 2004, pp. 11.
Department of Trade and Industry, Information Security: Protecting Your Business Assets, 2004, pp. 30.
Department of Trade and Industry, Outsourcing IT-Based Services for Small and Medium Enterprises: Security Issues, 2004, pp. 5.
Department of Trade and Industry/PricewaterhouseCoopers, Information Security Breaches Survey, 2006, pp. 36.
Dhillon, Gurpreet S., Interpreting the Management of Information Systems Security, London School of Economics and Political Science, Ph.D. Thesis, 1995, pp. 288.
Dhillon, Gurpreet, Backhouse, James, Current directions in IS security research: towards socio-organizational perspectives, Information Systems Journal 11, No. 2, 2001, pp. 127-153.
Dhillon, Gurpreet, Backhouse, James, Information System Security Management in the New Millennium, Communications of the ACM 43, No. 7, 2000, pp. 125-128.
Dhillon, Gurpreet, Challenges in Managing Information Security in the New Millennium, In: Information Security Management: Global Challenges in the New Millennium, edited by Dhillon, Gurpreet, Idea Group Publishing, 2001, pp. 1-9.
Dhillon, Gurpreet, Principles for Managing Information Security in the New Millennium, In: Information Security Management: Global Challenges in the New Millennium, edited by Dhillon, Gurpreet, Idea Group Publishing, 2001, pp. 173-177.
Dowling, Graham, Corporate Reputation: Should you compete on yours?, California Management Review 46, No. 3, 2004, pp. 19-37.
Dowling, Graham, Reputation risk: it is the board's ultimate responsibility, Journal of Business Strategy 27, No. 2, Emerald Publishing, 2006, pp. 59-68.

E
Earl, Michael, Knowledge management strategies: toward a taxonomy, Journal of Management Information Systems 18, No. 1, 2001, pp. 215-233.
Eisenhardt, Kathleen M., Building Theories from Case Study Research, Academy of Management Review 14, No. 4, 1989, pp. 532-550.
Eloff, Jan H. P., Eloff, Mariki, Information Security Management: A New Paradigm, Proceedings of the 2003 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on Enablement through Technology (SAICSIT '03), Conference Paper, 2003, pp. 130-136.
Ensor, Benjamin, Forrester Phishing Report: What UK Net Users Think About Phishing, Forrester Research Publications, Cambridge M.A., 2005, pp. 14.
Ernst & Young, Global Information Security Survey 2002, Presentation Services, 2002, pp. 20.
Ernst & Young, Global Information Security Survey 2004, Presentation Services, 2004, pp. 28.
European Parliament and Council, Directive on privacy and electronic communications, 2002/58/EC, Official Journal of the European Communities, 2002, pp. 11.
F
Fahey, Liam, Christensen, H. Kurt, Evaluating the research of strategy content, Journal of Management 12, No. 2, 1986, pp. 167-183.
Fama, E.F., Fisher, L., Jensen, M., Roll, R., The adjustment of stock prices to new information, International Economic Review 10, No. 1, 1969, pp. 1-21.
Fawzi, Riad, Evaluating Organisational Privacy Policy Implementation, London School of Economics and Political Science, Ph.D. Thesis, 2004, pp. 284.
Feeny, D., Ives, B., In search of sustainability: reaping long-term advantage from investment in information technology, Journal of Management Information Systems 7, No. 1, 1990, pp. 27-46.
Fombrun, Charles J., Reputation: Realizing Value from the Corporate Image, Harvard Business School Press, Boston, 1996, pp. 441.
Fombrun, Charles J., Foss, Christopher, Business Ethics: Corporate Responses to Scandal, Corporate Reputation Review 7, No. 3, Henry Stewart Publications, 2004, pp. 284-288.
Fombrun, Charles J., Shanley, Mark, What's in a Name? Reputation Building and Corporate Strategy, Academy of Management Journal 33, No. 2, 1990, pp. 233-258.
Freeman, R. Edward, Strategic Management: A Stakeholder Approach, Pitman Publishers, 1984, pp. 276.

G
Galbreath, Jeremy, An overview of the role of information technology in strategic management: Part 1, International Journal of Information Technology Management 2, No. 4, Inderscience Enterprises, 2003, pp. 291-311.
Galliers, Robert, Choosing Information Systems Research Approaches, In: Information systems research: issues, methods and practical guidelines, edited by Galliers, Robert, Blackwell Scientific, London, 1992, pp. 144-162.
Garg, Ashish, Curtis, Jeffrey, Halper, Hilary, Quantifying the financial impact of IT security breaches, Information Management & Computer Security 11, No. 2, MCB Press, 2003, pp. 74-83.
Gates, Bill, Speech at the RSA Conference 2005: Security: Raising the Bar, San Francisco, California, February 15, 2005, http://www.microsoft.com/billgates/speeches/2005/02-15RSA05.asp, visited on 12. 2. 2006.
Ghoshal, Sumantra, Bartlett, Christopher A., Moran, Peter, A new manifesto for management, Sloan Management Review 40, No. 3, Spring 1999, pp. 9-20.
References
266
Glaser, Barney, G., Strauss, Anselm L., The discovery of grounded theory: strategies for qualitative research, Weidenfeld and Nicolson, London, 1968, pp. 271. Gordon, Lawrence A., Loeb, Martin P., Managing Cybersecurity Resources: a cost-benefit analysis, McGraw-Hill, New York, 2005, pp. 223. Gordon, Lawrence A., Loeb, Martin P., The Economics of Information Security Investment, ACM Transactions on Information and System Security 5, No. 4, 2002, pp. 438-457. Gosschalk, Brian, Hyde, Allan, The contribution of research to corporate governance post-Enron, International Journal of Market Research 47, No. 1, 2005, pp. 29-44. Goulding, Christina, Grounded Theory: A Practical Guide for Management, business and Market Researchers, SAGE Publications, London, 2002, pp. 186. Granova, Anna, Eloff, J.H.P., A legal overview of phishing, Computer Fraud & Security, July Issue 7, 2005, pp. 6-11. Great Britain, Data Protection Act 1998, Elizabeth II, Chapter 29, Queen's Printer of Acts of Parliament, 1998. Guidentops, Erik and De Haes, Steven, CotiT 3rd Edition Usage Survey: Growing Acceptance of CobiT, Information Systems Control Journal 6, No. 1, 2002, pp. 2-4. Gupta, Anil K., Govindarajan, V., Business Unit Strategy, Managerial Characteristics, and Business Unit Effectiveness at Strategic Implementation, Academy of Management Journal 27, No. 1, 1984, pp. 25-41. H Halliday, Sharon, Badenhorst, Karin, Von Solms, Rossouw, A business approach to effective information technology risk analysis and management, Information Management & Computer Security 4, No.1, MCB Press, 1996, pp. 19-31. Harmantzis, F. Risky Business: Turbulent times focus attention on operational risk management in financial services, February 2003, OR&MS, Institute for Operations Research and the Management Sciences, http://www.lionhrtpub.com/orms/orms-2-03/frrisk.html, visited on 26. 8. 2005. Hawker, Andrew, Security and Control in Information Systems, Routledge, London, 2000, pp. 400.
Hedlund, Gunnar, A model of knowledge management and the N-form corporation, Strategic Management Journal 15, Special Issue, 1994, pp. 73-90. Heemstra, Fred J. and Kusters, Rob J., Dealing with risk: a practical approach, Journal of Information Technology 11, 1996, pp. 333-346.
References
267
Henderson, J.C, Venkatraman, N., Understanding strategic alignment, Business Quarterly 55, No.3, 1991, pp. 72-79. Herremans, Irene M., Akathaporn, Parporn, McInnes, Morris, An Investigation of corporate social responsibility reputation and economic performance, Accounting Organizations and Society 18, No. 7/8, Pergamon Press, 1993, pp. 587-604. Higgins, Huong Ngo, Corporate system security: towards an integrated management approach, Information Management & Computer Security 7, No.5, MCB Press, 1999, pp. 217-222. Hinde, Stephen, The Weakest Link, Computers & Security 20, No. 4, Elsevier, 2001, pp. 295-301. Hirschheim, R. A., Information Systems Epistemology: An Historical Perspective, In: Information systems research: issues, methods and practical guidelines, Robert Galliers, Blackwell Scientific, London, 1992, pp. 28-60. Hitt, Michael A., Ireland, R. Duane, Hoskisson, Robert E., Strategic Management: Competitiveness and Globalization Concepts, 3rd edition, South-Western College Pub, Cincinnati, 1999, pp. 502. Homans, G.C., Contemporary theory in sociology, In: Handbook of Modern Sociology, R. E. L. Faris, Rand McNally, Chicago, 1964, pp. 951-977. Höne, Karin, Eloff, J.H.P., Information security policy- what do international information security standards say?, Computers & Security 21, No. 5, Elsevier, 2002, pp. 402-409. Hong, Kwo-Shing, Chi, Yen-Ping, Chao, Louis, R., Tang, Jih-Hsing, An integrated system theory of information security management, Information Management & Computer Security 11, No.5, MCB Press, 2003, pp. 243-248. I Information Assurance Advisory Council, Corporate Governance & Information Assurance: What Every Director Must Know, Working Paper, 2002, pp. 20. Information Systems Security Association, May 2004, http://www.issa.org/gaisp/_pdfs/v30.pdf, visited on 18. 11. 2005, pp. 60. Information Systems Security Association, November 2003, http://www.issa.org/gaisp/_pdfs/overview.pdf, visited on 18. 11. 2005, pp. 21. 
Institute of Directors in South Africa, King II Report, Conference Sandton Convention Centre, Conference Paper, 2002, pp. 48. International Organization for Standardization, ISO/IEC 17799:2000, Information technology — Code of practice for information security management, 2000, pp. 84.
References
268
International Organization for Standardization, ISO/IEC TR 13335, Part 1-5, in AFNOR, La Sécurité Informatique: Manager et Assurer, Paris, 2002, pp. 379. International Organization of Standardization, Plan-Do-Check-Act Model, http://iso-17799.safemode.org/index.php?page=BS7799-2, visited on 28. 8. 2005. International Security Forum, Standard of Good Practice for Information Security, Version 4.1, 2005, pp. 278. IT Governance Institute and Information Systems Audit and Control Foundation, CobiT, 3rd edition, 2000: Management Guidelines, Executive Summary, Framework, Audit Guidelines, Control Objectives, Implementation Tool Set. IT Governance Institute, CobiT Mapping, 2004, http://isaca.org-COBIT_Mapping_Paper_6jan04.pdf, visited on 15. 8. 2005, pp. 63. IT Governance Institute, IT Control Objectives for Sarbanes Oxley, http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/IT_Control_Objectives_for_Sarbanes-Oxley_7july04.pdf, visited on 27. 5. 2005, pp. 92. J James, H., Coldwell, R.A., Corporate Security: An Australian Ostrich, Information Management & Computer Security 1, No. 4, MCB Press, 1993, pp. 10-12. Janczewski, Lech, Xinli Shi, Frank, Development of Information Security Baselines for Healthcare Information Systems in New Zealand, Computers & Security 21, No. 2, Elsevier, 2002, pp. 172-192. Jarillo, J. Carlos, Strategic Logic, Palgrave Macmillan, Hampshire, 2003, pp. 233. Jensen, M.C., Meckling, W.H., The Nature of Man, Journal of Applied Finance 7, No. 2, 1994, pp. 4-19. Jick, Todd D., Mixing qualitative and quantitative methods: Triangulation in action, Administrative Science Quarterly 24, No. 4, 1979, pp. 602-611. Joint Information Systems Committee (JISC), Developing a Security Policy, 2001, http://www.jisc.ac.uk/index.cfm?name=jcas_papers_security, consulted on August 16, 2005, pp. 5. Jordan, Ernie, Silcock, Luke, Beating IT Risk, John Wiley & Sons Ltd, New York, 2004, pp. 278.
References
269
K Kahle, Egbert, Merkel, Wilma, Fall- und Schadensanalyse bezüglich Know-how/ Informationsverlusten in Baden- Württemberg ab 1995, Sicherheitsforum Baden- Württemberg, Universität Lüneburg, 2004, pp. 95. Kaplan, Robert S., Norton, David P., Using the Balanced Scorecard as a Strategic Management System, Harvard Business Review 74, No.1, pp. 75-85. Katos, Vasilios, Adams, Carl, Modelling corporate wireless security and privacy, Journal of Strategic Information Systems 14, No. 3, 2005, pp. 307-321. Kay, John, Foundations of Corporate Success: How business strategies add value, Oxford University Press, Oxford, 1993, pp. 416. Kettunen, Pertti, Problems of the value added statement, University of Jyväakyla, Department of Economics and Management, No. 3, Working Paper, 1979, pp. 28. Knorr-Cetina, K., Bruegger, U., Global Microstructures: The Virtual Societies of Financial Markets, American Journal of Sociology 107, No. 4, 2002, pp. 905-950. Kogut, Bruce, Normative Observations on the International Value-Added Chain and Strategic Groups, Journal of International Business Studies 15, No. 2, 1984, pp. 151-167.
Kogut, Bruce, Zander, Udo, Knowledge of the firm and the evolutionary theory of the multinational corporation, Journal of International Business Studies 24, No. 4., Palgrave Macmillan, 1993, pp. 625-645.
Konsynski, B., McFarlan, W., Information partnerships—shared data, shared scales, Harvard Business Review 68, No. 5, 1990, pp. 114-120. Koved, L., Security Challenges for Enterprise Java in an E-Business Environment, IBM Systems Journal 40, No. 1, pp. 130-152. KPMG, 2002 Global Information Security Survey, 2002, http://www.kpmg.com/microsite/informationsecurity/isssurvey.html, visited on 25. 11. 2005. Kwok, Lam-for, Longley, Dennis, Information security management and modelling, Information Management & Computer Security 7, No. 1, MCB Press, 1999, pp. 30-39. L Landwehr, C.E., Computer Security, International Journal of Information Security 1, No. 1, 2001, pp. 3-13. Lari, Alireza, The transformational effects of technology on operations management, International Journal of Information Technology and Management 1, No. 2, 2002, pp. 256-272.
References
270
Laurence, Andrew, So What Really Changed After Enron?, Corporate Reputation Review 7, No. 1, Henry Stewart Publications, 2004, pp. 55-63. Leavitt, H.J., Whisler, T.L., Management in the 1980, Harvard Business Review 36, No. 6, 1958, pp. 41-48. Lee, Allen S., A Scientific Basis for Rigor and Relevance in Information- Systems Research, submission in process, presented at the London School of Economics and Political Science 20. 6. 2006, pp. 26. Lee, Matthew K.O., Turban, Efraim, A Trust Model for Consumer Internet Shopping, International Journal of Electronic Commerce 6, No. 1, Sharpe, 2001, pp. 75-91. Lester, T., The Reinvention of Privacy, The Atlantic Monthly, March 2001, pp. 27-29. Levin, H.A., Askin, F., Privacy in the Courts: Law and Social Reality, Journal of Social Issues 33, No. 3, pp. 138-153. Liebenau, Jonathan, Kärrberg, Patrik, International Perspectives on Information Security Practices: Opinions, Preferences and Tools in the Financial Services Industry, London School of Economics and Political Sciences, 2006, pp. 51. Lindup, Kenneth, Lindup, Heather, The Legal Duty of Care-A Justification for Information Security, Information Security Bulletin 8, No. 1, 2003, pp. 21-25. Liu, Chang, Marchewka, Jack T., Lu, June, Chun-Sheng, Yu, Beyond concern--- a privacy-trust-behavioral intention model of electronic commerce, Information & Management 42, No. 1, 2005, pp. 289-304. Lohmeyer, Daniel F., McCrory, Jim, Pogreb, Sofya, Managing Information Security, McKinsey Quarterly, Special Edition: Technology Issue 4, 2002, pp. 12-15. Lorsch, Jay W., Berlowitz, Leslie, Zelleke, Andy, Restoring Trust in American Business, MIT Press, Cambridge, 2005, pp. 185. Loveridge, Ray, Institutional Approaches To Business Strategy, In: The Oxford Handbook of Strategy: A Strategy Overview and Competitive Strategy, Volume 1, Oxford University Press, New York, 2003, pp. 98-131. Lowson, Robert H., Strategic operations management: the new competitive advantage, Routledge, London, 2002, pp. 
325. M Marshall, C., Measuring and Managing Operational Risk in Financial Institutions: Tools, Techniques and Other Resources. Wiley Frontiers in Finance, John Wiley & Sons, Inc., 2001, pp. 594.
References
271
May, Thornton, Strategic Ignorance: the new competitive high ground, Information Management & Computer Security 6, No. 3, MCB Press, 1998, p. 127. McFarlan, F. Warren, Information Technology changes the way you compete, Harvard Business Review 62, No. 3, 1984, pp. 98-103. McGuire, Jean B., Schneeweis, Thomas, Branch, Ben, Perceptions of Firm Quality: A case or result of firm performance, Journal of Management 16, No. 1, 1990, pp. 167-180. Merton, Richard K., Social theory and social structure, enlarged ed., Free Press, New York, 1968, pp. 702. META Group, Security Adoption and Deployment Strategies, www.metagroup.com/cgi-bin/inetcgi.jsp visited on 28.1.2006. Meyer, Alan D., What is Strategy’s Distinctive Competence?, Journal of Management 17, No. 4, 1991, pp. 821-833. Mintzberg, Henry, Somon, Robert, Basu, Kunal, Beyond Selfishness, 2002, MIT Sloan Management Review 44, No. 1, 2002, pp. 67-74. Mintzberg, Henry, The Strategy Concept I: Five Ps For Strategy, California Management Review 30, No. 1, 1987, pp. 11-24. Mitnick, Kevin D., Are You the Weak Link?, Harvard Business Review 81, No. 4, 2003, pp. 18-20. Miyazaki, A.D., Fernandez, A., Consumer perceptions of privacy and security risks for online shopping, The Journal of Consumer Affairs 35, No. 1, pp. 27-44. Miyazaki, A.D., Fernandez, A., Internet privacy and security: an examination of online retailer disclosures, Journal of Public Policy and Marketing 19, No. 1, 2000, pp. 54-61. Mosakowski, Elaine, Earley, P. Christopher, A Selective Review of Time Assumptions in Strategy Research, Academy of Management Review 25, No. 4, 2000, pp. 796-812. Moulton, Rolf and Coles, Robert S., Applying information security governance, Computers & Security 22, No.7, Elsevier, 2003, pp. 580-584. N National Institute of Standards and Technology, Computer Security Incident Handling Guide, U.S. Department of Commerce, NIST Special Publication 800-61, 2004, pp. 148. 
National Institute of Standards and Technology, Generally Accepted Principles and Practices for Securing Information Technology Systems, U.S. Department of Commerce, NIST Special Publication 800-14, 1996, p. 22.
References
272
National Research Council, Dr. David Clark (MIT), Computers at Risk, National Academy Press, 1991, pp. 303. Newton, J., Strategies for problem prevention, IBM Systems Journal 24, No. 3/4, 1985, pp. 248-263. O O’Brian, Dale G., Yasnoff, William A., Privacy, Confidentiality, and Security in Information Systems of State Health Agencies, American Journal of Preventive Medicine 16, No. 4, 1999, pp. 351-358. Office of Government Commerce, About ITIL, http://www.ogc.gov.uk/index.asp?id=1000367, visited on 16. 8. 2005. Oltsik, Jon, IT governance: is it the answer?, Tech Republic, CNET Networks, released January 22, 2003, http://www.zdnet.com.au/insight/0,39023731,20271444,00.htm, visited on 25. 5. 2005. Organisation for Economic Co-operation and Development, OECD Guidelines for the Security of Information Systems, OECD Publications, 1996, pp. 50. Organisation for Economic Co-operation and Development, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, http://www.oecd.org/dataoecd/16/22/15582260.pdf, visited on 2. 6. 2005, pp. 30. Orlikowski, Wanda J., Iacono, C. Suzanna, Research Commentary: Desperately Seeking the „IT” in IT Research- A Call to Theorizing the IT Artifact, Information Systems Research 12, No. 2, 2001, pp. 121-134. Orlitzky, M., Schmidt, F. Rynes, S., Corporate Social Responsibility and Financial Performance: a meta-analysis, Organization Studies 24, No. 3, 2003, pp. 403-441. Osborne, K., Auditing the IT Security Function, Computers & Security 17, No. 1, Elsevier, 1998, pp. 34-41. P Patton, Michael Quinn, Qualitative Evaluation and Research Methods, SAGE Publications, Newbury Park, 1990, pp. 432. Peters, Thomas J., Waterman, Robert H., In search of excellence: lessons from America’s best-run companies, Warner Books, New York, 1983, pp. 360. Podolny, Joel M., A Status-Based Model of Market Competition, American Journal of Sociology 98, No. 4, 1993, pp. 829-872.
References
273
Pollard, C., Telecom fraud: The cost of doing nothing just went up, Computers & Security 24, No. 7, Elsevier, 2005, pp. 437-439. Porter, Michael E. and Millar, V.E., How information gives you competitive advantage, Harvard Business Review, Nolan, Norton & Co, July-August 1985, pp. 149-160. Porter, Michael E., How competitive forces shape strategy, Harvard Business Review, Nolan, Norton & Co, March-April 1979, pp. 137-145. Porter, Michael E., The Competitive Advantage of Nations, Harvard Business Review, Nolan, Norton & Co, March-April 1990, pp. 73-93. Porter, Michael E., Competitive advantage: creating and sustaining superior performance, Revised 6th Edition, Free Press, 1998, pp. 557. Porter, Michael E., What is Strategy?, In: On Competition, Harvard Business School Publishing, Boston, 1998, pp. 39-73. Posthumus, Shaun, Von Solms, Rossouw, A framework for the governance of information security, Computers & Security 23, Elsevier, 2004, pp. 638-646. Poullet, Yves – Julia, Barcelo, Rosa, Health Telematics Networks: Reflections on Legislative and Contractual Models Providing Security Solutions, Electronic Communication Law Review 4, No. 3, Turpin Distribution Ltd, 1997, pp. 177. Power, R., 2002 CSI/FBI Computer Crime and Security Survey, Computer Security Issues & Trends 8, No. 1, 2002, p. 1-22. Prairie, Patti, Benchmarking IT Strategic Alignment, In: Competing in the Information Age: Strategic Alignment in Practice, Jerry N. Luftman, Oxford University Press, New York, 1996, pp. 242-290. PricewaterhouseCoopers, Martin Luther University, Global Economic Crime Survey 2005, http://bussmann2.jura.uni-halle.de/econcrime/PwC2005_globalcrimesurvey.pdf, consulted on November 30, 2005, pp. 36. Probst, Gilbert J. B., Leibold, Marius, Gibbert, Michael, Strategic Management in the Knowledge Economy, Wiley, 2002, pp. 354. Probst, Gilbert J. 
B., Gibbert, Michael, Leibold, Marius, Five Styles of Customer Knowledge Management, and How Smart Companies Use Them To Create Value, European Management Journal 20, No. 5, 2002, pp. 459-469. Purser, Steve, Balancing Threats and Opportunities, Information Security Bulletin 9, No.2, 2004, pp. 125-130.
References
274
Q Quinn, James Brian. Strategies for Change, In: The Strategy Process, Mintzberg, Henry, Quinn, James Brian, Ghoshal, Sumantra, Revised 2nd European Edition, Prentice Hall Europe, 1998, pp. 10-16. R Ragin, C. C., The Comparative Method: Moving beyond Qualitative and Quantitative Strategies, University of California Press, Berkley, 1987, pp. 185. Roberts, Peter W., Dowling, Graham R., Corporate reputation and sustained superior financial performance, Strategic Management Journal 23, No. 12, pp. 1077-1093. Rockart, John F., The Changing Role of the Information Systems Executive: A Critical Success Factors Perspective, Sloan Management Review, Fall 1982, pp. 3-13. Rodgers, John A., Yen, David C., Chou, David C., Developing e-business: a strategic approach, Information Management & Computer Security 10, No. 4, MCB Press, 2002, pp. 184-192. Rüegg-Stürm, Johannes, The New St. Gallen Management Model: Basic Categories of an Approach to Integrated Management, Palgrave Macmillan, Hampshire, 2005, pp. 88. Rumelt, Richard R., Evaluating Business Strategy, In: The Strategy Process: Concepts, Contexts Cases, Mintzberg, Henry, Lampel, Joseph, Quinn, James Brian, Ghoshal, Sumantra, Global Fourth Edition, Prentice Hall, 2003, pp. 80-88. Rumelt, Richard R., Toward a strategic theory of the firm, In: Competitive strategic management, Lamb, B., Prentice Hall, New Jersey, 1984, pp. 556-570. S Sambamurthy, V., Zmud, Robert, Arrangements for Information Technology Governance: A Theory of Multiple Contingencies, MIS Quarterly 23, June 1999, pp. 261-290. Schmundt, Hilmar, Verseuchter Seuchenschutz, Spiegel online, released December 5, 2005, http://www.spiegel.de/spiegel/0,1518,388324,00.html, visited 5. 12. 2005. Schultz, Eugene, Sarbanes-Oxley - a huge boon to information security in the US, Computers & Security 23, No.5, Elsevier, 2004, pp. 353-354. 
Schwarz, A., Hirschheim, R., An extended platform logic perspective of IT governance: managing perceptions and activities of IT, Journal of Strategic Information Systems 12, May 2003, pp. 129-166.
References
275
Scientific and Technological Options Assessment, Development of Surveillance Technology and Risk of Abuse of Economic Information, Vol. 1-5/5, European Parliament Press, Luxembourg, 1999. Scientific and Technological Options Assessment, Securing Process Control Systems - IT Security; Briefing Note, 2004, Internal Document, European Parliament, pp. 4. Scott, Susan V., Barrett, Michael I., The Development of Electronic Trading in the Futures Industry: Strategic Risk Positioning in a Globalising Age, London School of Economics and Political Science, Working Paper Series, 113, 2002, pp. 24. Selznick, Philip, Leadership in Administration: A Sociological Interpretation, Harper and Row, New York, 1957, pp. 162. Shain, Michael, An Overview of Security: Information At Risk/The Nature of Security-Confidentiality, Integrity and Availability, In: Information security handbook, Caelli, William, Longley, Dennis, Shain, Michael, Basingstoke, Macmillan, 1991, pp. 1-9. Sheriff, Mohamed Abdul, The Value of Information in Organisations: A Study of Information Use Situations as Contexts of Value, London School of Economics and Political Science, Ph.D. Thesis, 2000, pp. 243. Siponen, Mikko T., A conceptual foundation for organizational information security awareness, Information Management & Computer Security 8, No. 1, MCB Press, 2000, pp. 31-41. Siponen, Mikko T., An Analysis of the Recent IS Security Development Approaches: Descriptive and Prescriptive Implications, In: Information Security Management: Global Challenges in the New Millennium, edited by Dhillon, Gurpreet, Idea Group Publication, 2001, pp. 101-123. Siponen, Mikko T., Designing Secure Information Systems and Software, University of Oulu, Ph.D. Thesis, 2002, pp. 78. Siponen, Mikko T., Analysis of Modern IS Security Development Approaches: towards the next generation of social and adaptable ISS methods, Information and Organisation 15, No. 4, 2005, pp. 339-375. 
Smith, H.S., Milberg, S.J., Burke, S.J., Information Privacy: Measuring individuals’ concerns about organizational practices, MIS Quarterly 20, No. 2, 1996, pp. 167-196. Smith, Herman W., Strategies of Social Research: the Methodological Imagination, Prentice-Hall, Englewood Cliffs, 1975, pp. 423. Sommer, Peter, Identity Management and Digital Evidence, Information Assurance Advisory Council, 6th Symposium Report, Conference Paper, October 2005, pp. 10. Sousa De Vasconcellos E Sa, Jorge Alberto, Hambrick, Donald C., Key Success Factors: Test of a General Theory in the Mature Industrial-Product Sector, Strategic Management Journal 10, No.10, 1989, pp. 367-382.
References
276
Steward, Kathy A., Segars, Albert H., An Empirical Examination of the Concern for Information Privacy Instrument, Information Systems Research 13, No. 1, 2002, pp. 37-49. Stratopoulos, T., Dehning, B., Does successful investment in information technology solve the productivity paradox?, Information and Management 38, No. 2, 2000, pp. 103-117. Straub, Detmar W., Welke, Richard J., Coping With Systems Risk: Security Planning Models for Management Decision Making, MIS Quarterly 22, No. 4, 1998, pp. 441-464. Strauss, Anselm, Corbin, Juliet, Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory, SAGE Publications, London, 1990, pp. 312. Summer, Charles E., Bettis, Richard A., Duhaime, Irene H., Grant, John H., Hambrick, Donald C., Snow, Charles C., Zeithaml Carl P., Doctoral Education in the Field of Business Policy and Strategy, Journal of Management 16, No. 2, 1990, pp. 361-398. Swindle, Orson, Conner, Bill, The Link Between Information Security and Corporate Governance, released May 05, 2004, Computerworld, http://www.computerworld.com/securitytopics/security/story/0,10801,92915,00.html, visited on 14. 11. 2005. Swiss Federal Department of Justice and Police, Swiss Criminal Code, 1937, in the version of 2006. Swiss Federal Government, Swiss Federal Banking Act, 1934, in the version of 2006. Swiss Federal Banking Corporation, Technical aspects of the new capital adequacy reporting form in the context of Basel II: Draft of the circular on operational risks, 2006, pp. 21. T Tarasewich, P., Nickerson, R., Warkentin, M., Issues in mobile e-commerce, Communications of the Association for Information Systems 8, 2002, pp. 41-64. Thomson, Kerry-Lynn, Von Solms, Rossouw, Information security obedience: a definition, Computers & Security 24, No.1, Elsevier, 2005, pp. 69-75. Totty, Michael, Protecting security systems from insiders, The Wall Street Journal Europe 19, No. 10, Brussels, February 13, 2006, p. 16. Tryfonas, T., Kountouzis, E. 
and Poulymenakou, A., Embedding practices at contemporary information systems development approaches, Information Management & Computer Security 9, No,4, MCB Press, 2001, pp. 183-197. Tsoukas, Haridimos, The Validity of Idiographic Research Explanations, Academy of Management Review 14, No. 4, 1989, pp. 551-561.
References
277
Tsoumas, Vassilis, Tryfonas, Theodore, From risk analysis to effective security management: towards an automated approach, Information Management & Computer Security 12, No.1, MCB Press, 2004, pp. 91-101. Tsurumi, Y., Tsurumi, H., Value-added maximizing behaviour of Japanese firms and roles of corporate investment, Colubia Journal of World Business 20, No. 1, 1985, pp. 29-35. U Ulrich, H., Management- A Misunderstood Societal Function, In: Self-Organization and Management of Social Systems, edited by Ulrich, H., Probst, Gilbert J.B., Springer-Verlag, 1984, pp. 80-94. US Commerce, Economics and Statistics Administration, Digital Economy 2003, 2003 Survey, https://www.esa.doc.gov/2003.cfm, visited on 13. 6. 2005, pp. 140. V Van de Haar, H., Von Solms, R., A Tool for Information Security Management, Information Management & Computer Security 1, No. 1, MCB Press, 1993, pp. 4-10. Venkatraman, N., Camillus, J.C., Exploring the Concept of ‘Fit’ in Strategic Management, Academy of Management Review 9, No. 3, pp. 513-525. Vergin, Roger C., Qoronfleh, M.W., Corporate Reputation and the Stock Market, Business Horizons 41, No. 1, 1998, pp. 19-26. Vermeulen, Clive, Von Solm, Rossouw, The information security management toolbox- taking the pain out of security management, Information Management & Computer Security 10, No. 3, Emerald, 2002, pp. 119-125. Vilen, Leo, The Value-Added Chain Approach as a Method of Assessing Business Strategies, Helsingin Kauppakorkeakoulun Kuvalaitos, 1991, pp. 175. Von Solms, Basie Sebastiaan H., Information Security Governance- Compliance management vs operational management, Computers & Security 24, No. 6, Elsevier, 2005, pp. 443-447. Von Solms, Basie Sebastiaan H., Information Security governance: CobiT or ISO 17799 or both?, Computers & Security 24, No. 3, Elsevier, 2005, pp. 99-104. Von Solms, Basie Sebastiaan H., Von Solms, Rossouw, From information security to…business security?, Computers & Security 24, No. 4, Elsevier, 2005, pp. 271-273. 
Von Solms, Basie Sebastiaan H., Von Solms, Rossouw, The 10 deadly sins of information security management, Computers & Security 23, No. 8, Elsevier, 2004, pp. 371-376.
References
278
Von Solms, Rossouw, Information Security Management (1): why information security is so important, Computers & Security 6, No. 4, Elsevier, 1998, pp. 174-177. Von Solms, Rossouw, Information Security Management (2): guidelines to the management of information technology security (GMITS), Computers & Security 6, No. 5, Elsevier, 1998, pp. 221-223. Von Solms, Rossouw, Information security management (3): the Code of Practice for Information Security Management (BS 7799), Computers & Security 6, No. 5, Elsevier, 1998, pp. 224-225. Von Solms, Rossouw, Information security management: why standards are important, Computers & Security 7, No. 1, Elsevier, 1999, pp. 50-57. Von Solms, Rossouw, Von Solms, Sebastiaan H., Caelli, William J., Information Security Management: A Framework for Effective Management Involvement, Information Age 22, No. 4, 1990, pp. 217-222. Von Solms, Rossouw, Von Solms, Sebastiaan H., Caelli, William J., A Model for Information Security Management, Information Management & Computer Security 1, No. 3, MCB Press, 1993, pp. 12-17. W Walsham Geoff, Interpreting Information Systems in Organizations, Wiley, Chichester, 1993, pp. 3-23. Ward, Jeremy, ‘Towards a Culture of Security’ - The OECD Information Security Guidelines, Information Security Bulletin 8, February 2003, pp. 17-19. Ward, John, Information Systems and Technology Application Portfolio Management- an Assessment of Matrix-Bases Analyses, Journal of Information Technology 3, No. 3, 1988, pp. 206-215. Warren, M., Hutchinson, W., A security risk management approach for e-commerce, Information Management & Computer Security 11, No. 5, MCB Press, 2003, pp. 238-242. Weick, Karl E., Theory Construction as Discipline Imagination, The Academy of Management Review 14, No. 4, 1989, pp. 516-531. Weill, Peter, Ross, Jeanne, A Matrixed Approach to Designing IT Governance, MIT Sloan Management Review 46, No. 2, 2005, pp. 26-34. 
Weill, Peter, Subrmani, Mani, Broadbent, Marianne, Building IT Infrastructure for Strategic Agility, MIT Sloan Management Review 44, No. 1, 2002, pp. 57-65. Weiss, Kenneth P., Data Integrity and Security: Who’s in Charge Here Anyway, Information Management & Computer Security 1, No. 4, MCB Press, 1993, pp. 4-9.
References
279
Whitman, Michael E., In defense of the realm: understanding the threats to information security, International Journal of Information Management 24, No. 1, Elsevier, 2004, pp. 43-57. Whitman, Michael E., Townsend, Anthony M., Alberts, Robert J., Information Systems Security and the Need for Policy, In: Information Security Management: Global Challenges in the New Millennium, edited by Dhillon, Gurpreet, Idea Group Publication, 2001, pp. 9-18. Willison, Robert, Backhouse, James, Re-conceptualising IS security: Insights from a criminological perspective, London School of Economics and Political Science, Working Paper Series, 132, 2005, pp. 48. Wood, Charles Cresson, Effective Information Security Management, Elsevier Advanced Technology, Oxford, 1991, pp. 235. Wright, T., Secure Digital Archiving of High-Value Data, BT Technology Journal 19, No. 3, 2001, pp. 60-66. Wylder, John, Strategic Information Security, Auerbach Publications, London, 2004, pp. 228. Y Yin, Robert K., Case Study Research: Design and Methods, Sage Publications, 2nd /3rd ed., London, 1994/2003, pp. 171/144.