Whether motivated by greed, disgruntlement, or other psychological processes, this act has the greatest potential for loss and damage to the employer. We argue the focus must include not only the act and its immediate antecedents of intention (to commit computer abuse) and deterrence (of the crime), but also phenomena which temporally precede these areas. Specifically, we assert the need to consider the thought processes of the potential offender and how these are influenced by the organizational context, prior to deterrence. We believe the interplay between thought processes and this context may significantly impact the efficacy of IS security controls, specifically deterrence safeguards. Through this focus, we extend the Straub and Welke (1998) security action cycle framework and propose three areas worthy of empirical investigation – techniques of neutralization (rationalization), expressive/instrumental criminal motivations, and disgruntlement as a result of perceptions of organizational injustice – and propose questions for future research in these areas.
In this essay, we outline some important concerns in the hope of improving the effectiveness of security and privacy research. We discuss the need to reexamine our understanding of information technology (IT) and information system (IS) artefacts and to expand the range of the latter to include those artificial phenomena that are crucial to information security and privacy research. We then briefly discuss some prevalent limitations in theory, methodology, and contributions that generally weaken security/privacy studies and jeopardise their chances of publication in a top IS journal. More importantly, we suggest remedies for these weaknesses, identifying specific improvements that can be made and offering a couple of illustrations of such improvements. In particular, we address the notion of loose recontextualisation, using deterrence theory (DT) research as an example. We also provide an illustration of how the focus on intentions may have resulted in an underuse of powerful theories in security and privacy research, because such theories explain more than just intentions. We then outline three promising opportunities for IS research that should be particularly compelling to security and privacy researchers: online platforms, the Internet of things (IoT), and big data. All of these carry innate information security and privacy risks and vulnerabilities that can be addressed only by researching each link of the systems chain, that is, technologies-policies-processes-people-society-economy-legislature. We conclude by suggesting several specific opportunities for new research in these areas.
This paper critically analyses the foundations of three widely advocated information security management standards (BS7799, GASPP and SSE-CMM). The analysis reveals several fundamental problems related to these standards, casting serious doubts on their validity. The implications for research and practice, in improving information security management standards, are considered.