Applying double loop learning to interpret implications for information systems security design

Mattia, Angela; Dhillon, Gurpreet

doi:10.1109/icsmc.2003.1244262

Cited by 11 publications

(7 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Clearly, there appears to be a mismatch between the values propounded by the managers in our study and the organizational and legislative actions. In the literature this has been characterized as the mismatch between the espoused theory and theory in use (Mattia & Dhillon, 2003).…”

Section: Discussionmentioning

confidence: 99%

Value‐focused assessment of information system security in organizations

Dhillon¹,

Torkzadeh²

2006

Information Systems Journal

250

164

View full text Add to dashboard Cite

. Information system (IS) security continues to present a challenge for executives and professionals. A large part of IS security research is technical in nature with limited consideration of people and organizational issues. The study presented in this paper adopts a broader perspective and presents an understanding of IS security in terms of the values of people from an organizational perspective. It uses the value‐focused thinking approach to identify ‘fundamental’ objectives for IS security and ‘means’ of achieving them in an organization. Data for the study were collected through in‐depth interviews with 103 managers about their values in managing IS security. Interview results suggest 86 objectives that are essential in managing IS security. The 86 objectives are organized into 25 clusters of nine fundamental and 16 means categories. These results are validated by a panel of seven IS security experts. The findings suggest that for maintaining IS security in organizations, it is necessary to go beyond technical considerations and adopt organizationally grounded principles and values.

show abstract

Section: Discussionmentioning

confidence: 99%

Value‐focused assessment of information system security in organizations

Dhillon¹,

Torkzadeh²

2006

Information Systems Journal

250

164

View full text Add to dashboard Cite

show abstract

“…Lack of compliance with security policies occurs because of a number of reasons. Foremost amongst them are the inability of the policy to reflect current practices [1] and stakeholder resistance to security rules [2]. The organizational studies literature has intricately linked the concept of resistance to organizational power [3,4].…”

Section: Introductionmentioning

confidence: 99%

Organizational power and information security rule compliance

Kolkowska

Dhillon

2013

Computers & Security

View full text Add to dashboard Cite

“…In academia, the concept of single loop and double loop learning gains relevance (Hwang & Wang 2016;Reychav et al 2016;Vallerand et al 2017). With the increasing sophistication in attacks (Baskerville et al 2014), the two types of learning have become essential in firms (Ahmad et al 2012): Organizations need both single loop and double loop learning to secure their systems (Mattia & Dhillon 2003). In the literature, organizational learning in the information security context is present as described (Ahmad et al 2015;Schlienger & Teufel 2005).…”

Section: Investmentsmentioning

confidence: 99%

Information security investments: An exploratory multiple case study on decision-making, evaluation and learning

Weishäupl

Yasasin

Schryen

2018

Computers & Security

View full text Add to dashboard Cite

The need to protect resources against attackers is reflected by huge information security investments of firms worldwide. In the presence of budget constraints and a diverse set of assets to protect, organizations have to decide in which IT security measures to invest, how to evaluate those investment decisions, and how to learn from past decisions to optimize future security investment actions. While the academic literature has provided valuable insights into these issues, there is a lack of empirical contributions. To address this lack, we conduct a theory-based exploratory multiple case study. Our case study reveals that (1) firms' investments in information security are largely driven by external environmental and industry-related factors, (2) firms do not implement standardized decision processes, (3) the security process is perceived to impact the business process in a disturbing way, (4) both the implementation of evaluation processes and the application of metrics are hardly existent and (5) learning activities mainly occur at an ad-hoc basis.

show abstract

Applying double loop learning to interpret implications for information systems security design

Cited by 11 publications

References 3 publications

Value‐focused assessment of information system security in organizations

Value‐focused assessment of information system security in organizations

Organizational power and information security rule compliance

Information security investments: An exploratory multiple case study on decision-making, evaluation and learning

Contact Info

Product

Resources

About