The Impact of the Sarbanes-Oxley (SOX) Act on Information Security

“…Our finding strongly resonates with those reported by extant studies in this context (Doherty and Fulford, 2006;Knapp et al, 2009;Cram et al, 2017). Organisations should regularly conduct exercises and training, which can provide employees with an awareness of cyber-security (Dhillon and Backhouse, 2000;Dhillon and Mishra, 2006). Our results matched with Haeussinger and Kranz (2013), who also noted that SETA exercises are capable of improving information security through increased awareness about potential IS risks and implementable ISPs.…”

“…Therefore, managers should regularly assess the level of incumbent cyber-security and work towards continuous improvement goals (Webb et al, 2014). In this context, findings from our study echoed those reported by Boss et al (2009), Dhillon and Mishra (2006) and Herath and Rao (2009). Finally, senior managers must conduct regular evaluation of employees' compliance with those ISPs (Warkentin and Johnston, 2006a, b).…”

“…Although senior management commitment, ethical leadership and participation alone does not guarantee adequate information security at the operational, strategic compliance levels, they are strong Cyber-security at the organisational level prerequisites for active growth, execution and subsequent compliance with ISS controls (Boss et al, 2009). Therefore, ISS compliance among employees and subsequent evaluation by senior management helps to improve the effectiveness of ISS controls and supplements their presence, instead of solely depending on them (Dhillon and Mishra, 2006;Herath and Rao, 2009). Additionally, researchers noted that senior management and primary stakeholders needed good situational awareness about the incumbent IT risk levels (such as strategic, operational and financial) (Franke and Brynielsson, 2014;Dora et al, 2016), or of the external ISS background (Webb et al, 2014).…”

“…Thus, ISGs and ISS controls can also support regulatory compliance for the organisation. Finally, ISGs can support a firm to achieve ISS controls to be benchmarked and be embedded in key business processes (Dhillon and Mishra, 2006). Therefore, through the ISGs, organisations must verify whether the business goals and vision are in alignment and whether do they lead to executable IT security goals.…”

Antecedents for enhanced level of cyber-security in organisations

“…Our finding strongly resonates with those reported by extant studies in this context (Doherty and Fulford, 2006;Knapp et al, 2009;Cram et al, 2017). Organisations should regularly conduct exercises and training, which can provide employees with an awareness of cyber-security (Dhillon and Backhouse, 2000;Dhillon and Mishra, 2006). Our results matched with Haeussinger and Kranz (2013), who also noted that SETA exercises are capable of improving information security through increased awareness about potential IS risks and implementable ISPs.…”

“…Therefore, managers should regularly assess the level of incumbent cyber-security and work towards continuous improvement goals (Webb et al, 2014). In this context, findings from our study echoed those reported by Boss et al (2009), Dhillon and Mishra (2006) and Herath and Rao (2009). Finally, senior managers must conduct regular evaluation of employees' compliance with those ISPs (Warkentin and Johnston, 2006a, b).…”

“…Although senior management commitment, ethical leadership and participation alone does not guarantee adequate information security at the operational, strategic compliance levels, they are strong Cyber-security at the organisational level prerequisites for active growth, execution and subsequent compliance with ISS controls (Boss et al, 2009). Therefore, ISS compliance among employees and subsequent evaluation by senior management helps to improve the effectiveness of ISS controls and supplements their presence, instead of solely depending on them (Dhillon and Mishra, 2006;Herath and Rao, 2009). Additionally, researchers noted that senior management and primary stakeholders needed good situational awareness about the incumbent IT risk levels (such as strategic, operational and financial) (Franke and Brynielsson, 2014;Dora et al, 2016), or of the external ISS background (Webb et al, 2014).…”

“…Thus, ISGs and ISS controls can also support regulatory compliance for the organisation. Finally, ISGs can support a firm to achieve ISS controls to be benchmarked and be embedded in key business processes (Dhillon and Mishra, 2006). Therefore, through the ISGs, organisations must verify whether the business goals and vision are in alignment and whether do they lead to executable IT security goals.…”

Antecedents for enhanced level of cyber-security in organisations

“…SOX impacts various aspects of the information systems discipline, such as project management, software development, IT governance, and data monitoring [Dhillon and Mishra 2006]. The software development process is becoming more formalized with SOX [Leih 2005] because compliance needs make development more process centric and encourage organizations to follow all the controls and documentation requirements.…”

A Framework for Integrating Sarbanes-Oxley Compliance into the Systems Development Process