

Why there aren’t more information security research studies

Andrew G. Kotulic a, Jan Guynes Clark b,*

a Kent State University, Kent, OH, USA
b Department of Information Systems, The University of Texas at San Antonio, 6900 N. Loop 1604 West, San Antonio, TX 78249, USA

Abstract

Noting a serious lack of empirical research in the area of security risk management (SRM), we proposed a conceptual model based on the study of SRM at the firm level. Although considerable time and effort were expended in attempting to validate the usefulness of the proposed model, we were not successful. We provide here a description of our conceptual model, the methodology designed to test this model, the problems we faced while attempting to test the model, and our suggestions for those who attempt to conduct work in highly sensitive areas.

© 2003 Elsevier B.V. All rights reserved.

Keywords: Security; Risk; Security risk management; IT strategy

1. Introduction

Organizations are faced with an extremely complex information security environment, dealing with such issues as open systems, the IT platform, strategic exploitation of electronic integration, network interconnectivity, etc. They are attempting to learn to manage the complexities of the components of the IT platform while integrating it with the firm’s strategies. Since top management teams (TMTs) are incorporating IT in their business strategies, making strategic decisions under varying levels of uncertainty, IT security and business and strategic risks must be considered. But there are multiple tradeoffs, priority concerns, and multiple consequences that should be addressed during the decision-making process [2].

The majority of the relevant literature is based on opinion, anecdotal evidence, or experience. Straub and Welke [60] addressed the multi-faceted nature of information security risk at the firm level using a “deterrence theory” based comparative qualitative study in two Fortune 500 information services firms. A major conclusion was that managers do not have a good security planning process, but if exposed to one, they would employ it. Consequently, we have proposed a conceptual model based on sound theoretical considerations that should prove beneficial for the study of the SRM program process.

2. Research framework

Recent empirical research suggests that the downside nature of risk is a major factor in determining risky decision-making behavior by firm executives [58]. Additionally, managers involved in the same decision-making process view the magnitude of the risks differently [36].

Our purpose was to create and test a conceptual model of SRM program effectiveness. We drew heavily from the works of Jarvenpaa and Ives [34,35], DeLone and McLean [16], Suh et al. [62], and Shirani et al. [32,67] to derive a conceptual model (Fig. 1). These studies all focused on measures of IS success.

Information & Management 41 (2004) 597–607

* Corresponding author. Tel.: +1-210-458-5244; fax: +1-210-458-6305. E-mail address: [email protected] (J.G. Clark).

0378-7206/$ – see front matter © 2003 Elsevier B.V. All rights reserved.

doi:10.1016/j.im.2003.08.001

In order to operationalize the conceptual SRM program model we incorporated a commonly held definition: risk is the perceived extent of possible loss [14]. Dean contends that possibility is more closely related to thought and perceptions than probability, and further contends that managers’ perceptions of risk are the basis of firm risk management. This parallels the notion put forth by Bodeau [4] in the development of disclosure risk for information systems.

Historically, threats and vulnerabilities have not been considered until after a security breach had occurred. The goal of risk management is to maximize possible gain while minimizing possible loss. The risk management process must be a cost-effective, non-technology driven, value creation process that contributes to the overall effectiveness of the organization [34,67]. However, adoption of the risk management perspective does not drive the level of security risk to zero. There is generally some degree of risk, regardless of the action or decision [70].

The increased importance of information, and the potential business risks associated with its disclosure, modification, unavailability or destruction, intensify the potential business impact of a security breach. One must also focus on human issues. People impact security risk in two major ways: they cause information security breaches [33] and make risky decisions that impact an organization’s response to threats [45].

2.1. Organization characteristics

Our study emphasized the importance of managerial interpretation and strategic choice. The TMT of organizations is responsible for obtaining information for the strategic decisions that all organizations are required to execute [11]. These managers collect and interpret information from many different internal and external sources. Therefore, their perceptions can be used to help in analyzing their actions [10,48].

Strategic applications of IT carry with them the potential for new risks [33]. Thus firms that rely heavily on IT resources must deal with potentially higher levels of risk than firms with less dependence. Additionally, TMT perceptions about potential security risks influence what they desire from their SRM program.

2.1.1. SRM program posture

Content analysis was conducted on literature published after 1980 to extract major suggestions about material to be included in a corporate level SRM program. We assumed that different configurations could be identified. The program construct was operationalized using posture as the surrogate. The measures were selected to position the posture along a hard ↔ soft continuum, based on:

(1) governance—centralized/shared/distributed,
(2) countermeasures—reactive/pro-active,
(3) structure—centralized/decentralized, and
(4) policy and procedures—formalized/casual.

This approach is similar to that used in predicting business performance/effectiveness using the Miles and Snow typology [20,28,57,73].

Fig. 1. Conceptual model of SRM program effectiveness.

The governance of IT resource security may be centralized, shared between the central authority and the user or group [3], or totally distributed [25,65]. It may even be under the management of people who lack the knowledge required to manage it [17].

The common definition of countermeasures is the identification of threats [24]. We took a holistic approach and defined them as an array of organizational devices to deter, prevent, or detect security breaches. Examples include penetration teams, quick reaction teams, and utilization of Internet security resources. The structural imperatives identified for IS organizations may be necessary for an effective security organization [53]. There is general agreement that organizations need a “security policy” [39,59]. However, exactly what should be included in it seems to be an elusive aspect of SRM programs.

2.1.2. IT resource posture

There are several theoretical frameworks that view the IT resource in a broad context [1,42,51]. For this study, IT resource posture includes all of the technologies, capabilities, data and information, and how and why they are being deployed. We operationalized the posture using electronic integration (EI) and reach and range.

We used the Venkatraman [68,69] model of electronic integration, which identifies the role of business networks linking enterprises along a continuum of the “unstructuredness” of the information being transmitted. The range extends from low (transactions) to high (knowledge) and captures the concepts of “connectivity” and “the networked business organization.” Keen [37] discussed reach and range of the IT platform. Range is the level of information that is accessible across the IT platform; reach is the level of connectivity of the platform.

2.1.3. Organization posture

There are many organization structure typologies for capturing the dimensions of an organization. Formalization, integration, and centralization have been identified [47]. Powell [52] contends that due to social, economic, technical and managerial factors, the dynamics of team-based organizations have moved organizations beyond their boundaries. Therefore, any attempts to identify them using existing techniques will fail. We argue that flexible organizations are more likely to have more effective SRM programs.

For our study, we broadly defined organizational posture as the structural and contextual dimensions that together identify the internal characteristics and settings that identify unique organizational properties. We selected Miles and Snow’s [46] “strategic archetype” and Covin and Slevin’s [9] “structure” concepts as the dimensions most suitable to form a parsimonious set to measure the construct.

2.1.4. Contextual factors

A major premise in organization science has been the concept of fit. Thompson [64] postulated that organizations must exhibit characteristics of internal fit (their processes and organizational structures must be internally consistent) and must also be suitable to contend with key environmental contingencies. Nadler and Tushman [49] defined fit as the degree of consistency of structure, needs, goals, demands, and objectives among components. Organizations must achieve a fit or performance will suffer [26,27,73]. Jarvenpaa and Ives [34,35] view fit and flexibility as complementary to each other and stress the importance of the external/internal fit perspective.

A major premise of our study was that there is a direct relationship between the business risk level and the current firm concern about security risk. If there is a lack of communication between management and the security function, the overall SRM program effectiveness may be negatively impacted.

Size is important in strategy and MIS success (cf. [13,21]). There are many different ways in which it has been measured (e.g., number of employees, sales, etc.), but two measures were determined to be the most suitable when testing hypotheses related to the actual performance of the SRM program: number of employees/computer users and the installed IT platform. Industry is another variable used in organizational research. We used the primary and secondary industry sectors within which the firms operate.

2.2. Management characteristics

There is a strong theoretical and empirical basis for focusing on the top management team characteristics, their influence on content and process issues, and the role of the group dynamic in the decision-making process [6,29,30]. There may be differences in managerial attitudes and perceptions toward security risks, and they may influence management choices relative to the appropriate security measures required. Perceived risk is another significant issue. Managers may be classified as risk takers or risk avoiders relative to business and security risk [41]. We used these concepts to operationalize the construct in order to identify how these attitudes and perceptions influenced their SRM program choices [27,40].

2.3. Executive management support

The concept of executive management support being a necessary condition for successful implementation of IT is well known [15,38,71]. Jarvenpaa and Ives [34,35] focused on the role of the CEO. They made a distinction between involvement and participation when testing the relationship between executive support and the progressive use of IT in the firm. For our study, the same distinction was used. Involvement was defined as the importance placed on the security risk management program by top management; participation was the executive activities or substantive personal interventions in the management of the security risk management program. We hypothesized that executive management involvement is a necessary condition for the successful implementation of an SRM program within an organization.

2.4. SRM program effectiveness

DeLone and McLean [16] classified IS success measures into six categories. Their model of IS success shows use and user satisfaction as being interdependent. Suh et al. [62] suggested that when IS use is employed as a surrogate for benefits from use, success seems to be equated with high-usage systems; net benefits result from system use. This is similar to an SRM program. The organizational net benefits should flow from the program and therefore be an important determinant of the success of the system. The DeLone and McLean model was later extended by Seddon [54], who identified perceived usefulness and user satisfaction as measures of the net benefits of past IS use. In our study, perceived usefulness and net benefits were employed as measures for program effectiveness.

2.4.1. The confirmation/disconfirmation paradigm

Oliver [50] suggests that consumers form pre-purchase expectations of performance. When these expectations are compared with actual performance, there are three possible results: (1) there is no difference between actual and expected performance, a neutral result; (2) actual performance is greater than expectations, resulting in a positive disconfirmation, i.e., satisfaction; or (3) actual performance is less than expectations, with negative disconfirmation, and dissatisfaction.

Suh et al.’s [62] model introduced the concept of desired expectations as a substitute for expectation/anticipation in the disconfirmation of expectation paradigm. Shirani et al. [56] developed a broadly based explanatory model of user information satisfaction, incorporating this paradigm of Oliver. This model provides a new approach to understanding the process and variables that are ultimately responsible for user information satisfaction. They provide support for the position that it is important to account for contextual factors and processes if one is investigating issues associated with IS success.

2.5. Research hypotheses

We elected to test only a portion of the model at first. Additionally, it is best to focus on portions of the model that have the most empirical support, rather than new constructs. Therefore, the following hypotheses were proposed:

H1. Executive management involvement in the SRM program is positively related to the perceived usefulness of the SRM program.

H2. Executive management involvement in the SRM program is positively related to the perceived employee compliance with the SRM program.

H3. Executive management participation in the SRM program is negatively related to the perceived usefulness of the SRM program.

H4. Executive management participation in the SRM program is negatively related to the perceived employee compliance with the SRM program.

H5. The security breach severity level is negatively related to the perceived usefulness of the SRM program.

H6. The security breach severity level is negatively related to the perceived level of employee compliance with the SRM program.

H7. The magnitude of actual security breach costs is negatively related to the perceived usefulness of the SRM program.

H8. The magnitude of security breach costs is negatively related to the perceived level of employee compliance with the SRM program.

H9. The effectiveness of the SRM program is positively related to the level of positive disconfirmation between desired performance and actual performance.

3. Research methodology

Our original research strategy included a planned preliminary field study at two firms with a security risk management program in place for at least 1 year. This field study was to be used as a pilot test to refine the research instruments. Focused interviews were to be analyzed using an open coding procedure to screen for the emergence of unanticipated characteristics. Based on the outcome of the two analyses, additional firm sites were to be used to further refine the construct measures. The finalized instruments were then to be sent to a sample of firms selected from the total population of firms. The process follows Churchill’s [8] research paradigm for the development of construct measures.

3.1. The sample

The sample of organizations was extracted from a heterogeneous industry population of US firms. We aimed toward generalizability and maintaining an acceptable level of precision in control and measurement of the variables [44]. Survey instruments were designed for the CEO and one TMT member of each of the firms. Since high rates of non-response to surveys are normal, we hoped for a 20% return, requiring 500 surveys being mailed for 100 usable responses. We employed Tomaskovic-Devey et al.’s [66] suggested methodology for reducing non-response.

3.2. The survey instrument

Since our study used several measures that had not been validated, the full Churchill research paradigm model had to be followed. As one of our major goals was to gain an understanding of the nature of the constructs and their relationships in the conceptual research model [55,61], these steps had to be employed to ensure proper interpretation of the findings. Two questionnaires were constructed for the pilot test. The first questionnaire was divided into two sections: one for the highest-ranking security official (CSO), the other for the highest-ranking IS official (CIO). The second questionnaire was intended for other high-ranking members of the TMT.

The research strategy relied upon both multi- and single-respondents from each firm, aggregating results to develop a firm level measure for analysis. The CEO and at least one other member of the TMT were to be surveyed. Since members of the TMT deal with a variety of business risks [12], they may perceive organizational outcomes differently [5,43]. However, if only the CEO response was received, we considered that sufficient, since CEOs are supposed to define the strategy and also determine the risk taking nature of IT in the firm [31].

The instruments were pre-tested on a convenience sample of Management and Management Information Systems faculty members at two geographically dispersed universities. We relied upon the instrument review methodology employed by Chan and Huff [7]. Faculty panels were asked to comment on the construct definition, the suitability of the operationalization (the dimensions) and the questions used to measure the dimensions. The responses were used to modify and refine the instruments. The plan was to pilot test the refined instrument with a sample of two firms with known mature security risk management cultures. A convenience sample of firms was identified and five firms agreed to take part in the pilot test before seeing the questionnaires.

After an in-depth analysis of the data collected at the model firm sites, a decision was to be made on the desirability of further field studies at more sites. The additions were to be drawn from the original five firms. Such process steps are similar to those used in a multi-case methodology used by several researchers [22,23]. This methodology utilizes replicative logic [72], where cases are treated as a series of separate experiments that are used to confirm or reject the inferences that the researcher extracted from all those previously conducted. Additionally, multiple data sources are employed for each case. For example, the Eisenhardt studies used CEO interviews, TMT semi-structured interviews, TMT questionnaires, and secondary archival data sources.

The pilot test data was to be put through an extensive data screening and purification process, as outlined by Tabachnick and Fidell [63]. A combination of factor analysis and coefficient alpha was to be used for this operation.

3.3. The pilot study

We provided a research study proposal to the original five firms with copies of the preliminary questionnaires. They were asked to give the self-report questionnaires to the designated managers and to expect follow-up interviews in order to improve the relevance, clarity, and content of the questions. The organizations were told that, upon completion of the study, they would receive an executive review profiling their firm, enabling them to make comparisons with others in the same industry. Finally, they were told that organization and/or individual identity would not be revealed. Unfortunately, after reviewing copies of the preliminary questionnaires, all of the original five firms declined to continue.

After being rejected by them, we identified 38 potentially suitable organizations for the pilot study. We relied upon various methods, including colleague and insider referrals and introductions, contacting professional organizations that had sponsored, supported, or published information security surveys, contacting leading security industry firms, contacting consulting firms with a visible presence in information security, contacting several governmental organizations, and making a presentation at a USENIX security symposium in order to solicit support. Although we had a series of meetings with IS and security personnel at several firms, and made a presentation via teleconferencing to high-level managers at several locations of a government organization, we were not successful. Eighteen months after the preliminary research instruments were finalized, the pilot test stage was terminated. At that time, 42 of the 43 organizations contacted refused to take part in the field study. The net result of this activity was that one firm agreed to participate, responded to the questionnaires, and allowed the necessary interviews to take place. The reasons given by the 42 firm representatives that refused to take part in the pilot test are shown in Table 1. As reported, the major problem was the need to concentrate on Y2K problems. Many individuals were concerned that this type of study might lead to problems with negative consequences for them.

Our pilot study organization is a leading firm in the security industry. In order for them to participate, we had to agree to allow one of their employees to conduct the interviews. The participation of this firm, and their assigned interviewer, proved extremely beneficial in developing the finalized research instruments. The CIO, CSO, two TMT members, and a second CSO/CIO questionnaire provided information about the content and structure of the research instruments.

Table 1
Pilot test firm data

Reason for refusal                                          Number      %
Y2K issues require total focus of organization                  15   35.7
Job security issues                                              6   14.3
Do not have a formal program                                     5   11.9
Top management would want explanations                           5   11.9
Top management too busy                                          3    7.0
Recently failed security audit                                   2    4.8
Do not participate in this type of academic research             2    4.8
No reason given                                                  2    4.8
Information security program details classified sensitive        1    2.4
Lost time cost                                                   1    2.4
Total                                                           42  100.0

3.4. Research instrument and sample selection modifications

The content and structure of the research instruments were modified. The original two questionnaires were divided into four questionnaires designated for the CIO, CSO, a member of the TMT and a functional level manager. This move was taken in order to reduce the time required for each participant to complete the questionnaire and to ensure privacy (so that other firm members would not see the CIO and CSO responses). In order to further reduce the response time, all questions used to measure the SR knowledge and awareness of firm management were eliminated. Additionally, all questions involving quantitative information for the actual performance of the SRM program and that required quantitative or qualitative answers for the desired performance of the SRM program were eliminated. Finally, the wording of several questions was modified to increase their clarity. We attempted to eliminate as many sections of the questionnaire as possible, especially those that were considered highly intrusive or would require the complete Churchill pre-test process to validate. The university research center’s name was prominently displayed on the cover page of every questionnaire to enhance the professional appearance of the instruments and to help establish researcher credibility.

Feedback during the pilot test led us to believe that firm size was a major selection factor in tapping organizations with an established security risk management program. The discussions indicated that organizations with more than 500 employees could afford the costs of formal information security programs and would be likely to have assigned security and/or risk management personnel. The original goal was to obtain about 100 usable firm survey responses from an initial mailing to 500 firms. However, following the pilot study, we estimated that we would require a mailing of between 1200 and 1600 firm questionnaires to provide such a number of useful responses. A cross section of 1500 firms was selected from a database of 5001 US businesses with 500 or more employees.

Results of the pilot test and prior research [18] reinforced the importance of rewards and trust. The revised cover letter addressed concerns related to trustworthiness of the researchers and expected time for completion. Token incentives have also been suggested as effective in increasing the potential response rate. As a result, we included customized business card size magnets, containing the slogan “practice safe computing”.

4. Response rate

Each survey package contained a cover letter addressed to the CEO or COO of the firm, four questionnaires, five tokens of appreciation and four self-addressed return envelopes. Follow-up letters were sent out to firms that did not return at least one questionnaire within 4–6 weeks after the initial package was sent out. The letter contained an appeal for participation and offered an executive summary report profiling the firm if all four questionnaires were returned. A different follow-up letter was sent out 2–4 weeks after a firm returned at least one questionnaire. This package contained supplemental questionnaires to replace those that had not been returned and additional postage paid return envelopes. In spite of these efforts, we obtained too few responses to conduct any statistically meaningful parametric or non-parametric tests.

We sent out 1540 complete research packages; 66 were returned with no means of resolution, resulting in 1474 possible respondents. Of those, only 23 firms returned at least one of the four questionnaires: a response rate of 1.6%. In total, 67 questionnaires were returned: 18 CSO, 18 CIO, 16 TMT, and 15 functional managers. Of the 23 responding firms, nine returned all four questionnaires, four returned three questionnaires, nine returned two questionnaires and one returned one questionnaire. The nine firms that submitted the four questionnaires represent a firm response rate of 0.61%.

5. Non-response

Throughout data collection, many telephone conversations and e-mail exchanges were made with CIOs, CSOs and risk managers on the goals of the research study, the makeup of the questionnaires, and the researchers’ credentials. In one instance, one of the researchers was informed that his credentials had been reviewed with a third party, because the organization was concerned that he might be practicing “social engineering” techniques to gain information about the firm’s SRM program countermeasures.

Because of our extremely poor response rate, we attempted to determine the specific reason(s) that firms would not take part in the study. We modified Dillman's [19] list of reasons why individuals and organizations do not respond to mail surveys and added some based on our experience, resulting in a 17-item questionnaire. This was sent to the approximately 1400 firms that had not returned at least one of the original survey questionnaires. Seventy-four firms responded, via e-mail, telephone conversations, or the returned questionnaire (see Table 2), a response rate of approximately 5.1%. The top four reasons for not responding to the original survey were related to surveys in general (items 3 and 4), company policy on sharing security information (item 11), and the demands on management time (item 13). Interestingly, although several sources have suggested that firm identification is a major reason that firms do not take part in mail survey research, 47.3% of the responding firms identified themselves on this questionnaire.

6. Lessons learned

Information security research is one of the most intrusive types of organizational research, and there is undoubtedly a general mistrust of any "outsider" attempting to gain data about the actions of the security practitioner community. In spite of all our efforts, we failed to achieve anywhere near an acceptable response rate. We conclude that it is nearly impossible to extract information of this nature by mail from business organizations without having a major supporter.

We do not propose the use of mass mailings of survey instruments when attempting to collect data of a sensitive nature. Firms are unwilling to divulge such information without strong assurances that the information provided will in no way harm them, even though it could provide insight into how to improve their organization.

Table 2
Non-response feedback from 74 firms. Firms could give more than one reason, so the 128 responses exceed the number of firms and the percentages (of 74 firms) do not sum to 100.

Item  Reason                                                                                                      Number      %
  1   The organization does not accept unsolicited submissions of any ideas or materials                               5    6.8
  2   The request did not comply with our established policies for survey requests                                     0     NA
  3   Due to the large volume of survey requests we receive, our policy is not to participate in any surveys          19   25.7
  4   Due to the large volume of survey requests we receive, we cannot participate in every one we receive            22   29.7
  5   The corporate headquarters is responsible for such decisions and the survey was forwarded there                  4    5.4
  6   Temporary issues (company being sold/reorganization is in progress)                                              6    8.1
  7   The university sponsor for the research study cannot provide legal confidentiality protection                    1    1.4
  8   The use of individual identification numbers on the questionnaires could be used to reveal responses
      by an individual or by the organization                                                                          3    4.1
  9   The questionnaires contain some questions that require answers that would reveal proprietary information         7    9.5
 10   The questionnaires contain many questions that would require checking company records                            3    4.1
 11   We do not share any information about our computer security policies with outside entities                      17   23.0
 12   Our management team is too busy to spend time filling out any survey questionnaires                              9   12.2
 13   The time of our management team is valuable and we decided that the benefits received for the time
      expended were not adequate to participate in the research project                                               17   23.0
 14   Company security policies prevent complete answers to some of the requested information                          7    9.5
 15   Company policy prevents revealing any demographic information about our management team                          4    5.4
 16   Company policy prevents revealing information about management, team business philosophy, or internal actions    3    4.1
 17   Other                                                                                                            1    1.4
      Total                                                                                                          128

Time is far better spent focusing on a few select firms with whom the researcher has developed excellent rapport and trust. Straub and Welke [60] were able to obtain rather detailed information from their two-firm comparative study. They attributed this to their well-developed consulting relationship with the firms: they had signed non-disclosure agreements protecting the identity of the firms, and both firms read, discussed, and approved the written results before they were submitted to an academic journal.

We learned, the hard way, that developing a research stream in an emerging, organization-sensitive area requires major personal, financial and professional commitments far beyond what most researchers can afford to expend. The total cost of the research project, the time expended, and the professional tradeoffs have far exceeded our original estimates. The project scope was also too large. We suggest a slow, cautious approach for studies that are either under-researched or of a sensitive nature; our study had both characteristics.

An indirect contribution of the study is the information obtained from those who were willing to discuss their reasons for not participating. This feedback should prove beneficial to anyone planning to investigate organizational security issues.

We have provided a theoretical model to study the process that leads to effective SRM programs. The model includes desired expectations in an IS area outside the end-user computing (EUC) domain and incorporates the role of executive management support. The framework should give the academic community additional insight to aid research in other aspects of IS/IT that require performance metrics when viewed from a socio-technical perspective.

The process of developing and implementing an SRM program is time sensitive. To explore that process, some form of longitudinal research is appropriate, and we propose case study research as a suitable methodology.

The organizational-level information security domain is relatively new and under-researched. In spite of this, it may prove to be one of the most critical areas of research for supporting the viability of the firm. Although we were not able to collect enough data for statistical significance, our research provides a starting point for the development of theory-based guidelines for managing the SRM program process. We feel it is imperative for organizations to obtain a better understanding of how organizational context, the deployed IT resource, and the propensity for risk affect the overall effectiveness of the information security program within the organization.

References

[1] L.M. Applegate, J.J. Elam, New information systems leaders: a changing role in a changing world, MIS Quarterly 16, 1992, pp. 469–489.

[2] S.L. Barton, P.J. Gordon, Corporate strategy: useful perspective for the study of capital structure? Academy of Management Review 12 (1), 1987, pp. 67–75.

[3] F. Bergeron, C. Berube, End users talk computer policy, Journal of Systems Management 41 (12), 1990, pp. 14–32.

[4] D.J. Bodeau, A conceptual model for computer risk analysis, in: Proceedings of the 8th Annual Computer Security Applications Conference, IEEE Press, New York, 1992, pp. 56–63.

[5] L.J. Bourgeois, Strategic goals, perceived uncertainty, and economic performance in volatile environments, Academy of Management Journal 28, 1985, pp. 548–573.

[6] B.S. Chakravarthy, Y. Doz, Strategy process research: focusing on corporate self-renewal, Strategic Management Journal 13, 1992, pp. 5–14.

[7] Y.E. Chan, S.L. Huff, The development of instruments to assess information systems and business unit strategy and performance, in: N. Venkatraman, J. Henderson (Eds.), Research in Strategic Management and Information Technology, vol. 1, JAI Press, Greenwich, CT, 1994.

[8] G.A. Churchill, A paradigm for developing better measures of marketing constructs, Journal of Marketing Research 16 (1), 1979, pp. 64–73.

[9] J.G. Covin, D.P. Slevin, The influence of organization structure on the utility of an entrepreneurial top management style, Journal of Management Studies 23 (3), 1988, pp. 217–234.

[10] R.M. Cyert, J.G. March, A Behavioral Theory of the Firm, Prentice-Hall, Englewood Cliffs, NJ, 1993.

[11] R.L. Daft, K.E. Weick, Toward a model of organizations as interpretation systems, Academy of Management Review 9, 1984, pp. 284–295.

[12] R.L. Daft, J. Sormunen, D. Parks, Chief executive scanning, environmental characteristics, and company performance: an empirical study, Strategic Management Journal 9, 1988, pp. 123–139.

[13] F. Damanpour, Organizational innovation: a meta-analysis of effects of determinants and moderators, Academy of Management Journal 34 (3), 1991, pp. 555–590.

[14] E.B. Dean, Risk: from the perspective of competitive advantage, retrieved from the World Wide Web, July 1996, http://dfac.larc.nasa.gov/dfc/rsk.html.

[15] W.H. DeLone, Determinants of success of computer usage in small business, MIS Quarterly 12 (1), 1988, pp. 51–61.

[16] W.H. DeLone, E.R. McLean, Information systems success: the quest for the dependent variable, Information Systems Research 3 (1), 1992, pp. 60–95.

[17] H.B. DeMaio, Open systems security and the art of random juggling, Information Systems Security 4, 1995, pp. 7–11.

[18] D.A. Dillman, Mail and Telephone Surveys: The Total Design Method, Wiley, New York, 1978.

[19] D.A. Dillman, Mail and Internet Surveys: The Tailored Design Method, second ed., Wiley, New York, 2000.

[20] D.H. Doty, W.H. Glick, G.P. Huber, Fit, equifinality, and organizational effectiveness: a test of two configurational theories, Academy of Management Journal 36, 1993, pp. 1196–1250.

[21] P. Ein-Dor, E. Segev, Organizational context and the success of management information systems, Management Science 24 (10), 1978, pp. 1067–1077.

[22] K.M. Eisenhardt, Better stories and better constructs: the case for rigor and comparative logic, Academy of Management Review 16 (3), 1991, pp. 620–627.

[23] K.M. Eisenhardt, L.J. Bourgeois, Politics of strategic decision making in high velocity environments: toward a midrange theory, Academy of Management Journal 31 (4), 1988, pp. 737–770.

[24] J.H.P. Eloff, L. Labuschagne, K.P. Badenhorst, A comparative framework for risk analysis methods, Computers & Security 12, 1993, pp. 597–603.

[25] J. Frank, Quality control of personnel computing, Journal of Systems Management 39 (12), 1988, pp. 32–39.

[26] J.R. Galbraith, R. Kazanjian, Strategy Implementation: Structure, Systems, and Process, second ed., West Publishing, St. Paul, MN, 1986.

[27] D.L. Goodhue, D.W. Straub, Security concerns of system users: a study of perceptions of the adequacy of security, Information & Management 20 (1), 1991, pp. 13–27.

[28] D.C. Hambrick, An empirical typology of mature industrial-product environments, Academy of Management Journal 26 (2), 1983, pp. 213–230.

[29] D.C. Hambrick, The top management team: key to strategic success, California Management Review 30 (1), 1987, pp. 88–108.

[30] D.C. Hambrick, P. Mason, Upper echelons: the organization as a reflection of its top managers, Academy of Management Review 9 (2), 1984, pp. 193–206.

[31] S. Hart, An integrative framework for strategy-making processes, Academy of Management Review 17, 1992, pp. 327–351.

[32] S. Hill, M. Smith, Risk management and corporate security: a viable leadership and business solution designed to enhance corporations in the emerging marketplace, Computers & Security 14, 1995, pp. 199–204.

[33] J. Hitchings, Deficiencies of the traditional approach to information security and the requirements for a new methodology, Computers & Security 14, 1995, pp. 377–383.

[34] S.L. Jarvenpaa, B. Ives, Executive involvement and participation in the management of information technology, MIS Quarterly 15 (2), 1991, pp. 205–227.

[35] S.L. Jarvenpaa, B. Ives, Organizational fit and flexibility: IT design principles for a globally competing firm, in: N. Venkatraman, J. Henderson (Eds.), Research in Strategic Management and Information Technology, vol. 1, JAI Press, Greenwich, CT, 1994.

[36] D. Kahneman, A. Tversky, Variants of uncertainty, Cognition 11, 1982, pp. 143–157.

[37] P.G.W. Keen, Shaping the Future: Business Design Through Information Technology, Harvard Business School Press, Boston, MA, 1991.

[38] D. Leonard-Barton, I. Deschamps, Managerial influence in the implementation of new technology, Management Science 34 (10), 1988, pp. 1252–1265.

[39] K.R. Lindup, A new model for information security policies, Computers & Security 14, 1995, pp. 691–695.

[40] K.R. MacCrimmon, D.A. Wehrung, Taking Risks: The Management of Uncertainty, Free Press, New York, 1986.

[41] K.R. MacCrimmon, D.A. Wehrung, Characteristics of risk taking executives, Management Science 36 (4), 1990, pp. 422–435.

[42] S.E. Madnick, The information technology platform, in: M.S. Scott Morton (Ed.), The Corporation of the 1990s: Information Technology and Organizational Transformation, Oxford University Press, New York, 1991.

[43] D.L. McDade, The assessment of perceived environmental uncertainty and economic performance, Human Relations 43, 1990, pp. 1203–1218.

[44] J.E. McGrath, Dilemmatics: the study of research choices and dilemmas, in: J.E. McGrath, J. Martin, R.A. Kulka (Eds.), Judgment Calls in Research, Sage, Beverly Hills, CA, 1982.

[45] R.E. McGaughey Jr., C.A. Snyder, H.H. Carr, Implementing information technology for competitive advantage: risk management issues, Information & Management 26 (5), 1994, pp. 273–280.

[46] R.E. Miles, C.C. Snow, A.D. Meyer, H.J. Coleman, Organizational strategy, structure, and process, Academy of Management Review 3 (3), 1978, pp. 546–562.

[47] D. Miller, C. Droge, J. Toulouse, Strategic process and content as mediators between organizational context and structure, Academy of Management Journal 31 (3), 1988, pp. 544–569.

[48] H. Mintzberg, Patterns in strategy formation, Management Science 24 (9), 1978, pp. 934–948.

[49] D.A. Nadler, M.L. Tushman, A congruence model for diagnosing organizational behavior, in: R. Miles (Ed.), Resource Book in Macro Organizational Behavior, Goodyear, Santa Clara, CA, 1980.

[50] R.L. Oliver, A cognitive model of the antecedents and consequences of satisfaction decisions, Journal of Marketing Research 17 (4), 1980, pp. 460–469.

[51] M.E. Porter, V.E. Millar, How information gives you competitive advantage, Harvard Business Review 63 (4), 1985, pp. 149–160.

[52] P. Powell, Beyond networking: the rise of the nebulous organization, European Management Journal 10 (3), 1992, pp. 352–356.

[53] J.F. Rockart, M.J. Earl, J.W. Ross, IT in the 1990s: managing organizational interdependence, Sloan Management Review 30 (2), 1996, pp. 7–17.

[54] P.B. Seddon, A respecification and extension of the DeLone and McLean model of IS success, Information Systems Research 8 (3), 1997, pp. 240–253.

[55] V. Sethi, W.R. King, Construct measurement in information systems research: an illustration in strategic systems, Decision Sciences 22 (3), 1991, pp. 455–472.

[56] A. Shirani, M. Aiken, B. Reithel, A model of user information satisfaction, Data Base 25 (4), 1994, pp. 17–23.

[57] S.M. Shortell, E.J. Zajac, Perceptual and archival measures of Miles and Snow's strategic types: a comprehensive assessment of reliability and validity, Academy of Management Journal 33 (4), 1990, pp. 817–832.

[58] S.B. Sitkin, L.R. Weingart, Determinants of risky decision-making behavior: a test of the mediating role of risk perceptions and propensity, Academy of Management Journal 38 (6), 1995, pp. 1573–1592.

[59] D.F. Sterne, On the buzzword "security policy", in: Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy, 20–22 May, Oakland, CA, IEEE Computer Society Press, Los Alamitos, CA, 1991, pp. 219–230.

[60] D.W. Straub, R.J. Welke, Coping with systems risk: security planning models for management decision-making, MIS Quarterly 22 (4), 1998, pp. 441–469.

[61] A. Subramanian, S. Nilakanta, Measurement: a blueprint for theory-building in MIS, Information & Management 26 (1), 1994, pp. 13–20.

[62] K. Suh, S. Kim, J. Lee, End-users' disconfirmed expectations and the success of information systems, Information Resources Management Journal 7 (4), 1994, pp. 30–39.

[63] B.G. Tabachnick, L.S. Fidell, Using Multivariate Statistics, second ed., Harper & Row, New York, 1989.

[64] J.D. Thompson, Organizations in Action: Social Science Bases of Administrative Theory, McGraw-Hill, New York, 1967.

[65] H. Tipton, Liability of corporate officers for security problems, Computer Security Journal 10 (1), 1994, pp. 59–69.

[66] D. Tomaskovic-Devey, J. Leiter, S. Thompson, Organizational survey nonresponse, Administrative Science Quarterly 39, 1994, p. 439.

[67] E.G. Troy, A rebirth of risk management, Risk Management 42 (7), 1995, pp. 71–73.

[68] N. Venkatraman, The concept of fit in strategy research: toward verbal and statistical correspondence, Academy of Management Review 14 (3), 1989, pp. 423–444.

[69] N. Venkatraman, IT-enabled business transformation: from automation to business scope redefinition, Sloan Management Review 35 (2), 1994, pp. 73–87.

[70] F. Wharton, Risk management: basic concepts and general principles, in: J. Ansell, F. Wharton (Eds.), Risk: Analysis, Assessment and Management, Wiley, London, 1992.

[71] C.S. Yap, C.P.P. Soh, K.S. Raman, Information systems success factors for small business, OMEGA International Journal of Management Science 20 (5/6), 1992, pp. 597–609.

[72] R.K. Yin, Case Study Research: Design and Methods, vol. 5, Sage, Newbury Park, CA, 1989.

[73] E.J. Zajac, S.M. Shortell, Changing generic strategies: likelihood, direction, and performance implications, Strategic Management Journal 10, 1989, pp. 413–430.

Andrew G. Kotulic is an Assistant Professor of Information Architecture and Knowledge Management in the Department of Management and Information Systems at the College of Business Administration, Kent State University. He received his PhD from the University of Texas at Arlington. He worked in industry for major corporations such as Motorola, Northrop Grumman and Sara Lee before entering academics. His research interests include information security, privacy and information warfare. His research has been published in the Journal of Management and several conference proceedings.

Jan Guynes Clark is Professor of Information Systems at The University of Texas at San Antonio. She received her PhD from the University of North Texas. Her research interests include information security, telecommunications in a global environment, and IS strategies. Her publications have appeared in leading journals such as Communications of the ACM, Data Base, IEEE Transactions on Engineering Management, and Information & Management.