Why there aren’t more information security research studies
Andrew G. Kotulic (a), Jan Guynes Clark (b,*)
(a) Kent State University, Kent, OH, USA
(b) Department of Information Systems, The University of Texas at San Antonio, 6900 N. Loop 1604 West, San Antonio, TX 78249, USA
Abstract
Noting a serious lack of empirical research in the area of security risk management (SRM), we proposed a conceptual model based on the study of SRM at the firm level. Although considerable time and effort were expended in attempting to validate the usefulness of the proposed model, we were not successful. We provide here a description of our conceptual model, the methodology designed to test this model, the problems we faced while attempting to test the model, and our suggestions for those who attempt to conduct work in highly sensitive areas.
© 2003 Elsevier B.V. All rights reserved.
Keywords: Security; Risk; Security risk management; IT strategy
1. Introduction
Organizations are faced with an extremely complex information security environment, dealing with such issues as open systems, the IT platform, strategic exploitation of electronic integration, network interconnectivity, etc. They are attempting to learn to manage the complexities of the components of the IT platform while integrating it with the firm’s strategies. Since top management teams (TMTs) are incorporating IT in their business strategies, making strategic decisions under varying levels of uncertainty, IT security and business and strategic risks must be considered. But there are multiple tradeoffs, priority concerns, and multiple consequences that should be addressed during the decision-making process [2].
The majority of the relevant literature is based on opinion, anecdotal evidence, or experience. Straub and Welke [60] addressed the multi-faceted nature of information security risk at the firm level using a “deterrence theory” based comparative qualitative study in two Fortune 500 information services firms. A major conclusion was that managers do not have a good security planning process, but if exposed to one, they would employ it. Consequently, we have proposed a conceptual model based on sound theoretical considerations that should prove beneficial for the study of the SRM program process.
2. Research framework
Recent empirical research suggests that the downside nature of risk is a major factor in determining risky decision-making behavior by firm executives [58]. Additionally, managers involved in the same decision-making process view the magnitude of the risks differently [36].
Our purpose was to create and test a conceptual model of SRM program effectiveness. We drew heavily from the works of Jarvenpaa and Ives [34,35], DeLone and McLean [16], Suh et al. [62], and Shirani et al. [32,67] to derive a conceptual model (Fig. 1). These studies all focused on measures of IS success.
Information & Management 41 (2004) 597–607
* Corresponding author. Tel.: +1-210-458-5244; fax: +1-210-458-6305.
E-mail address: [email protected] (J.G. Clark).
0378-7206/$ – see front matter © 2003 Elsevier B.V. All rights reserved.
doi:10.1016/j.im.2003.08.001
In order to operationalize the conceptual SRM program model we incorporated a commonly held definition: risk is the perceived extent of possible loss [14]. Dean contends that possibility is more closely related to thought and perceptions than probability and further contends that managers’ perceptions of risk are the basis of firm risk management. This parallels the notion put forth by Bodeau [4] in the development of disclosure risk for information systems.
Historically, threats and vulnerabilities have not been considered until after a security breach had occurred. The goal of risk management is to maximize possible gain while minimizing possible loss. The risk management process must be a cost-effective, non-technology driven, value creation process that contributes to the overall effectiveness of the organization [34,67]. However, adoption of the risk management perspective does not drive the level of security risk to zero. There is generally some degree of risk, regardless of the action or decision [70].
The increased importance and potential business risks associated with the disclosure, modification, unavailability or destruction of information intensify the potential business impact of a security breach. One must also focus on human issues. People impact security risk in two major ways: they cause information security breaches [33] and make risky decisions that impact an organization’s response to threats [45].
2.1. Organization characteristics
Our study emphasized the importance of managerial interpretation and strategic choice. The TMT of organizations is responsible for obtaining information for the strategic decisions that all organizations are required to execute [11]. These managers collect and interpret information from many different internal and external sources. Therefore, their perceptions can be used to help in analyzing their actions [10,48].
Strategic applications of IT carry with them the potential for new risks [33]. Thus firms that rely heavily on IT resources must deal with potentially higher levels of risk than firms with less dependence. Additionally, TMT perceptions about potential security risks influence what they desire from their SRM program.
2.1.1. SRM program posture
Fig. 1. Conceptual model of SRM program effectiveness.
Content analysis was conducted on literature published after 1980 to extract major suggestions about material to be included in a corporate level SRM program. We assumed that different configurations could be identified. The program construct was operationalized using posture as the surrogate. The measures were selected to position the posture along a hard < > soft continuum, based on:
(1) governance—centralized/shared/distributed,
(2) countermeasures—reactive/pro-active,
(3) structure—centralized/decentralized, and
(4) policy and procedures—formalized/casual.
This approach is similar to that used in predicting business performance/effectiveness using the Miles and Snow typology [20,28,57,73].
The governance of IT resource security may be centralized, shared between the central authority and the user or group [3], or totally distributed [25,65]. It may even be under the management of people who lack the knowledge required to manage it [17].
The common definition of countermeasures is the identification of threats [24]. We took a holistic approach and defined them as an array of organizational devices to deter, prevent, or detect security breaches. Examples include penetration teams, quick reaction teams, and utilization of Internet security resources. The structural imperatives identified for IS organizations may be necessary for an effective security organization [53]. There is general agreement that organizations need a “security policy” [39,59]. However, exactly what should be included in it seems to be an elusive aspect of SRM programs.
2.1.2. IT resource posture
There are several theoretical frameworks that view the IT resource in a broad context [1,42,51]. For this study, IT resource posture includes all of the technologies, capabilities, data and information, and how and why they are being deployed. We operationalized the posture using electronic integration (EI) and reach and range.
We used the Venkatraman [68,69] model of electronic integration, which identifies the role of business networks linking enterprises along a continuum of the “unstructuredness” of the information being transmitted. The range extends from low (transactions) to high (knowledge) and captures the concepts of “connectivity” and “the networked business organization.” Keen [37] discussed reach and range of the IT platform. Range is the level of information that is accessible across the IT platform; reach is the level of connectivity of the platform.
2.1.3. Organization posture
There are many organization structure typologies for capturing the dimensions of an organization. Formalization, integration, and centralization have been identified [47]. Powell [52] contends that due to social, economic, technical and managerial factors, the dynamics of team-based organizations have moved organizations beyond their boundaries. Therefore, any attempts to identify them using existing techniques will fail. We argue that flexible organizations are more likely to have more effective SRM programs.
For our study, we broadly defined organizational posture as the structural and contextual dimensions that together identify the internal characteristics and settings that identify unique organizational properties. We selected Miles and Snow’s [46] “strategic archetype” and Covin and Slevin’s [9] “structure” concepts as the dimensions most suitable to form a parsimonious set to measure the construct.
2.1.4. Contextual factors
A major premise in organization science has been the concept of fit. Thompson [64] postulated that organizations must exhibit characteristics of internal fit or their processes and organizational structures must be internally consistent and they must be suitable to contend with key environmental contingencies. Nadler and Tushman [49] defined fit as the degree of consistency of structure, needs, goals, demands, and objectives among components. Organizations must achieve a fit or performance will suffer [26,27,73]. Jarvenpaa and Ives [34,35] view fit and flexibility as complementary to each other and stress the importance of the external/internal fit perspective.
A major premise of our study was that there is a direct relationship between the business risk level and the current firm concern about security risk. If there is a lack of communication between management and the security function, the overall SRM program effectiveness may be negatively impacted.
Size is important in strategy and MIS success (cf. [13,21]). There are many different ways in which it has been measured (e.g., number of employees, sales, etc.), but two measures were determined to be the most suitable when testing hypotheses related to the actual performance of the SRM program: number of employees/computer users and the installed IT platform. Industry is another variable used in organizational research. We used the primary and secondary industry sectors within which the firms operate.
2.2. Management characteristics
There is a strong theoretical and empirical basis for focusing on the top management team characteristics, their influence on content and process issues, and the role of the group dynamic in the decision-making process [6,29,30]. There may be differences in managerial attitudes and perceptions toward security risks, and they may influence management choices relative to the appropriate security measures required. Perceived risk is another significant issue. Managers may be classified as risk takers or risk avoiders relative to business and security risk [41]. We used these concepts to operationalize the construct in order to identify how these attitudes and perceptions influenced their SRM program choices [27,40].
2.3. Executive management support
The concept of executive management support being a necessary condition for successful implementation of IT is well known [15,38,71]. Jarvenpaa and Ives [34,35] focused on the role of the CEO. They made a distinction between involvement and participation when testing the relationship between executive support and the progressive use of IT in the firm. For our study, the same distinction was used. Involvement was defined as the importance placed on the security risk management program by top management; participation was the executive activities or substantive personal interventions in the management of the security risk management program. We hypothesized that executive management involvement is a necessary condition for the successful implementation of an SRM program within an organization.
2.4. SRM program effectiveness
DeLone and McLean [16] classified IS success measures into six categories. Their model of IS success shows use and user satisfaction as being interdependent. Suh et al. [62] suggested that when IS use is employed as a surrogate for benefits from use, success seems to be equated with high-usage systems; net benefits result from system use. This is similar to an SRM program. The organizational net benefits should flow from the program and therefore be an important determinant of the success of the system. The DeLone and McLean model was later extended by Seddon [54], who identified perceived usefulness and user satisfaction as measures of the net benefits of past IS use. In our study, perceived usefulness and net benefits were employed as measures for program effectiveness.
2.4.1. The confirmation/disconfirmation paradigm
Oliver [50] suggests that consumers form pre-purchase expectations of performance. When these are compared with actual performance, there are three possible results: (1) there is no difference between actual and expected performance, a neutral result; (2) actual performance is greater than expectations, resulting in a positive disconfirmation, i.e., satisfaction; or (3) actual performance is less than expectations, with negative disconfirmation, and dissatisfaction.
Suh et al.’s [62] model introduced the concept of desired expectations as a substitute for expectation/anticipation in the disconfirmation of expectation paradigm. Shirani et al. [56] developed a broadly based explanatory model of user information satisfaction, incorporating this paradigm of Oliver. This model provides a new approach to understanding the process and variables that are ultimately responsible for user information satisfaction. They provide support for the position that it is important to account for contextual factors and processes if one is investigating issues associated with IS success.
2.5. Research hypotheses
We elected to test only a portion of the model at first. Additionally, it is best to focus on portions of the model that have the most empirical support, rather than new constructs. Therefore, the following hypotheses were proposed:
H1. Executive management involvement in the SRM program is positively related to the perceived usefulness of the SRM program.
H2. Executive management involvement in the SRM program is positively related to the perceived employee compliance with the SRM program.
H3. Executive management participation in the SRM program is negatively related to the perceived usefulness of the SRM program.
H4. Executive management participation in the SRM program is negatively related to the perceived employee compliance with the SRM program.
H5. The security breach severity level is negatively related to the perceived usefulness of the SRM program.
H6. The security breach severity level is negatively related to the perceived level of employee compliance with the SRM program.
H7. The magnitude of actual security breach costs is negatively related to the perceived usefulness of the SRM program.
H8. The magnitude of security breach costs is negatively related to the perceived level of employee compliance with the SRM program.
H9. The effectiveness of the SRM program is positively related to the level of positive disconfirmation between desired performance and actual performance.
3. Research methodology
Our original research strategy included a planned preliminary field study at two firms with a security risk management program in place for at least 1 year. This field study was to be used as a pilot test to refine the research instruments. Focused interviews were to be analyzed using an open coding procedure to screen for the emergence of unanticipated characteristics. Based on the outcome of the two analyses, additional firm sites were to be used to further refine the construct measures. The finalized instruments were then to be sent to a sample of firms selected from the total population of firms. The process follows Churchill’s [8] research paradigm for the development of construct measures.
3.1. The sample
The sample of organizations was extracted from a heterogeneous industry population of US firms. We aimed toward generalizability and maintaining an acceptable level of precision in control and measurement of the variables [44]. Survey instruments were designed for the CEO and one TMT member of each of the firms. Since high rates of non-response to surveys are normal, we hoped for a 20% return, which required mailing 500 surveys to obtain 100 usable responses. We employed Tomaskovic-Devey et al.’s [66] suggested methodology for reducing non-response.
3.2. The survey instrument
Since our study used several measures that had not been validated, the full Churchill research paradigm model had to be followed. As one of our major goals was to gain an understanding of the nature of the constructs and their relationships in the conceptual research model [55,61], these steps had to be employed to ensure proper interpretation of the findings. Two questionnaires were constructed for the pilot test. The first questionnaire was divided into two sections: one for the highest-ranking security official (CSO), the other for the highest-ranking IS official (CIO). The second questionnaire was intended for other high-ranking members of the TMT.
The research strategy relied upon both multi- and single-respondents from each firm, aggregating results to develop a firm level measure for analysis. The CEO and at least one other member of the TMT were to be surveyed. Since members of the TMT deal with a variety of business risks [12], they may perceive organizational outcomes differently [5,43]. However, if only the CEO response was received, we considered that sufficient, since CEOs are supposed to define the strategy and also determine the risk taking nature of IT in the firm [31].
The instruments were pre-tested on a convenience sample of Management and Management Information Systems faculty members at two geographically dispersed universities. We relied upon the instrument review methodology employed by Chan and Huff [7]. Faculty panels were asked to comment on the construct definition, the suitability of the operationalization (the dimensions) and the questions used to measure the dimensions. The responses were used to modify and refine the instruments. The plan was to pilot test the refined instrument with a sample of two firms with known mature security risk management cultures. A convenience sample of firms was identified and five firms agreed to take part in the pilot test before seeing the questionnaires.
After an in-depth analysis of the data collected at the model firm sites, a decision was to be made on the desirability of further field studies at more sites. The additions were to be drawn from the original five firms. Such process steps are similar to those used in the multi-case methodology used by several researchers [22,23]. This methodology utilizes replicative logic [72], where cases are treated as a series of separate experiments that are used to confirm or reject the inferences that the researcher extracted from all those previously conducted. Additionally, multiple data sources are employed for each case. For example, the Eisenhardt studies used CEO interviews, TMT semi-structured interviews, TMT questionnaires, and secondary archival data sources.
The pilot test data was to be put through an extensive data screening and purification process, as outlined by Tabachnick and Fidell [63]. A combination of factor analysis and coefficient alpha was to be used for this operation.
3.3. The pilot study
We provided a research study proposal to the original five firms with copies of the preliminary questionnaires. They were asked to give the self-report questionnaires to the designated managers and to expect follow-up interviews in order to improve the relevance, clarity, and content of the questions. The organizations were told that, upon completion of the study, they would receive an executive review profiling their firm, enabling them to make comparisons with others in the same industry. Finally, they were told that organization and/or individual identity would not be revealed. Unfortunately, after reviewing copies of the preliminary questionnaires, all of the original five firms declined to continue.
After being rejected by them, we identified 38 potentially suitable organizations for the pilot study. We relied upon various methods, including colleague and insider referrals and introductions, contacting professional organizations that had sponsored, supported, or published information security surveys, contacting leading security industry firms, contacting consulting firms with a visible presence in information security, contacting several governmental organizations, and making a presentation at a USENIX security symposium in order to solicit support. Although we had a series of meetings with IS and security personnel at several firms, and made a presentation via teleconferencing to high-level managers at several locations of a government organization, we were not successful. Eighteen months after the preliminary research instruments were finalized, the pilot test stage was terminated. At that time, 42 of the 43 organizations contacted refused to take part in the field study. The net result of this activity was that one firm agreed to participate, responded to the questionnaires, and allowed the necessary interviews to take place. The reasons given by the 42 firm representatives that refused to take part in the pilot test are shown in Table 1. As reported, the major problem was the need to concentrate on Y2K problems. Many individuals were concerned that this type of study might lead to problems with negative consequences for them.
Our pilot study organization is a leading firm in the security industry. In order for them to participate, we had to agree to allow one of their employees to conduct the interviews. The participation of this firm, and their assigned interviewer, proved extremely beneficial in developing the finalized research instruments. The CIO, CSO, two TMT members, and a second CSO/CIO questionnaire provided information about the content and structure of the research instruments.
Table 1
Pilot test firm data
Reason for refusal  Number  %
Y2K issues require total focus of organization  15  35.7
Job security issues  6  14.3
Do not have a formal program  5  11.9
Top management would want explanations  5  11.9
Top management too busy  3  7.0
Recently failed security audit  2  4.8
Do not participate in this type of academic research  2  4.8
No reason given  2  4.8
Information security program details classified sensitive  1  2.4
Lost time cost  1  2.4
Total  42  100.0
3.4. Research instrument and sample selection modifications
The content and structure of the research instruments were modified. The original two questionnaires were divided into four questionnaires designated for the CIO, CSO, a member of the TMT and a functional level manager. This move was taken in order to reduce the time required for each participant to complete the questionnaire and to ensure privacy (so that other firm members would not see the CIO and CSO responses). In order to further reduce the response time, all questions used to measure the SR knowledge and awareness of firm management were eliminated. Additionally, all questions involving quantitative information for the actual performance of the SRM program and that required quantitative or qualitative answers for the desired performance of the SRM program were eliminated. Finally, the wording of several questions was modified to increase their clarity. We attempted to eliminate as many sections of the questionnaire as possible, especially those that were considered highly intrusive or would require the complete Churchill pre-test process to validate. The university research center’s name was prominently displayed on the cover page of every questionnaire to enhance the professional appearance of the instruments and to help establish researcher credibility.
Feedback during the pilot test led us to believe that firm size was a major selection factor in tapping organizations with an established security risk management program. The discussions indicated that organizations with more than 500 employees could afford the costs of formal information security programs and would be likely to have assigned security and/or risk management personnel. The original goal was to obtain about 100 usable firm survey responses from an initial mailing to 500 firms. However, following the pilot study, we estimated that we would require a mailing of between 1200 and 1600 firm questionnaires to provide such a number of useful responses. A cross section of 1500 firms was selected from a database of 5001 US businesses with 500 or more employees.
Results of the pilot test and prior research [18] reinforced the importance of rewards and trust. The revised cover letter addressed concerns related to trustworthiness of the researchers and expected time for completion. Token incentives have also been suggested as effective in increasing the potential response rate. As a result, we included customized business card size magnets, containing the slogan “practice safe computing”.
4. Response rate
Each survey package contained a cover letter addressed to the CEO or COO of the firm, four questionnaires, five tokens of appreciation and four self-addressed return envelopes. Follow-up letters were sent out to firms that did not return at least one questionnaire within 4–6 weeks after the initial package was sent out. The letter contained an appeal for participation and offered an executive summary report profiling the firm if all four questionnaires were returned. A different follow-up letter was sent out 2–4 weeks after a firm returned at least one questionnaire. This package contained supplemental questionnaires to replace those that had not been returned and additional postage paid return envelopes. In spite of these efforts, we obtained too few responses to conduct any statistically meaningful parametric or non-parametric tests.
We sent out 1540 complete research packages; 66 were returned with no means of resolution, resulting in 1474 possible respondents. Of those, only 23 firms returned at least one of the four questionnaires: a response rate of 1.6%. In total, 67 questionnaires were returned: 18 CSO, 18 CIO, 16 TMT, and 15 functional managers. Of those questionnaires, nine firms returned four questionnaires, four firms returned three questionnaires, nine firms returned two questionnaires and one firm returned one questionnaire. The nine firms that submitted the four questionnaires represent a firm response rate of 0.61%.
5. Non-response
Throughout data collection, many telephone conversations and e-mail exchanges were held with CIOs, CSOs and risk managers on the goals of the research study, the makeup of the questionnaires, and the researchers’ credentials. In one instance, one of the researchers was informed that his credentials had been reviewed with a third party, because the organization was concerned that he might be practicing “social engineering” techniques to gain information about the firm’s SRM program countermeasures.
As a result of our extremely poor response rate, we attempted to determine the specific reason(s) that firms would not take part in the study. We modified Dillman’s [19] list of reasons why individuals and organizations do not respond to mail surveys and added some based on our experience, resulting in a 17-item questionnaire. This was sent out to the firms that did not return at least one of the original survey questionnaires. Seventy-four firms responded to this survey (see Table 2). Responses were gathered via e-mail, telephone conversations, and the return of the new questionnaire sent to approximately 1400 of the firms that did not respond to the original package. This represents a response rate of approximately 5.1%. The top four reasons for not responding to the original survey were related to surveys in general (items 3 and 4), company policy regarding security information sharing (item 11), and excessive use of management time (item 13). Interestingly, although several sources have suggested that firm identification is a major reason that firms do not take part in mail survey research studies, 47.3% of the firms gave the name of the firm for this questionnaire.
6. Lessons learned
Information security research is one of the most intrusive types of organization research, and there is undoubtedly a general mistrust of any “outsider” attempting to gain data about the actions of the security practitioner community. In spite of all our efforts, we failed to achieve anywhere near an acceptable response rate. We conclude that it is nearly impossible to extract information of this nature by mail from business organizations without having a major supporter.
We do not propose the use of mass mailings of survey instruments when attempting to collect data of a sensitive nature. Firms are unwilling to divulge such information without strong assurances that the information provided will in no way harm them, yet could provide insight in how to improve their organization.
Table 2
Non-response feedback from 74 firms
Item  Reason  Number  %
1. The organization does not accept unsolicited submissions of any ideas or materials  5  6.8
2. The request did not comply with our established policies for survey requests  0  NA
3. Due to the large volume of survey requests we receive, our policy is not to participate in any surveys  19  25.7
4. Due to the large volume of survey requests we receive, we cannot participate in every one we receive  36  29.7
5. The corporate headquarters is responsible for such decisions and the survey was forwarded there  4  5.4
6. Temporary issues (company being sold/reorganization is in progress)  6  8.1
7. The university sponsor for the research study cannot provide legal confidentiality protection  1  1.4
8. The use of individual identification numbers on the questionnaires could be used to reveal responses by an individual or by the organization  3  4.1
9. The questionnaires contain some questions that require answers that would reveal proprietary information  7  9.5
10. The questionnaires contain many questions that would require checking company records  3  4.1
11. We do not share any information about our computer security policies with outside entities  17  23.0
12. Our management team is too busy to spend time filling out any survey questionnaires  9  12.2
13. The time of our management team is valuable and we decided that the benefits received for the time expended were not adequate to participate in the research project  17  23.0
14. Company security policies prevent complete answers to some of the requested information  7  9.5
15. Company policy prevents revealing any demographic information about our management team  4  5.4
16. Company policy prevents revealing information about management, team business philosophy, or internal actions  3  4.1
17. Other  1  1.4
Total  128
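As an added worked check (this is not the authors' analysis code), the following Python recomputes the response-rate figures of Section 4 and the mailing-size estimate of Section 3.1 from the numbers reported in the paper, and then recomputes each percentage in Table 2 against the 74 responding firms. The short row labels are paraphrases of the table's reasons, the 0.15-point rounding tolerance is this example's own choice, and the row reported as "NA" carries None. Because a firm could give more than one reason, the per-reason counts are expected to sum to more than 74; the check returns any row whose stated percentage cannot be reproduced from its count instead of silently accepting the table.

```python
import math

# Figures transcribed from Sections 3.1 and 4 of the paper.
MAILED = 1540            # complete research packages sent out
UNDELIVERABLE = 66       # returned with no means of resolution
RESPONDING_FIRMS = 23    # firms that returned at least one questionnaire
COMPLETE_FIRMS = 9       # firms that returned all four questionnaires


def effective_sample(mailed: int, undeliverable: int) -> int:
    """Possible respondents once undeliverable packages are removed."""
    return mailed - undeliverable


def response_rate(responders: int, sample: int, ndigits: int = 1) -> float:
    """Response rate in percent, rounded the way the paper reports it."""
    return round(100.0 * responders / sample, ndigits)


def mailing_needed(usable_responses: int, expected_rate_pct: float) -> int:
    """Mailing size required for a target number of usable responses
    at an expected return rate given in percent (Section 3.1 planning)."""
    return math.ceil(100.0 * usable_responses / expected_rate_pct)


# Table 2, transcribed as (paraphrased label, number of firms, stated %).
# Multi-select: counts are not expected to sum to the 74 responding firms.
TABLE2_FIRMS = 74
TABLE2 = [
    ("no unsolicited submissions accepted", 5, 6.8),
    ("request not compliant with survey-request policy", 0, None),
    ("policy: participate in no surveys", 19, 25.7),
    ("cannot participate in every survey received", 36, 29.7),
    ("decision forwarded to corporate headquarters", 4, 5.4),
    ("temporary issues (sale/reorganization)", 6, 8.1),
    ("sponsor cannot provide legal confidentiality", 1, 1.4),
    ("identification numbers could reveal responses", 3, 4.1),
    ("answers would reveal proprietary information", 7, 9.5),
    ("questions require checking company records", 3, 4.1),
    ("security policies not shared with outsiders", 17, 23.0),
    ("management team too busy", 9, 12.2),
    ("benefits not adequate for time expended", 17, 23.0),
    ("security policies prevent complete answers", 7, 9.5),
    ("policy: no management demographics", 4, 5.4),
    ("policy: no management philosophy or internal actions", 3, 4.1),
    ("other", 1, 1.4),
]
TABLE2_STATED_TOTAL = 128


def count_total(rows) -> int:
    """Sum of the per-reason counts; exceeds the firm count for multi-select data."""
    return sum(count for _, count, _ in rows)


def check_percentages(rows, n_firms, tolerance=0.15):
    """Recompute each stated percentage as count / n_firms and return the rows
    whose stated value cannot be reproduced within rounding."""
    mismatches = []
    for label, count, stated in rows:
        if stated is None:          # reported as NA in the table
            continue
        computed = round(100.0 * count / n_firms, 1)
        if abs(computed - stated) > tolerance:
            mismatches.append((label, count, stated, computed))
    return mismatches


if __name__ == "__main__":
    sample = effective_sample(MAILED, UNDELIVERABLE)
    print(f"effective sample: {sample}")
    print(f"firm response rate: {response_rate(RESPONDING_FIRMS, sample)}%")
    print(f"complete-set firm rate: {response_rate(COMPLETE_FIRMS, sample, 2)}%")
    print(f"mailing for 100 usable responses at 20%: {mailing_needed(100, 20)}")
    print(f"Table 2 count sum: {count_total(TABLE2)} (stated total {TABLE2_STATED_TOTAL})")
    for row in check_percentages(TABLE2, TABLE2_FIRMS):
        print("stated percentage not reproducible from count:", row)
```

Running the script reproduces the 1474-firm sample and the 1.6% and 0.61% rates of Section 4 and the 500-firm mailing of Section 3.1; the table check reports which Table 2 rows, if any, do not agree with a 74-firm base, which is the kind of consistency check worth applying to any published non-response table before reusing its figures.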
Time is far better spent focusing on a few, select
firms with whom the researcher has developed an
excellent rapport and trust. Straub and Welke [60]
were able to obtain rather detailed information from
their two-firm comparative study. They attributed this
to their well-developed consulting relationship with
the firms; they had signed non-disclosure agreements
protecting the identity of the firms. Both firms also
read, discussed, and approved the written results
before they were submitted to an academic journal.
We learned, the hard way, that developing a research stream in an emerging, organization-sensitive area requires major personal, financial and professional commitments far beyond what most researchers can afford to expend. The total cost of the research project, the time expended, and the professional tradeoffs have far exceeded those originally estimated. The project scope was also too large. We suggest a slow, cautious approach for studies that are either under-researched or of a sensitive nature. Our study had both characteristics.
An indirect contribution of the research study is the information extracted from those who were willing to discuss their reasons for not wishing to participate. This type of feedback should prove beneficial for anyone planning to investigate organizational security issues.
We have provided a theoretical model to study the process that leads to effective SRM programs. The model includes desired expectations in an IS area outside of the EUC domain and incorporates the role of executive management support. The framework should provide the academic community additional insights to aid research in other aspects of IS/IT that require performance metrics when viewed within the context of the socio-technical perspective.

The process of developing and implementing an SRM program is time-sensitive. In order to explore the process, a form of longitudinal research is an appropriate approach. We propose case study research as an appropriate methodology for this.
The organizational-level information security domain is relatively new and under-researched. In spite of this, it may prove to be one of the most critical areas of research necessary for supporting the viability of the firm. Although we were not able to collect enough data for statistical significance, our research provides a starting point for the development of theory-based guidelines for managing the SRM program process. We feel it is imperative for organizations to obtain a better understanding of how organizational context, the deployed IT resource, and the propensity for risk affect the overall level of information security program effectiveness within the organization.
References

[1] L.M. Applegate, J.J. Elam, New information systems leaders: a changing role in a changing world, MIS Quarterly 16, 1992, pp. 469–489.
[2] S.L. Barton, P.J. Gordon, Corporate strategy: useful perspective for the study of capital structure? Academy of Management Review 12 (1), 1987, pp. 67–75.
[3] F. Bergeron, C. Berube, End users talk computer policy, Journal of Systems Management 41 (12), 1990, pp. 14–32.
[4] D.J. Bodeau, A conceptual model for computer risk analysis, in: Proceedings of the 8th Annual Computer Security Applications Conference, IEEE Press, New York, 1992, pp. 56–63.
[5] L.J. Bourgeois, Strategic goals, perceived uncertainty, and economic performance in volatile environments, Academy of Management Journal 28, 1985, pp. 548–573.
[6] A.S. Chakravarthy, Y. Doz, Strategy process research: focusing on corporate self-renewal, Strategic Management Journal 13, 1992, pp. 5–14.
[7] Y.E. Chan, S.L. Huff, The development of instruments to assess information systems and business unit strategy and performance, in: N. Venkatraman, J. Henderson (Eds.), Research in Strategic Management and Information Technology, vol. 1, JAI Press, Greenwich, CT, 1994.
[8] G.A. Churchill, A paradigm for developing better measures of marketing constructs, Journal of Marketing Research 16 (1), 1979, pp. 64–73.
[9] J.G. Covin, D.P. Slevan, The influence of organization structure on the utility of an entrepreneurial top management style, Journal of Management Studies 23 (3), 1988, pp. 217–234.
[10] R.M. Cyert, J.G. March, A Behavioral Theory of the Firm, Prentice-Hall, Englewood Cliffs, NJ, 1993.
[11] R.L. Daft, K.E. Weick, Toward a model of organizations as interpretation systems, Academy of Management Review 9, 1984, pp. 284–295.
[12] R.L. Daft, J. Sormunen, D. Parks, Chief executive scanning, environmental characteristics, and company performance: an empirical study, Strategic Management Journal 9, 1998, pp. 123–129.
[13] F. Damanpour, Organizational innovation: a meta-analysis of effects of determinants and moderators, Academy of Management Journal 34 (3), 1991, pp. 555–590.
[14] E.B. Dean, Risk: from the perspective of competitive advantage, retrieved from World Wide Web July 1996, http://dfac.larc.nasa.gov/dfc/rsk.html.
[15] W.H. DeLone, Determinants of success of computer usage in small business, MIS Quarterly 12 (1), 1988, pp. 51–61.
[16] W.H. DeLone, E.R. McLean, Information systems success: the quest for the dependent variable, Information Systems Research 3 (1), 1992, pp. 60–95.
[17] H.B. DeMaio, Open systems security and the art of random juggling, Information Systems Security 4, 1995, pp. 7–11.
[18] D.A. Dillman, Mail and Telephone Surveys: The Total Design Method, Wiley, New York, 1978.
[19] D.A. Dillman, Mail and Internet Surveys: The Tailored Design Method, second ed., Wiley, New York, 2000.
[20] D.H. Doty, W.H. Glick, G.P. Huber, Fit, equifinality and organizational effectiveness: a test of two configurational theories, Academy of Management Journal 36, 1993, pp. 1196–1250.
[21] P. Ein-Dor, E. Segev, Organizational context and the success of management information system, Management Science 24 (10), 1978, pp. 1067–1077.
[22] K.M. Eisenhardt, Better stories and better constructs: the case for rigor and comparative logic, Academy of Management Review 16 (3), 1991, pp. 620–627.
[23] K.M. Eisenhardt, L.J. Bourgeois, Politics of strategic decision making in high velocity environments: toward a midrange theory, Academy of Management Journal 31 (4), 1988, pp. 737–770.
[24] J.H.P. Eloff, L. Labuschagne, K.P. Badenhorst, A comparative framework for risk analysis methods, Computers and Security 12, 1993, pp. 597–603.
[25] J. Frank, Quality control of personnel computing, Journal of Systems Management 39 (12), 1988, pp. 32–39.
[26] J.R. Galbraith, R. Kazanjian, Strategy Implementation: Structure, Systems, and Process, second ed., West Publishing, St. Paul, MN, 1986.
[27] D.L. Goodhue, D.W. Straub, Security concerns of system users: a study of perceptions of the adequacy of security, Information & Management 20 (1), 1991, pp. 13–27.
[28] D.C. Hambrick, An empirical typology of mature industrial-product environments, Academy of Management Journal 26 (2), 1983, pp. 213–230.
[29] D.C. Hambrick, The top management team: key to strategic success, California Management Review 30 (1), 1987, pp. 88–108.
[30] D.C. Hambrick, P. Mason, Upper echelons: the organization as a reflection of its top managers, Academy of Management Review 9 (2), 1984, pp. 193–206.
[31] S. Hart, An integrative framework for strategy-making processes, Academy of Management Review 17, 1992, pp. 327–351.
[32] S. Hill, M. Smith, Risk management and corporate security: a viable leadership and business solution designed to enhance corporations in the emerging marketplace, Computers and Security 14, 1995, pp. 199–204.
[33] J. Hitchings, Deficiencies of the traditional approach to information security and the requirements for a new methodology, Computers and Security 14, 1995, pp. 377–383.
[34] S.L. Jarvenpaa, B. Ives, Executive involvement and participation in the management of information technology, MIS Quarterly 15 (2), 1991, pp. 205–227.
[35] S.L. Jarvenpaa, B. Ives, Organizational fit and flexibility: IT design principles for a globally competing firm, in: N. Venkatraman, J. Henderson (Eds.), Research in Strategic Management and Information Technology, vol. 1, JAI Press, Greenwich, CT, 1994.
[36] L.R. Kahneman, A. Tversky, Variants of uncertainty, Cognition 11, 1982, pp. 143–157.
[37] P.G.W. Keen, Shaping the Future: Business Design Through Information Technology, Harvard Business School Press, Boston, MA, 1991.
[38] D. Leonard-Barton, I. Deschamps, Managerial influence in the implementation of new technology, Management Science 34 (10), 1988, pp. 1252–1265.
[39] K.R. Lindup, A new model for information security policies, Computers and Security 14, 1995, pp. 691–695.
[40] K.R. MacCrimmon, D.A. Wehrung, Taking Risks: The Management of Uncertainty, Free Press, New York, 1986.
[41] K.R. MacCrimmon, D.A. Wehrung, Characteristics of risk taking executives, Management Science 36 (4), 1990, pp. 422–435.
[42] S.E. Madnick, The information technology platform, in: M.S. Scott Morton (Ed.), The Corporation of the 1990s: Information Technology and Organizational Transformation, Oxford University Press, New York, 1991.
[43] D.L. McDade, The assessment of perceived environmental uncertainty and economic performance, Human Relations 43, 1990, pp. 1203–1218.
[44] J.E. McGrath, Dilemmatics: the study of research choices and dilemmas, in: J.E. McGrath, J. Martin, R.A. Kulka (Eds.), Judgment Calls in Research, Sage, Beverly Hills, CA, 1982.
[45] R.E. McGaughey Jr., C.A. Snyder, H.H. Carr, Implementing information technology for competitive advantage: risk management issues, Information & Management 26 (5), 1994, pp. 273–280.
[46] R.E. Miles, C.C. Snow, A.D. Meyer, H.J. Coleman, Organizational strategy, structure, and process, Academy of Management Review 3 (3), 1978, pp. 546–562.
[47] D. Miller, C. Droge, J. Toulouse, Strategic process and content as mediators between organizational context and structure, Academy of Management Journal 31 (3), 1988, pp. 544–569.
[48] H. Mintzberg, Patterns in strategy formation, Management Science 24 (9), 1978, pp. 934–948.
[49] D.A. Nadler, M.L. Tushman, A congruence model for diagnosing organizational behavior, in: R. Miles (Ed.), Resource Book in Macro Organizational Behavior, Goodyear, Santa Clara, CA, 1980.
[50] R.L. Oliver, A cognitive model of the antecedents and consequences of satisfaction decisions, Journal of Marketing Research 17 (4), 1980, pp. 460–469.
[51] M.E. Porter, V.E. Millar, How information gives you a competitive advantage, Harvard Business Review 4, 1985, pp. 149–160.
[52] P. Powell, Beyond networking: the rise of the nebulous organization, European Management Journal 10 (3), 1992, pp. 352–356.
[53] J.F. Rockart, M.J. Earl, J.W. Ross, IT in the 1990s: managing organizational interdependence, Sloan Management Review 30 (2), 1996, pp. 7–17.
[54] P.B. Seddon, A respecification and extension of the DeLone and McLean model of IS success, Information Systems Research 8 (3), 1997, pp. 240–253.
[55] V. Sethi, W.R. King, Construct measurement in information systems research: an illustration in strategic systems, Decision Sciences Journal 22 (3), 1991, pp. 455–472.
[56] A. Shirani, M. Aiken, B. Reithel, A model of user information satisfaction, Data Base 25 (4), 1994, pp. 17–23.
[57] S.M. Shortell, E.J. Zajac, Perceptual and archival measures of Miles and Snow's strategic types: a comprehensive assessment of reliability and validity, Academy of Management Journal 33 (4), 1990, pp. 817–832.
[58] S.B. Sitkin, L.R. Weingart, Determinants of risky decision-making behavior: a test of the mediating role of risk perceptions and propensity, Academy of Management Journal 38 (6), 1995, pp. 1573–1592.
[59] D.F. Sterne, On the buzzword "security policy", in: Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy, 20–22 May, Oakland, CA, IEEE Computer Society Press, Los Alamitos, CA, 1991, pp. 219–230.
[60] D.W. Straub, R.J. Welke, Coping with systems risk: security planning models for management decision-making, MIS Quarterly 22 (4), 1998, pp. 441–469.
[61] A. Subramanian, S. Nilakanta, Measurement: a blueprint for theory-building in MIS, Information & Management 26 (1), 1994, pp. 13–20.
[62] K. Suh, S. Kim, J. Lee, End-user's disconfirmed expectations and the success of information systems, Information Resources Management Journal 7 (4), 1994, pp. 30–39.
[63] B.G. Tabachnick, L.S. Fidell, Using Multivariate Statistics, second ed., Harper & Row, New York, 1989.
[64] J.D. Thompson, Organizations in Action: Social Science Bases of Administrative Theory, McGraw-Hill, New York, 1967.
[65] H. Tipton, Liability of corporate officers for security problems, Computer Security Journal 10 (1), 1994, pp. 59–69.
[66] D. Tomaskovic-Devey, J. Leiter, S. Thompson, Organizational survey nonresponse, Administrative Science Quarterly 39, 1994, p. 439.
[67] E.G. Troy, A rebirth of risk management, Risk Management 42 (7), 1995, pp. 71–73.
[68] N. Venkatraman, The concept of fit in strategy research: toward verbal and statistical correspondence, Academy of Management Review 14 (3), 1989, pp. 432–444.
[69] N. Venkatraman, IT-enabled business transformation: from automation to business scope redefinition, Sloan Management Review, 1994, pp. 73–87.
[70] F. Wharton, Risk management: basic concepts and general principles, in: J. Ansell, F. Wharton (Eds.), Risk: Analysis, Assessment and Management, Wiley, London, 1992.
[71] C.S. Yap, C.P.P. Soh, K.S. Raman, International systems success factors for business, OMEGA International Journal of Management Sciences 5 (6), 1992, pp. 597–609.
[72] R.K. Yin, Case Study Research: Design and Methods, vol. 5, Sage, Newbury Park, CA, 1989.
[73] E.J. Zajac, S.M. Shortell, Changing generic strategies: likelihood, direction, and performance implications, Strategic Management Journal 10, 1989, pp. 413–430.
Andrew G. Kotulic is an Assistant Professor of Information Architecture and Knowledge Management in the Department of Management and Information Systems at the College of Business Administration, Kent State University. He received his PhD from the University of Texas at Arlington. He worked in industry for major corporations such as Motorola, Northrop Grumman and Sara Lee before entering academia. His research interests include information security, privacy and information warfare. His research has been published in the Journal of Management and several conference proceedings.

Jan Guynes Clark is Professor of Information Systems at The University of Texas at San Antonio. She received her PhD from the University of North Texas. Her research interests include information security, telecommunications in a global environment, and IS strategies. Her publications have appeared in leading journals such as Communications of the ACM, Data Base, IEEE Transactions on Engineering Management, and Information & Management.