
Strategic Planning for IS Security: Designing Objectives

Conference paper, in: Designing for a Digital and Globalized World (DESRIST 2018)

Abstract

Management of information systems (IS) security in organizations has been hampered by the apparent absence of organizational security objectives from the traditional strategic planning process. To improve IS security strategic planning, we argue that there should be a renewed emphasis on security planning objectives. In this paper we present two sets of objectives – fundamental objectives and means objectives. We then define an evaluation mechanism for assessing the security posture of a firm. Based on case work in healthcare, we illustrate the usefulness of the security evaluation method for designing enterprise security.



Author information

Corresponding author: Gurpreet Dhillon

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature


Cite this paper

Dhillon, G., Torkzadeh, G., Chang, J. (2018). Strategic Planning for IS Security: Designing Objectives. In: Chatterjee, S., Dutta, K., Sundarraj, R. (eds.) Designing for a Digital and Globalized World. DESRIST 2018. Lecture Notes in Computer Science, vol. 10844. Springer, Cham. https://doi.org/10.1007/978-3-319-91800-6_19

  • DOI: https://doi.org/10.1007/978-3-319-91800-6_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-91799-3

  • Online ISBN: 978-3-319-91800-6

  • eBook Packages: Computer Science, Computer Science (R0)