Abstract
Management of information systems (IS) security in organizations has been hampered by the apparent lack of inclusion of organizational security objectives in the traditional strategic planning process. In order to improve IS security strategic planning, we argue that there should be a renewed emphasis on security planning objectives. In this paper we present two sets of objectives – fundamental and means. We then define an evaluation mechanism for assessing the security posture of a firm. Based on case work in healthcare, we illustrate the usefulness of the security evaluation method for designing enterprise security.
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Dhillon, G., Torkzadeh, G., Chang, J. (2018). Strategic Planning for IS Security: Designing Objectives. In: Chatterjee, S., Dutta, K., Sundarraj, R. (eds) Designing for a Digital and Globalized World. DESRIST 2018. Lecture Notes in Computer Science, vol 10844. Springer, Cham. https://doi.org/10.1007/978-3-319-91800-6_19
DOI: https://doi.org/10.1007/978-3-319-91800-6_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-91799-3
Online ISBN: 978-3-319-91800-6
eBook Packages: Computer Science (R0)