Fundamental assumptions and premises distinguish the prevalent thinking in business information systems security from that in information warfare. An analysis of these two paradigms may lead to improved management of information security activities. The business paradigm assumes that risks are predictable, measurable and persistent. It assumes a static relationship with safeguards and a causal structure based on variance. It draws its principles from probability theory, its strategy from quality improvement, and its organizational learning from exploitation. The warfare paradigm assumes that risks are unpredictable, not measurable, and transient. It assumes a dynamic relationship with safeguards and a causal structure based on process. It draws its principles from possibility theory, its strategy from agility theory, and its organizational learning from exploration. The shifting context of many organizations promises to increase the presence of the warfare paradigm as balanced against the business paradigm. This shift means that assumptions about the transience of risk, unpredictability of risks, and the consequential emergence of safeguards will grow. An increasing belief that the essential causal structure of security is based on process will lead to a greater perception that security events are more important than static threats; and security failures are a process failure rather than a simple failure of a security safeguard. This shift may lead to increasing use of possibility theory, agility strategies, and exploitative learning strategies.

Alger, J. (1996). Introduction. Information warfare. Cyberterrorism: Protecting your personal security in the electronic age. W. Schwartau (Ed.), 2nd ed., pp. 8-14. New York: Thunder’s Mouth Press.

Baskerville, R. (1991a). “Risk analysis as a source of professional knowledge”. Computers & Security, 10(8), 749-764.

Baskerville, R. (1991b). “Risk analysis: an interpretive feasibility tool in justifying information systems security”. European Journal of Information Systems, 1(2), 121-130.

Baskerville, R. (2004). Information Warfare Action Plans for e-Business. Paper presented at the The 3rd European Conference on Information Warfare and Security, Royal Holloway, University of London, UK, 28-29 June

Baskerville, R., Levine, L., Pries-Heje, J., Ramesh, B., & Slaughter, S. (2001). “How Internet Software Companies Negotiate Quality”. IEEE Computer, 34(5), 51-57.

Baskerville, R. and Portougal, V. (2003). “A Possibility Theory Framework for Security Evaluation in National Infrastructure Protection”. Journal of Database Management, 14(2), 1-13.

Berkowitz, B. (2001). “Information Warfare: Time to Prepare”. Issues in Science and Technology, Winter 2000-2001, 37-44.

Berkowitz, B. (2003). The New Face of War: How War Will Be Fought in the 21st Century. New York: The Free Press.

Bhalla, N. (2003). “Is the mouse click mighty enough to bring society to its knees?” Computers & Security, 22(4), 322-336.

Cooke, P. (2002). Knowledge economies: clusters, learning and cooperative advantage. London ; New York: Routledge.

Cronin, B. and Crawford, H. (1999). “Information Warfare: Its Application in Military and Civilian Contexts”. The Information Society, 15, 257-263.

Delibasis, D. (2002). “The right of states to use force in cyberspace: Defining the rules of engagement”. Information & Communication Technology Law, 11(3), 255-268.

Deming, W. E. (1982). Out of the Crisis. Cambridge, Mass.: MIT Center for Advanced Engineering Study.

Denning, D. E. (1999). Information Warfare and Security. Reading Mass: Addison-Wesley.

Furnell, S. M. and Warren, M. J. (1999). “Computer Hacking and Cyber Terrorism: The Real Threats in the New Millennium?” Computers & Security, 18(1), 28-34.

Hall, W. M. (2003). Stray Voltage: War in the Information Age. Annapolis, Maryland: Naval Institute Press.

Hoffman, L., Michelman, E., and Clements, D. (1978). SECURATE – Security evaluation and analysis using fuzzy metrics, AFIPS National Computer Conference Proceedings. Vol. 47, pp. 531-540.

Huhtinen, A., and Rantapelkonen, J. (2002). Imagewars: Beyond the Mask of Information Warfare. Saarijärvi, Finland: Marshal of Finland Mannerheim’s War Studies Fund.

ISO. (2004). Quality Management Principles. International Organization for Standardization. Retrieved 9 Sep, 2004, from the World Wide Web: http://www.iso.org/iso/en/iso9000-14000/iso9000/qmp.html

ISO/IEC. (2000). ISO/IEC 17799: Information technology — Code of practice for information security management (International Standard ISO/IEC 17799:2000(E)). Geneva: International Standards Organization.

Jones, A., Kovacich, G. L. and Luzwick, P. G. (2002). “Everything you wanted to know about information warfare but were afraid to ask”. Part 1. Information Systems Security, 11(4), 9-20.

Juran, J. M. and Godfrey, A. B. (Eds.). (1998). Juran’s Quality Handbook 5th Edition. New York: McGraw-Hill.

Kovacich, G. L., Jones, A. and Luzwick, P. G. (2002). “Global information warfare: How businesses, governments, and others achieve objectives and attain competitive advantages”. Security Management Practices, 11(5), 15-23.

Levinthal, D. A. and March, J. G. (1993). “The myopia of learning”. Strategic Management Journal, 14, 95-112.

March, J. G. (1991). “Exploration and Exploitation in Organizational Learning”. Organization Science, 2(1), 71-87.

Markus, L. and Robey, D. (1988). “Information technology and organizational change: Causal structure in theory and research”. Management Science, 34(5), 583-598.

Mohr, L. B. (1982). Explaining Organizational Behavior. San Francisco: Jossey-Bass.

Osborne, W. B., Bethel, S. A., Chew, N. R., Nostrand, P. M. and Whitehead, Y. G. (1996, August). Information Operations: A New War-Fighting Capability [Report]. Air Force 2025. Retrieved December 5, 2004, from the World Wide Web: http://www.au.af.mil/au/2025/volume3/chap02/v3c2-1.htm

Ozier, W. (1989). “Risk quantification problems and Bayesian Decision Support System solutions”. Information Age, 11(4), 229-234.

Pande, P. S., Neuman, R. P. and Cavanagh, R. R. (2000). The Six Sigma Way: How GE, Motorola, and Other Top Companies Are Honing Their Performance. New York: McGraw-Hill.

Siponen, M., Baskerville, R. and Kuivalainena, T. (2005). Integrating Security into Agile Development Methods. Paper presented at the Hawaii International Conference on System Sciences, January 3-6. Big Island, Hawaii.

The President’s Commission on Critical Infrastructure Protection. (1997). Critical Foundations Protecting America’s Infrastructures (Commission Report). Washington, D.C.>

Vatis, M. A. (2001, September 22). Cyber Attacks During The War on Terrorism: A Predictive Analysis [White Paper]. Institute for Security Technology Studies at Dartmouth College. Retrieved Dec. 6, 2004, from the World Wide Web: http://www.ists.dartmouth.edu/library/analysis/cyber_a1.pdf

Verton, D. (2003). “Blaster worm linked to severity of blackout”. Computerworld, 37(35), 1,4.

Zviran, M., Hoge, J. and Micucci, V. (1990). “SPAN — a DSS for security plan analysis”. Computers & Security, 9(2), 153-160.