You are here: Home Contents V10 N1 V10N1_Schuessler.html
Personal tools

Systems Security Effectiveness in Large versus Small Businesses



Full text

Journal of Information Systems Security
Volume 10, Number 1 (2014)
Pages 339
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Joseph H. Schuessler — Tarleton State University, USA
John Windsor — The University of North Texas, USA
Yu “Andy” Wu — The University of North Texas, USA
Information Institute Publishing, Washington DC, USA




The growing importance of Information Systems Security (ISS) for organizations hasoccurred for numerous reasons. However, despite ISS being largely a managerialissue, managerial concern for ISS is still inadequate, as evidenced by its generally low ranking as a key issue in information systems management surveys.

This research seeks to shed light on ISS by conceptualizing an organization’s use ofcountermeasures using the Security Action Cycle, positioning a non-recursiverelationship between threats and countermeasures, and by extending the ISSconstruct developed by Kankanhalli, Teo, Tan & Wei (2003). Industry affiliation andorganizational size are considered in terms of the differences in threats that firmsface, the different countermeasures in use by various firms, and ultimately, how afirm’s ISS effectiveness is affected. Results and implications for researchers andpractitioners are discussed.




Security Action Cycle, Information Systems Security, Deterrence Theory, Security Effectiveness




Abu-Musa, A. (2004), “Auditing E-Business: New Challenges for External Auditors”, Journal ofAmerican Academy of Business, 4(1/2), pp. 28-42.

Armstrong, J. and Overton, T. (1977), “Estimating Nonresponse Bias in Mail Surveys”, Journalof Marketing Research, 14(3), pp. 396-402.

August, T. and Tunca, T. (2006), “Network Software Security and User Incentives”,Management Science, 52(11), pp. 1703-1720.

Bagozzi, P. (1980), Causal Methods in Marketing, New York, NY: John Wiley & Sons.

Barsanti, C. (1999), “Modern Network Complexity Needs Comprehensive Security”, Security,36(7), pp. 65-68.

Blumstein, A. (1978), “Introduction”. in A. Blumstein, J. Cohen and D. Nagin (eds.) Deterrenceand Incapacitation: Estimating the Effects of Criminal Sanctions on Crime Rates, Washington, DC:National Academy of Sciences.

Brancheau, J., Janz, B., and Wetherbe, J. (1996), “Key Issues in Information SystemsManagement: 1994-95 SIM Delphi Results”, Management Information Systems Quarterly, 20(2),pp. 225-242.

Burns, N. and Grove, S. (2004), The Practice of Nursing Research: Conduct, Critique & Utilization(5th ed.), Philadelphia, PA: Elsevier: Saunders.

Cheng, H., Sims, R., and Teegen, H. (1997), “To Purchase or to Pirate Software: An EmpiricalStudy”, Journal of Management Information Systems, 13(4), pp. 49-60.

Chin, W., Marcolin, B., and Newsted, P. (2003), “A Partial Least Squares Latent VariableModeling Approach for Measuring Interaction Effects: Results from a Monte Carlo SimulationStudy and an Electronic-Mail Emotion / Adoption Study”, Information Systems Research, 14(2),pp. 189-217.

Cresswell, J. (1994), Research Design: Qualitative and Quantitative Approaches. London: Sage.

D’Arcy, J. and Heratch, T. (2011), “A Review and Analysis of Deterrence Theory in the ISSecurity Literature: Making Sense of the Disparate Findings”, European Journal of InformationSystems, 20, pp. 643-658.

D’Arcy, J. and Hovav, A. (2009), “Does One Size Fit All? Examining the Differential Effects ofIS Security Countermeasures”, Journal of Business Ethics”, 89, pp. 59-71.

D’Arcy, J. and Hovav, A. (2007), “Deterring Internal Information System Misuse”,Communications of the ACM, 50(10), pp. 113-117.

D’Arcy, J. and Hovav, A. (2004), The Role of Individual Characteristics on the Effectiveness of ISSecurity Countermeasures, Paper presented at the Proceedings of the Tenth Annual AmericasConference on Information Systems, New York, NY.

D’Arcy, J., Hovav, A., and Dennis, A. (2009), “User Awareness of Security Countermeasuresand Its Impact on Information Systems Misuse: A Deterrence Approach”, Information SystemsResearch, 20(1), pp. 79-98.

Dhillon, G. and Backhouse, J. (2000), “Information System Security Management in the NewMillennium”, Communications of the ACM, 43(7), pp. 125-128.

Ernst & Young, (2011), 2011 Global Information Security Survey, Ernst & Young Global Limited.

Goodhue, D. and Straub, D. (1991), “Security Concerns of System Users: A Study ofPerceptions of the Adequacy of Security”. Information & Management, 20(1), pp. 13-27.

Gopal, R. and Sanders, G. (1997), “Preventive and Deterrent Controls for Software Piracy”,Journal of Management Information Systems, 13(4), pp. 29-48.

Gefen, D., Straub, D.W., and Boudreau, M.C. Structural equation modeling and regression:Guidelines for research practice. Communications of the AIS, 7(7), 1-78.

Hair, J.F., Anderson, R., Tatham, R., and Black, W. (1998), Multivariate Data Analysis (5th ed.),Patparganj, Delhi, India: Pearson Education, Inc.

Hair, J.F., Hult, G.T.M., Ringle, C.M., and Sarstedt, M. (2014), A Primer on Partial Least SquaresStructural Equation Modeling (PLS-SEM), Thousand Oaks, CA: Sage.

Hair, J.F., Ringle, C.M., and Sarstedt, M. (2011), PLS-SEM: Indeed a silver bullet, Journal ofMarketing Theory and Practice, 19(2), 139-151.

Hill, S. and Smith, M. (1995), “Risk Management & Corporate Security: A Viable Leadershipand Business Solution Designed to Enhance Corporations in the Emerging Marketplace”,Computers & Security, 14(3), pp. 199-204.

Hitchings, J. (1995), “Deficiencies of the Traditional Approach to Information Security andthe Requirements for a New Methodology”, Computers & Security, 14(5), pp. 377-383.

Hoffer, J. and Straub, D. (1989), “The 9 To 5 Underground: Are You Policing ComputerCrimes?”, Sloan Management Review, 30(4), pp. 35-43.

Livari, J. (1989), “Levels of Abstraction as a Conceptual Framework for an InformationSystem” in E. D. Falkenberg & P. Lindgreen (eds.) Information System Concepts: An In-DepthAnalysis, Amsterdam: North-Holland.

Kankanhalli, A., Teo, H., Tan, B., and Wei, K. (2003), “An Integrative Study of InformationSystems Security Effectiveness”, International Journal of Information Management, 23(2), pp.139-154.

Keller, S., Powell, A., Horstmann, B., Predmore, C., and Crawford, M. (2005), “InformationSecurity Threats and Practices in Small Businesses”, Information Systems Management 22(2),pp. 7-19.

Kock, N. and Lynn, G.S. (2012), “Lateral Collinearity and Misleading Results in Variance-Based SEM: An Illustration and Recommendations”, Journal of the Association for InformationSystems, 13(7), pp. 546-580.

Kohlberg, L. and Hersh, R. (1977), “Moral Development: A Review of the Theory”, TheoryInto Practice, 16(0), pp. 53-59.

Kotulic, A. and Clark, J. (2004), “Why There Aren't More Information Security ResearchStudies”, Information & Management, 41(5), pp. 597-607.

Loch, K., Carr, H., and Warkentin, M. (1992), “Threats to Information Systems: Today'sReality, Yesterday's Understanding”, MIS Quarterly, 16(2), pp. 173-186.

Luftman, J. and Kempaiah, R. (2008), “Key Issues for IT Executives 2007”, ManagementInformation Systems Quarterly Executive, 7(2), pp. 99-112.

Luftman, J., Kempaiah, R., and Rigoni, E. (2009), “Key Issues for IT Executives 2008”,Management Information Systems Quarterly Executive, 8(3), pp. 151-159.

Luftman, J. and Ben-Zvi, T. (2010), “Key Issues for IT Executives 2009: Difficult Economy’sImpact on IT”, Management Information Systems Quarterly Executive, 9(1), pp. 49-59.

Luftman, J. and Ben-Zvi, T. (2010), “Key Issues for IT Executives 2010: Judicious ITInvestments Continue Post-Recession”, Management Information Systems Quarterly Executive,9(4), pp.

Madnick, S. (1978), “Management Policies and Procedures Needed for Effective ComputerSecurity” , Sloan Management Review, 20(1), pp. 61-74.

Mangione, T. (1995), Mail Surveys: Improving the Quality, Thousand Oaks, CA: SagePublications.

Menn, J. (2010), Fatal Systems Error: The Hunt for the New Crime Lords Who are Bringing Downthe Internet (1 st Ed.) New York, NY: PublicAffairs.

Nance, W. and Straub, D. (1988), An Investigation into the use and Usefulness of SecuritySoftware in Detecting Computer Abuse, Paper presented at the Proceedings of the Ninth AnnualConference on Information Systems, Minneapolis, MN.

Nolan, R. (1973), “Managing the Computer Resource: A Stage Hypothesis” Communications ofthe ACM, 16(7), pp. 399-405.

Nunnally, J. (1978), Psychometric Theory (2 nd ed.) New York, NY: Mcgraw-Hill College.

Paswan, A., Dant, R., and Lumpkin, J. (1998), An Empirical Investigation of the LinkagesAmong Relationalism, Environmental Uncertainty, and Bureaucratization, Journal of BusinessResearch, 43, pp. 125-140.

Pearson, F. and Weiner, W. (1985), “Toward an Integration of Criminological Theories”,Journal of Crime and Criminology, 76(1), pp. 116-150.

Peters, S. (2009), “14th Annual CSI Computer Crime and Security Survey ExecutiveSummary”, CSI Computer Crime and Security Survey, Computer Security Institute.

Phelps, D. (2005), ‘Information Systems Security: Self-Efficacy and Security Effectiveness inFlorida Libraries’. (Doctoral dissertation, Florida State University, 2005), Dissertation AbstractsInternational.

Pimchangthong, D., Plaisent, M., and Bernard, P. (2003), “Key Issues in Information SystemsManagement: A Comparative Study of Academics and Practitioners in Thailand”, Journal ofGlobal Information Technology Management, 6(4), pp. 27-44.

Podsakoff, P., MacKenzie, S., Lee, J., and Podsakoff, N. (2003), “Common Method Biases inBehavioral Research: A Critical Review of the Literature and Recommended Remedies”,Journal of Applied Psychology, 88(5), pp. 879-903.

Podsakoff, P. and Organ, D. (1986), “Self-Reports in Organizational Research: Problems andProspects”, Journal of Management, 12(4), pp. 531-544.

Post, G. and Kagan, A. (2000), “Management Tradeoffs in Anti-Virus Strategies”, Information& Management, 37(1), pp. 13-24.

Premkumar, G. and King, W. (1994), “Organizational Characteristics and InformationSystems Planning: An Empirical Study”, Information Systems Research, 5(2), pp. 75-109.

Randall, W. (2007), ‘An Empirical Examination of Service Dominant Logic: The Theory of theNetwork’. Marketing Department. College of Business, University of North Texas,Unpublished PhD Thesis.

Ringle, C., Wende, S., and Will, A. (2005), “SmartPLS (Version 2.0 (beta))”. Hamburg,Germany.

Schneier, B. (2004), Secrets and Lies: Digital Security in a Networked World. Indianapolis, Indiana:Wiley Publishing, Inc.

Schultz, E. (2004), “Security Training and Awareness - Fitting a Square Peg in a Round Hole”,Computers & Security, 23(1), pp. 1-2.

Sharp, J. (2008), “Globally Distributed Agile Teams: An Exploratory Study of the DimensionsContributing to Successful Team Configuration” (Doctoral dissertation, University of NorthTexas, 2008), Dissertation Abstracts International.

Siponen, M., Baskerville, R., and Heikka, J. (2006), “A Design Theory for Secure InformationSystems Design Methods”, Journal of the Association for Information Systems, 7(11), pp. 725-770.

Siponen, M. and Willison, R. (2009), “Information Security Management Standards: Problemsand Solutions”, Information & Management, 46, pp. 267-270.

Stephens, D. (2003), “Protecting Records in the Face of Chaos”, Information ManagementJournal, 37(1), pp. 33-40.

Straub, D. (1990), “Effective IS Security: An Empirical Study”, Information Systems Research,1(3), pp. 255-276.

Straub, D. (1986), “Computer Abuse and Computer Security: Update on an Empirical Study”,Security, Audit, and Control Review, 4(2), pp. 21-31.

Straub, D. and Nance, W. (1990), “Discovering and Disciplining Computer Abuse inOrganizations: A Field Study”, Management Information Systems Quarterly, 14(1), pp. 45-62.

Straub, D. and Welke, R. (1998), “Coping with Systems Risk: Security Planning Models forManagement Decision Making”, Management Information Systems Quarterly, 22(4), pp. 441-469.

Thong, J., Yap, C., and Raman, K. (1996), “Top Management Support, External Expertise andInformation Systems Implementation in Small Businesses”, Information Systems Research, 7(2),pp. 248-267.

Whitman, M. (2004), “In Defense of the Realm: Understanding the Threats to InformationSecurity”, International Journal of Information Management, 24(1), pp. 43-57.

Willison, R. (2009), “Motivations for Employee Computer Crime: Understanding andAddressing Workplace Disgruntlement through the Application of Organisational Justice(Working Paper No. 1). Retrieved from OpenArchive@CBS website:

Yeh, Q. and Chang, A. (2007), “Threats and Countermeasures for Information SystemSecurity: A Cross-Industry Study”, Information & Management, 44, pp. 480-491.

Young, R.F. (2008). ‘Defining the Information Security Posture: An Empirical Examination ofStructure, Integration, and Managerial Effectiveness’. Information Technology and DecisionSciences Department. College of Business, University of North Texas, Unpublished PhDThesis.