You are here: Home Contents V2 N3 V2N3_McFadzean.html
Personal tools

Anchoring Information Security Governance Research: Sociological Groundings and Future Directions



Full text

Journal of Information Systems Security
Volume 2, Number 3 (2006)
Pages 348
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Elspeth McFadzean — Henley Management College, UK
Jean-Noël Ezingeard — Henley Management College, UK
David Birchall — Henley Management College, UK
Information Institute Publishing, Washington DC, USA




An important aspect of management is to ensure the security of both the IT infrastructure and all the valuable information contained within the organisation. Keeping, information safe and secure is a key necessity for present day managers. The board of directors are ultimately accountable for their organisation’s success. It is therefore imperative that its members take responsibility for the protection of their company’s information. There has been a lot of research undertaken on information security but very little has been carried out on information security governance. This paper explores and critiques the literature on both information security and information security governance. In order to investigate these areas effectively, it is important to classify the different theories and to trace their intellectual origins. This paper uses Burrell and Morgan’s four sociological paradigms to explore the literature. These paradigms are functionalism, interpretivism, radical humanism and radical structuralism. The paper presents potential further research that may be carried out within all four paradigms. It shows that the majority of information security and information security governance research has been undertaken from the conventional functionalist paradigm. In order to gain a wider and more creative perspective it is recommended that more research should be carried out on these two areas from the other three perspectives thereby placing an emphasis on the human and organisational aspects.




Information Security, Governance, Sociological Paradigms, Future Research




Abdul-Gader, A. H. and Kozar, K. A. (1995), “The Impact of Computer Alienation on Information Technology Investment Decisions: An Exploratory Cross-National Analysis,” MIS Quarterly, 19 (4), 535-559.

Abouzakhar, N. S. and Manson, G. A. (2002), “An Intelligent Approach to Prevent Distributed Systems Attack,” Information Management & Computer Security, 10 (5), 203-209.

Aldrich, H. E. (1992), ‘Incommensurable Paradigms? Vital Signs from Three Perspectives’ in Rethinking Organization, eds. M. Hughes and M. Reed, Sage, London.

Allen, D. and Wilson, T. (2003), “Vertical Trust/Mistrust During Information Strategy Formation,” International Journal of Information Management, 23, 223-237.

Angell, I. O. (1990), “Systems Thinking about Information Systems and Strategies,” Journal of Information Technology, 5 (3), 168-174.

Angell, I. O. (1996), “Economic Crime: Beyond Good and Evil,” Journal of Financial Regulation and Compliance, 4 (1), 9-14.

Angell, I. O. (2000), The New Barbarian Manifesto: How to Survive the Information Age, Kogan Page, London.

Austin, R. D. and Darby, C. A. (2003), “The Myth of Secure Computing,” Harvard Business Review, 81 (6), 120-126.

Avgerou, C. and Madon, S. (2004), ‘Framing IS Studies: Understanding the Social Context of IS Innovation’ in The Social Study of Information and Communication Technology, eds. C. Avgerou, C. Ciborra and F. Land, Oxford University Press, Oxford.

Backhouse, J. and Dhillon, G. (1996), “Structures of Responsibility and Security of Information Systems,” European Journal of Information Systems, 5, 2-9.

Bainbridge, S. M. (2002), “Why a Board? Group Decisionmaking in Corporate Governance,” Vanderbilt Law Review, 55 (1), 1-55.

Ball, R. A. (1979), “The Dialectical Method: Its Application to Social Theory,” Social Forces, 57 (3), 785-798.

Baskerville, R. (1991), “Risk Analysis: An Interpretive Feasibility Tool in Justifying Information Systems Security,” European Journal of Information Systems, 1 (2), 121-130.

Baskerville, R. (1993), “Information Systems Security Design Methods: Implications for Information Systems Development,” ACM Computing Surveys, 25 (4), 375-414.

Baskerville, R. and Siponen, M. (2002), “An Information Security Meta-Policy for Emergent Organizations,” Logistics Information Management, 15 (5/6), 337-346.

Baysinger, B. and Hoskisson, R. E. (1990), “The Composition of Boards of Directors and Strategic Control: Effects on Corporate Strategy,” Academy of Management Review, 15 (1), 72-87.

Beatson, J. G. (1991), ‘Security - A Personnel Issue: The Importance of Personnel Attitudes and Security Education’ in Computer Security and Information Integrity, eds. K. Dittrich, S. Rautakivi and J. Saari, Elsevier Science Publishers, Amsterdam, 29-38.

Beck, U. (1992), Risk Society, Sage Publishers, London.

Belanger, F., Hiller, J. S. and Smith, W. J. (2002), “Trustworthiness in Electronic Commerce: The Role of Privacy, Security, and Site Attributes,” Journal of Strategic Information Systems, 11, 245-270.

Bell, D. and La Padula, L. (1976), Secure Computer Systems: Unified Exposition and Multics Interpretation, MITRE Corporation, Bedford.

Bigley, G. A. and Pearce, J. L. (1998), “Straining for Shared Meaning in Organization Science: Problems of Trust and Distrust,” Academy of Management Review, 23 (3), 405-422.

Birch, G. D. W. and McEvoy, N. A. (1992), “Risk Analysis for Information Systems,” Journal of Information Technology, 7, 44-53.

Birchall, D., Ezingeard, J.-N. and McFadzean, E. S. (2003), Information Security: Setting the Boardroom Agenda, Grist Ltd, London.

Boockholdt, J. L. (1987), “Security and Integrity Controls for Microcomputers: A Summary Analysis,” Information and Management, 13, 33-41.

Boockholdt, J. L. (1989), “Implementing Security and Integrity in Micro-Mainframe Networks,” MIS Quarterly, 13 (2), 135-144.

Bresser, R. K. and Bishop, R. C. (1983), “Dysfunctional Effects of Formal Planning: Two Theoretical Explanations,” Academy of Management Review, 8 (4), 588-599.

Brooks, W. J., Warren, M. J. and Hutchinson, W. (2002), “A Security Evaluation Criteria,” Logistics Information Management, 15 (5/6), 377-384.

BSI (2000), “IT Baseline Protection Manual,” Federal Agency for Security in Information Technology, Bonn. Accessed on 10th December 2003 from

Burrell, G. and Morgan, G. (1979), Sociological Paradigms and Organizational Analysis, Ashgate, Aldershot, Hants.

Carpenter, M. A. and Westphal, J. D. (2001), “The Strategic Context of External Network Ties: Examining the Impact of Director Appointments on Board Involvement in Strategic Decision Making,” Academy of Management Journal, 4 (4), 639-660.

Chan, Y. E., Huff, S. L., Barclay, D. W. and Copeland, D. G. (1997), “Business Strategic Orientation, Information Systems Strategic Orientation, and Strategic Alignment,” Information Systems Research, 8 (2), 125-150.

Chan, Y. E. (2002), “Why Haven’t We Mastered Alignment? The Importance of the Informal Organization Structure,” MIS Quarterly Executive, 1 (2), 97-112.

Chokhani, S. (1992), “Trusted Products Evaluation,” Communications of the ACM, 35 (7), 64-76.

Chua, W. F. (1986), “Radical Developments in Accounting Thought,” Accounting Review, 61 (4), 601-632.

Clements, D. P. (1977), “Fuzzy Ratings for Computer Security Evaluation,” PhD Dissertation, University of California, Berkeley.

Coleman, J. (1990), Foundations of Social Theory, Harvard University Press, Cambridge, MA.

Computer Security Institute (2003), “CSI/FBI Computer Crime and Security Survey,” Article Retrieved 16th September 2003 from

Courtney, R. (1977), ‘Security Risk Assessment in Electronic Data Processing Systems,’ AFIPS National Conference Proceedings, 97-104.

Cross, S. R. (2004), “Corporate Governance, Information Technology and the Electronic Company in the United Kingdom,” Information & Communications Technology Law, 13 (2), 117-128.

Cutting, B. and Kouzmin, A. (2002), “Evaluating Corporate Board Cultures and Decision Making,” Corporate Governance, 2 (2), 27-45.

Daily, C. M., Dalton, D. R. and Cannella, A. A. (2003), “Corporate Governance: Decades of Dialogue and Data,” Academy of Management Review, 28 (3), 371-382.

Damianides, M. (2005), “Sarbanes-Oxley and IT Governance: New Guidance on IT Control and Compliance,” Information Systems Management, 22 (1), 77-85.

Deetz, S. (1996), “Describing Differences in Approaches to Organization Science: Rethinking Burrell and Morgan and Their Legacy,” Organization Science: A Journal of the Institute of Management Sciences, 7 (2), 191.

Deloitte Touche Tohmatsu (2003), “Global Security Survey,” Article Retrieved 16th May, 2003 from

Deutsch, Y. and Ross, T. W. (2003), “You are Known by the Directors you keep: Reputable Directors as a Signaling Mechanism for Young Firms,” Management Science, 49 (8), 1003-1017.

Dhillon, G. and Backhouse, J. (2001), “Current Directions in IS Security Research: Towards Socio-Organizational Perspectives,” Information Systems Journal, 11 (2), 127-153.

Dhillon, G. S. (1995), “Interpreting the Management of Information Systems Security,” Doctoral Dissertation, London School of Economics and Political Science, London.

Dirsmith, M. W., Covaleski, M. A. and McAllister, J. P. (1985), “Of Paradigms and Metaphors in Auditing Thought,” Contemporary Accounting Research, 2 (1), 46-68.

Dobson, J. (1991), ‘A Methodology for Analysing Human and Computer-Related Issues in Secure Systems’ in Computer Security and Information Integrity, eds. K. Dittrich, S. Rautakivi and J. Saari, Elsevier Science Publishers, Amsterdam, 151-170.

Doddrell, G. R. (1996), “Information Security and the Internet,” Internet Research: Electronic Networking Applications and Policy, 6 (1), 5-9.

Drazin, R., Glynn, M. A. and Kazanjian, R. K. (1999), “Multilevel Theorizing About Creativity in Organizations: A Sensemaking Perspective,” Academy of Management Review, 24 (2), 286-307.

Dutta, A. and McCrohan, K. (2002), “Management’s Role in Information Security in a Cyber Economy,” California Management Review, 45 (1), 67-87.

Edwards, B. A. (2000), “Chief Executive Officer Behavior: The Catalyst for Strategic Alignment,” International Journal of Value-Based Management, 13 (1), 47-54.

Entrust (2004), “Information Security Governance (ISG): An Essential Element of Corporate Governance,” Accessed on 24th February 2005 from

Ernst & Young (2003), Global Information Security Survey 2003, Ernst & Young LLP, London.

Ezingeard, J.-N., McFadzean, E. S. and Birchall, D. (2003), “Board of Directors and Information Security: A Perception Grid,” British Academy of Management Conference, Harrogate, Yorkshire.

Ezingeard, J.-N., McFadzean, E. and Birchall, D. (2005), “A Model of Information Assurance Benefits,” Information Systems Management, 22 (2), 20-29.

Figg, J. (1999), “Survey Notes Global Information Security Trends,” Internal Auditor, 56 (4), 14-15.

Finkelstein, S. and Hambrick, D. C. (1996), Strategic Leadership: Top Executives and their Effects on Organizations, West Publishing Company, Minneapolis, MN.

Finne, T. (1996), “The Information Security Chain in a Company,” Computers & Security, 15 (4), 297-316.

Fisher, R. (1984), Information Systems Security, Prentice-Hall, Englewood Cliffs, New Jersey.

Foo, S., Leong, P. C., Hui, S. C. and Liu, S. (1999), “Security Considerations in the Delivery of Web-Based Applications: A Case Study,” Information Management & Computer Security, 7 (1), 40-49.

Ford, C. M. (1996), “A Theory of Individual Creative Action in Multiple Social Domains,” Academy of Management Review, 21 (4), 1112-1142.

Galal, G. H. (2001), “From Contexts to Constructs: The Use of Grounded Theory in Operationalising Contingent Process Models,” European Journal of Information Systems, 10 (1), 2-14.

Gambetta, D. (1998), Trust: Making and Breaking Cooperative Relations, Basil Blackwell, Cambridge, UK.

Goldspink, C. (2000), “Contrasting Linear and Nonlinear Perspectives in Contemporary Social Research,” Emergence, 2 (2), 72-101.

Goles, T. and Hirschheim, R. (2000), “The Paradigm is Dead, the Paradigm is Dead…Long Live the Paradigm: The Legacy of Burrell and Morgan,” Omega, 28 (3), 249-268.

Haberberg, A. and Rieple, A. (2001), The Strategic Management of Organisations, Prentice-Hall Inc., Hemel Hempstead, Hertfordshire.

Hassard, J. (1991), “Multiple Paradigms and Organizational Analysis: A Case Study,” Organization Studies, 12 (2), 275-299.

Henderson, J. C. and Venkatraman, H. (1999), “Strategic Alignment: Leveraging Information Technology for Transforming Organizations,” IBM Systems Journal, 38 (2/3), 472-484.

Higgs, D. (2003), Review of the Role and Effectiveness of Non-Executive Directors, Department of Trade and Industry, London, UK.

Hillman, A. J. and Dalziel, T. (2003), “Boards of Directors and Firm Performance: Integrating Agency and Resource Dependence Perspectives,” Academy of Management Review, 28 (3), 383-396.

Hirschheim, R. and Klein, H. K. (1989), “Four Paradigms of Information Systems Development” Communications of the ACM, Vol. 32, No. 10, pp. 1199-1215.

Hitchings, J. (1996), ‘A Practical Solution to the Complex Human Issues of Information Security Design’ in Information Systems Security: Facing the Information Society of the 21st Century, eds. S. K. Katsikas and D. Gritzalis, Chapman & Hall, London, 3-12.

Hopper, T. and Powell, A. (1985), “Making Sense of Research into the Organizational and Social Aspects of Management Accounting,” Journal of Management Studies, 22 (5), 429-465.

Hunt, E. K. (1979), “The Importance of Thorstein Veblen for Contemporary Marxism,” Journal of Economic Issues, 13 (1), 113-140.

ISO/IEC/JTC1 (1996/1997), Information Technology - Security Techniques - Guidelines for the Management of IT Security, ISO/IEC TR 13335.

IT Governance Institute (2004), “IT Control Objectives for Sarbanes-Oxley,” Accessed on 3rd March 2005 from

Jain, A., Hong, L. and Pankanti, S. (2000), “Biometric Identification,” Communications of the ACM, 43 (2), 90-98.

Jones, G. R. and George, J. M. (1998), “The Experience and Evolution of Trust: Implications for Cooperation and Teamwork,” Academy of Management Review, 23 (3), 531-546.

Judge, W. Q. and Zeithaml, C. P. (1992), “Institutional and Strategic Choice Perspectives on Board Involvement in the Strategic Decision Process,” Academy of Management Journal, 35 (4), 766-794.

Kankanhalli, A., Teo, H.-H., Tan, B. C. Y. and Wei, K.-K. (2003), “An Integrative Study of Information Systems Security Effectiveness,” International Journal of Information Management, 23, 139-154.

Kaplan, R. S. (2001), “Using Strategic Themes to Achieve Organizational Alignment,” Balanced Scorecard Report, Harvard Business School Publishing, Boston, MA.

Kipp, M. F., Hunter, R. and Aspinall, M. (2002), “Market Crossroads: Fertile Ground for Board Development,” Corporate Governance, 2 (2), 13-15.

Kokolakis, S. A., Demopoulos, A. J. and Kiountouzis, E. A. (2000), “The Use of Business Process Modelling in Information Systems Security Analysis and Design,” Information Management & Computer Security, 8 (3), 107-116.

Kolokotronis, N., Margaritis, C., Papadopoulou, P., Kanellis, P. and Martakos, D. (2002), “An Integrated Approach for Securing Electronic Transactions over the Web,” Benchmarking, 9 (2), 166-181.

Korac-Kakabadse, N. and Kakabadse, A. (2001), “IS/IT Governance: Need for an Integrated Model,” Corporate Governance, 1 (4), 9-11.

Korukonda, A. R. and Hunt, J. G. (1991), “Premisses and Paradigms in Leadership Research,” Journal of Organizational Change Management, 4 (2), 19-33.

Koskosas, I. and Paul, R. (2003), ‘A Socio-Organizational Approach to Information Systems Security Risks,’ Proceedings of the 2nd European Conference on Information Warfare and Security, University of Reading, UK, 175-185.

Kuhn, T. A. (1970), The Structure of Scientific Revolutions, University of Chicago Press, Chicago.

Kuhn, T. A. (1974), ‘Second Thoughts on Paradigms’ in The Structure of Scientific Theories, ed. F. Suppe, University of Illinois Press, Urbana, Illinois.

Landwehr, C. E., Bull, A. R., McDermott, J. P. and Choi, W. S. (1994), “A Taxonomy of Computer Program Security Flaws,” ACM Computing Surveys, 26 (3), 211-254.

Lane, V. P. (1985), Security of Computer Based Information Systems, Macmillan, London.

Lashgari, M. (2004), “Corporate Governance: Theory and Practice,” Journal of American Academy of Business, 5 (1/2), 46-51.

Liebenau, J. and Backhouse, J. (1990), Understanding Information, Macmillan, London.

Lindup, K. (1996), “The Role of Information Security in Corporate Governance,” Computers & Security, 15 (6), 477-485.

Loch, K. D., Carr, H. H. and Warkentin, M. E. (1992), “Threats to Information Systems: Today’s Reality, Yesterday’s Understanding,” MIS Quarterly, 16 (2), 173-186.

Lohmeyer, D. F., McCrory, J. and Pogreb, S. (2002), “Managing Information Security,” McKinsey Quarterly, Special Edition, 12-15.

Luftman, J. and Brier, T. (1999), “Achieving and Sustaining Business-IT Alignment,” California Management Review, 42 (1), 109-122.

Lyle, D., Chan, Y. and Head, E. (1999), “Improving Information-Network Performance: Reliability Versus Invulnerability,” IIE Transactions, 31, 909-919.

Lyytinen, K. and Hirschheim, R. (1989), ‘Information Systems and Emancipation: Promise or Threat?’ in Systems Development for Human Progress, eds. H. K. Klein and K. Kumar, Elsevier Science Publishers, Amsterdam, 115-139.

Machan, T. R. and Hook, S. (1988), “Essentials of Marxist Philosophy and Political Economy,” International Journal of Social Economics, 15 (11/12), 3-131.

Mayer, R. C., Davis, J. H. and Schoorman, F. D. (1995), “An Integrative Model of Organisational Trust,” Academy of Management Review, 20 (3), 709-734.


McBride, N. and Wood-Harper, A. T. (2002), “Towards User-Oriented Control of End-User Computing in Large Organizations,” Journal of End User Computing, 14 (1), 33-41.

Miller, H. E. and Engemann, K. G. (1996), “A Methodology for Managing Information-Based Risk,” Information Resources Management Journal, 9 (2), 17-24.

Mingers, J. (2001), “Combining IS Research Methods: Towards a Pluralist Methodology,” Information Systems Research, 12 (3), 240-259.

Mingers, J. (2004), ‘Re-Establishing the Real: Critical Realism and Information Systems’ in Social Theory and Philosophy for Information Systems, eds. J. Mingers and L. Willcocks, John Wiley & Sons, Chichester, 372-406.

Mitchell, R. C., Marcella, R. and Baxter, G. (1999), “Corporate Information Security Management,” New Library World, 100 (1150), 213-227.

Moulton, R. and Coles, R. S. (2003), “Applying Information Security Governance,” Computers & Security, 22 (7), 580-584.

National Cyber Security Partnership Governance Task Force (2004), “Information Security Governance: A Call to Action,” National Cyber Security Partnership. Accessed on 24th February 2005 from

Ngwenyama, O. K. and Lee, A. S. (1997), “Communication Richness in Electronic Mail: Critical Social Theory and the Contextuality of Meaning,” MIS Quarterly, 21 (2), 45-167.

Nissen, H.-E. (1989), ‘ISD for Responsible Human Action’ in Systems Development for Human Progress, eds. H. K. Klein and K. Kumar, Elsevier Science Publishers, Amsterdam, 99-113.

Normann, R. (1971), “Organizational Innovativeness: Product Variation and Reorientation,” Administrative Science Quarterly, 16 (2), 203-215.

Oquist, P. (1978), “The Epistemology of Action Research,” Acta Sociologica, 21 (2), 143-163.

Orlikowski, W. J. and Barley, S. R. (2001), “Technology and Institutions: What can Research on Information Technology and Research on Organizations Learn from Each Other?” MIS Quarterly, 25 (2), 145-165.

Parker, D. (1981), Computer Security Management, Reston Publishing, Reston.

Parker, D. B. (1998), Fighting Computer Crime - A New Framework for Protecting Information, John Wiley & Sons, New York.

Parker, H. (1990), “The Company Chairman - His Role and Responsibilities,” Long Range Planning, 23 (4), 35-43.

Patel, N. V. (2002), “Emergent Forms of IT Governance to Support Global E-Business Models,” Journal of Information Technology Theory and Application, 4 (2), 33-48.

Peak, D. and Guynes, S. (2003), “The IT Alignment Planning Process,” Journal of Computer Information Systems, 44 (1), 9-15.

Peterson, R. (2004), “Crafting Information Technology Governance,” Information Systems Management, 21 (4), 7-22.

Plotkin, J. (2003), “Corporate Governance - The Impact on your IT Staff,” KVS inc. Accessed on 24th February 2005 from

Posthumus, S. and Von Solms, R. (2004), “A Framework for the Governance of Information Security,” Computers & Security, 23 (8), 638-646.

Rau, K. G. (2004), “Effective Governance of IT: Design Objectives, Roles, and Relationships,” Information Systems Management, 21 (4), 35-42.

Rees, J., Bandyopadhyay, S. and Spafford, E. H. (2003), “PFIRES: A Policy Framework for Information Security,” Communications of the ACM, 46 (7), 101-107.

Reich, B. H. and Benbasat, I. (2000), “Factors that Influence the Social Dimension of Alignment Between Business and Information Technology Objectives,” MIS Quarterly, 24 (1), 81-113.

Rickards, T. (1999), Creativity and the Management of Change, Blackwell Publishers, Oxford.

Rockart, J. F., Earl, M. J. and Ross, J. W. (1996), “Eight Imperatives for the New IT Organization,” Sloan Management Review, 38 (1), 43-55.

Sambamurthy, V. and Zmud, R. W. (1999), “Arrangements for Information Technology Governance: A Theory of Multiple Contingencies,” MIS Quarterly, 23 (2), 261-290.

Sanders, W. G. and Carpenter, M. A. (1998), “Internationalization and Firm Governance: The Roles of CEO Compensation, Top Team Composition, and Board Structure,” Academy of Management Journal, 41 (2), 158-178.

Schaffer, B. S. (2002), “Board Assessments of Managerial Performance: An Analysis of Attribution Processes,” Journal of Managerial Psychology, 17 (2), 95-115.

Schreyögg, G. and Steinmann, H. (1987), “Strategic Control: A New Perspective,” Academy of Management Review, 12 (1), 91-103.

Searle, J. R. (1969), Speech Acts: An Essay in the Philosophy of Language, Cambridge University Press, New York.

Seeman, M. (1975), ‘Alienation Studies’ in Annual Review of Sociology, ed. A. Inkeles, Palo Alto, CA.

Shankar, V., Urban, G. L. and Sultan, F. (2002), “Online Trust: A Stakeholder Perspective, Concepts, Implications, and Further Directions,” Journal of Strategic Information Systems, 11, 325-244.

Sharma, S. K. and Gupta, J. N. D. (2002), “Securing Information Infrastructure from Information Warfare,” Logistics Information Management, 15 (5/6), 414-422.

Shaver, K. G. (1985), The Attribution of Blame: Causality, Responsibility and Blameworthiness, Springer-Verlag, New York.

Sherwood, J. (1996), “SALSA: A Method for Developing the Enterprise Security Architecture and Strategy,” Computers & Security, 15 (6), 501-506.

Simons, R. (1991), “Strategic Orientation and Top Management Attention to Control Systems,” Strategic Management Journal, 12 (1), 49-62.

Siponen, M. T. (2001), ‘An Analysis if the Recent IS Security Development Approaches: Descriptive and Prescriptive Implications’ in Information Security Management: Global Challenges in the New Millennium, ed. G. Dhillon, Idea Group Publishing, Hershey.

Smaczny, T. (2001), “Is an Alignment between Business and Information Technology the Appropriate Paradigm to Manage IT in Today’s Organisations?” Management Decision, Vol. 39, No. 10, pp. 797-802.

Stiles, P. and Taylor, B. (2001), Boards at Work: How Directors View their Roles and Responsibilities, Oxford University Press, Oxford.

Straub, D. W. (1990), “Effective IS Security: An Empirical Study,” Information Systems Research, 1 (3), 255-276.

Straub, D. W. and Nance, W. D. (1990), “Discovering and Disciplining Computer Abuse in Organizations: A Field Study,” MIS Quarterly, 14 (1), 45-60.

Straub, D. W. and Welke, R. J. (1998), “Coping With Systems Risk: Security Planning Models for Management Decision Making,” MIS Quarterly, 22 (4), 441-469.

Taylor, B. (2001), “From Corporate Governance to Corporate Entrepreneurship,” Journal of Change Management, 2 (2), 128-147.

Thomson, K.-L. and Von Solms, R. (2003), “Integrating Information Security into Corporate Governance,” 18th International Federation for Information Processing (IFIP) International Information Security Conference, Athens, Greece.

Trauth, E. M. and Jessup, L. M. (2000), “Understanding Computer-Mediated Discussions: Positivist and Interpretive Analyses of Group Support System Use,” MIS Quarterly, 24 (1), 43-79.

Travis, R. (1986), “On Powerlessness and Meaninglessness,” The British Journal of Sociology, 37 (1), 61-73.

Truex, D. P., Baskerville, R. and Klein, H. (1999), “Growing Systems in Emergent Organizations,” Communications of the ACM, 42 (8), 117-123.

Tyre, M. J. and Hauptman, O. (1992), “Effectiveness of Organizational Responses to Technological Change in the Production Process,” Organization Science, 3 (3), 301-320.

Vermeulen, C. and Von Solms, R. (2002), “The Information Management Toolbox - Taking the Pain Out of Security Management,” Information Management & Computer Security, 10 (3), 119-125.

Von Solms, B. (2001a), “Information Security: A Multidimensional Discipline,” Computers & Security, 20 (6), 504-508.

Von Solms, B. (2001b), “Corporate Governance and Information Security,” Computers & Security, 20 (3), 215-218.

Von Solms, B. and Von Solms, R. (2004), “The 10 Deadly Sins of Information Security Management,” Computers & Security, 23 (5), 371-376.

Von Solms, R. (1996), “Information Security Management: The Second Generation,” Computers & Security, 15 (4), 281-288.

Von Solms, R. (1999), “Information Security Management: Why Standards Are Important,” Information Management & Computer Security, 7 (1), 50-57.

Ward, J. and Peppard, J. (2002), Strategic Planning for Information Systems, John Wiley & Sons Ltd., Baffins Lane, Chichester.

Ward, P. and Smith, C. L. (2002), “The Development of Access Control Policies for Information Technology Systems,” Computers & Security, 21 (4), 356-371.

Warman, A. R. (1992), “Organizational Computer Security Policy: The Reality,” European Journal of Information Systems, 1 (5), 305-310.

Webler, T., Rakel, H. and Ross, R. J. S. (1992), “A Critical Theoretical Look at Technical Risk Analysis,” Industrial Crisis Quarterly, 6, 23-38.

Whitley, E. A. and Pouloudi, A. (2001), “Studying the Translations of NHSnet,” Journal of End User Computing, 13 (3), 30-40.

Whitman, M. E. (2003), “Enemy at the Gate: Threats to Information Security,” Communications of the ACM, 46 (8), 91-95.

Willcocks, L. and Margetts, H. (1994), “Risk Assessment and Information Systems,” European Journal of Information Systems, 3 (2), 127-138.

Willmott, H. (1993), “Breaking the Paradigm Mentality,” Organization Studies, 14 (5), 681-719.