You are here: Home Contents V3 N3 V3N3_Tryfonas.html
Personal tools

On Security Metaphors and How They Shape the Emerging Practice of Secure Information Systems Development



Full text

Journal of Information System Security
Volume 3, Number 3 (2007)
Pages 2150
ISSN 1551-0123
Theodore Tryfonas — University of Glamorgan, UK
Information Institute Publishing, Washington DC, USA




This paper revisits the roots of the emergent professional practice of developing secure information systems. A review of how security practice is advocated within the field of systems development reveals that the current practice is shaped, and thus biased, by an engineering perspective and the author argues that this has major implications in producing less secure systems. This observation raises the importance for the information security expert to develop a professional mindset capable of understanding different angles of the contemporary systems security field, both from an engineering and a holistic point of view. The author argues that there is a need to define the actions of the information security practitioner through ways that take into account social, organisational and political concerns as well as the security engineering perspective. To highlight this, we focus on the organisational aspects of information systems security and we use the concept of organisational metaphors to explore the multiple perceptions of information systems security that emerge through the organisational discourse on security and explore their implications for scholars and practitioners of the professional practice.




Security Perceptions, Organisational Discourse, Metaphor




Anderson, R.J. (2001), Security Engineering – A guide to building dependable distributed systems, Wiley.

Anderson, R.J. (1993) “Why cryptosystems fail”, Communications of the ACM, 37(11), pp. 32-44.

Backhouse, J. & Dhillon, G. (1996) “Structures of responsibilities and security of information systems”, European Journal of Information Systems, 5(1), pp. 2-10.

Barnard, L. & von Solms, R. (2000) “A Formalized Approach to the Effective Selection and Evaluation of Information Security Controls”, Computers & Security, 19(2), pp.185-194.

Baskerville, R. (1988) Designing Information Systems Security, Wiley.

Baskerville, R. (1993) “Information Systems Security Design Methods: Implications for Information Systems Development”, ACM Computing Surveys, 25(4), pp. 375-414.

BCS (2005) ‘British Computer Society survey of IT management issues’,, 1 June 2005.

Beer, S. (1984) “The viable system model: its provenance, development, methodology and pathology”, Journal of Operational Research Society, 35, pp. 7-26.

Bell, D.E. and LaPadula, L.J. (1973). Secure Computer Systems: Mathematical Foundations. MITRE Corporation.

Blatchford, C. (1998) “Computer Security Controls – Diffusion Into The Smaller Firm: Part 1”, Computer Fraud & Security, December Issue.

Blatchford, C. (1999) “Computer Security Controls – Diffusion Into The Smaller Firm: Part 2”, Computer Fraud & Security, January Issue.

Boland, R.J. (1989) ‘Metaphorical traps in developing information systems for human progress’, in Systems Development for Human Progress, Klein, H.K. and Kumar, K. (eds), pp.277-290, Elsevier Science Publishers.

Brownsword, L., Oberndorf, T. and Sledge, C.A. (2000) “Developing New Processes for COTS-Based Systems”, IEEE Software, July/August Issue, pp. 48-55.

BS (2000) Code of practice for Information Security Management, British Standardisation Institute.

BSI (2003) IT Baseline Protection Manual. Bundesamt fur Sicherheit in der Informationstechnik (Institute for Security in Information Technologies),, 1 May 2005.

Chadwick, D.W. and Basden, A. (2001) “Evaluating Trust in a Public Key Certification Authority”, Computers & Security, 20(7), pp. 592-611.

Checkland, P. (1981) Systems thinking, systems practice, Wiley.

Commission of the European Communities (1992) Amended proposal for a Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(92) 422 final, SYN 287, Brussels, October.

Computer Security Institute (2004) Issues and Trends: 2004 CSI/FBI Computer Crime and Security Survey, USA.

Computing (2005) ‘Institute for IT security to launch in January’,, 21 Sep 2005.

Corbato, F.J. (1991) “On Building Systems That Will Fail”, Communications of the ACM, 34(9), 72-81.

CRAMM (2005) CCTA Risk Analysis & Management Method v5.0,, 1 May 2005.

Culnan, M.J. (1993) “How did they get my name? An explanatory investigation of consumer attitudes toward secondary information use”, MIS Quarterly, 17(3), pp. 341-363.

Deloitte & Touche (2001), “Insurance/Financial Services Organisation Has Success with Security Policy/Management Case Example”,, 1 July 2004.

Dhillon, G. & Backhouse, J. (2001) “Current directions in IS security research: towards socio-organizational perspectives”, Information Systems Journal, 11, pp. 127–153.

Dhillon, G. & Moores, S. (2001) “Computer crimes: theorizing about the enemy within”, Computers & Security, 20(8), pp. 715-723.

Downs, E., Clare, P. and Coe, I. (1992) SSADM: Application and Context, Prentice Hall.

Ellison et al. (2002) “Foundations for Survivable Systems Engineering”, CROSSTALK The Journal of Defense Software Engineering, July issue, pp. 10-15.

Eloff, M., & Von Solms, B. (2000) ‘Information Security: Process Evaluation and Product Evaluation’, in Information Security for Global Information Infrastructures, Qing, S. and Eloff, J. (eds), pp. 11-19, Kluwer Academic Publishers.

Ernst & Young (2004) Annual Global Information Security Survey,, 1 May 05.

Evertsson, U., Orthberg, U. & Yngström, L. (2003) ‘Integrating Security into Systems Development’ in Security and Privacy in the Age of Uncertainty, Gritzalis, D. et al. (eds.), Kluwer Academic Publishers, 313-324.

Fillery, P. & Chantler A. (1994) ‘Is Lack of Serious Acceptance and Application of Software Quality Assurance Principles a Password to Information Security Problems?’, in Proceedings of IFIP/SEC94.

Finne, T. (1998) A conceptual framework for information security management. Computers & Security, 17, pp. 303-307.

Fitzgerald, B. (1998) “An empirical investigation into the adoption of systems development methodologies”, Information & Management, 34, pp. 317-328.

Frisinger, A. (2001) ‘Improving the Protection of Assets in Open Distributed Systems by Use of X-ifying Risk Analysis’, in Trusted Information: The new decade challenge, Dupuy, M. and Paradinas, P. (eds), pp. 293-303, Kluwer Academic Publishers.

Frisinger, A. & Yngström, L. (2000) ‘An approach to use knowledge about user’s security requirements in a risk analysis’, in IFIP/SEC 2000: Information Security, Qing, S. and Eloff, J. (eds), pp. 172-174, International Academic Publishers.

Frosdick, S. & Odell, A. (1996) “Practical management of programme risk: the case of the National Strategy for Police Information Systems for England and Wales”, Information Management & Computer Security, 4(5), pp. 24-33.

Hayam, A. & Oz, E. (1993) “Integrating Data Security into the Systems Development Life Cycle”, Journal of Systems Management, 8(44), pp. 16-20.

Henderson, S. & Snyder, C. (1999) “Personal information privacy: implications for MIS managers”, Information & Management, 36, pp. 213-220.

Hitchings, J. (1995a) “Deficiencies of the traditional approach to information security and the requirements for a new methodology”, Computers & Security, 14, pp. 377-383.

Hitchings, J. (1995b) ‘Achieving an Integrated Design: The Way Forward for Information Security’, in Information Security – the next decade, Ellof, J. and von Solms, S. (eds), pp. 369-383, Chapman & Hall.

Information Security Forum (2005), The Standard of Good Practice for Information Security, v4.1,

Irvine, C.E. et al. (2002) “An Approach to Security Requirements Engineering for a High Assurance System”, Requirements Engineering, 7, 192-206.

Jarvinen, P.H. (2000) ‘Research Questions Guiding Selection of an Appropriate Research Method’, in Proceedings of the 8th European Conference on Information Systems (ECIS), July 2-5, Vienna, Austria.

Karyda, M., Kokolakis, S. and Kiountouzis, E. (2001) ‘Redefining Information Systems Security: Viable Information Systems’, in Trusted Information: The new decade challenge, Dupuy, M. and Paradinas, P. (eds), pp. 453-467, Kluwer Academic Publishers.

Katsikas, S. (1995) ‘Risk Management in Information Systems’, in Information Security: Technical, Legal and Social Issues by Alexandris, Kiountouzis & Trapezanoglou, published by the Greek Computer Society.

Kephart, J.O. (1994) ‘A Biologically Inspired Immune System for Computers’, in Artificial life IV, Brooks, R. and Maes, P. (eds), MIT Press.

Kokolakis, S.A. & Kiountouzis, E.A. (2000) “Achieving Interoperability in a Multiple-Security-Policies Environment”, Computers & Security, 19(3), pp. 267-281.

Lambrinoudakis, C. (2000) “Smart card technology for deploying a secure information management framework”, Information Management & Computer Security, 8(4), pp.173-183.

Liechtenstein, S. (1996) “Factors in the selection of a risk assessment method”, Information Management & Computer Security, 4(4), pp. 20-25.

Liechtenstein, S. (1998) “Internet Risks for Companies”, Computers & Security, 17, pp. 143-150.

Loukis, E. & Spinellis, D. (2001) “Information systems security in the Greek public sector”, Information Management & Computer Security, 9(1), pp. 21-31.

Lyytinen, K. (1988) “Stakeholders, IS failures and soft systems methodology: an assessment”, Journal of Applied Systems Analysis, 15, pp. 61-81.

Martin, J. & Finkelstein, C. (1981) Information Engineering Vol 1 and 2, Prentice Hall, Englewood Cliffs, NJ.

McDermott, J. & Fox, C. (1999) ‘Using abuse case models for security requirements’, in Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC).

Morgan, G. (1997) Images of Organization. SAGE Publications, California.

Muir, S. (1997) “After the break-in occurs: How to handle the student hacker”, Library High Tech, 15(1/2), pp. 92-95.

Mumford, E. (1985) “Defining System Requirements to meet Business Needs: a Case Study Example”, The Computer Journal, 28(2), 97-104.

Mumford, E. (1998) “Problems, knowledge, solutions: solving complex problems”, Journal of Strategic Information Systems, 7, pp. 255-269.

Norman, D. (2004) Emotional Design, 2004, Basic Books, New York.

Pfleeger, C. (1997) Security in Computing. Prentice-Hall, New Jersey.

Pouloudi, A. (1999) ‘Aspects of the stakeholder concept and their implications for information systems development’, in Proceedings of the Thirtieth-second Hawaii International Conference on Systems Sciences (HICSS-32), IEEE Computer, January 5-8, Maui, Hawaii.

President’s Commission on Critical Infrastructure Protection (1997) Critical Foundations: Protecting America’s Infrastructures, General Accounting Office, USA.

Purser, S. (2001) “A Simple Graphical Tool For Modelling Trust”, Computers & Security, 20(6), pp. 479-484.

Quang, P.T. & Chartier-Kastler, C. (1991) MERISE in Practice, Macmillan Education, London.

SBA (2005) ‘IT Security By Analysis’,, 1 May 2005.

Schultze, U. & Orlikowski, W.J. (2001) “Metaphors of virtuality: shaping an emergent reality”, Information and Organization, 11, 45-77.

Siponen, M. (2001) ‘An Analysis of the Recent IS Security Development Approaches: Descriptive and Prescriptive Implications’, in Information Security Management: Global Challenges in the New Millennium, Dhillon, G. (ed), pp. 101-124, Idea Group Publishing.

Siponen, M. (2003) ‘New directions on IS security methods: The process view’, in Security and Privacy in the Age of Uncertainty, Gritzalis, D. et al. (eds.), Kluwer Academic Publishers, 325-336.

Smith, E. & Eloff, J.H.P. (2001) ‘Transaction Based Risk Analysis – Using Cognitive Fuzzy Techniques’, in Advances in Information Security Management & Small Systems Security, Eloff, J.H.P. et al. (eds), Kluwer Academic Publishers.

Spinellis, D., Kokolakis, S. and Gritzalis, S. (1999) “Security requirements, risks, and recommendations for small enterprise and home-office environments”, Information Management & Computer Security, 7(3), pp.121-128.

Spurling, P. (1995) “Promoting security awareness and commitment”, Information Management & Computer Security, 3(2), pp. 20-26.

Stapleton, J. (1997) DSDM, Addison-Wesley.

Taylor, F.W. (1911) Principles of scientific management. Harper & Row, New York.

Tryfonas, T. (2003) ‘The Contribution of Organisational Images of Information Systems Security to the Implementation of Secure Information Systems’, Dept. of Informatics, Athens University of Economics and Business, Greece, Unpublished PhD thesis.

Tryfonas, T. and Kiountouzis, E. (2003), ‘Perceptions of security contributing to the implementation of secure IS’, in Gritzalis, D. et al. (Eds.), Security and Privacy in the Age of Uncertainty, IFIP/SEC’03, Kluwer Academic Publishers, pp. 313-324.

Tsoukas, H. (1991) “The Missing Link: A Transformational View of Metaphors in Organisational Science”, Academy of Management Review, 16(3), 566-585.

Walsham, G. (1991) “Organisational metaphors and information systems research”, European Journal of Information Systems, 1(2), pp. 83-94.

Walsham, G. (1995) “Interpretive case studies in IS research: nature and method”, European Journal of Information Systems, 4, pp. 74-81.

Warren, M.J. & Batten, L.M. (2002) ‘Security Management: An Information System Setting’, in Proceedings of the ACISP 2002 Conference, Batten, L., Seberry, J. (eds.), Springer-Verlag LNCS 2384, 257-270.

Wood, C.C. (1995) “Shifting IS Security Responsibility from User Organisations to Vendor/Publisher Organisations”, Computers & Security, 14, pp. 283-284.

Wood, C.C. & Snow, K. (1995) “ISO 9000 and Information Security”, Computers & Security, 14, pp. 287-288.

Yngström, L. (1996) ‘A holistic approach to IT security’, in Information Security – The Next Decade, Ellof, J. and von Solms, S. (eds), Chapman & Hall, London.