Benchmarking Methodology for Information Security Policy (BMISP): Artifact Development and Evaluation