Artikel #6a Puput Anzaini Adilla

Post on 05-Jul-2018

  • 8/16/2019 Artikel #6a Puput Anzaini Adilla

    User Participation in Information System Security Risk Management

    (Executive summary of a critical review of the article)

    Reviewed by Puput Anzaini Adilla

    I. Context Story

    Practical gaps

    The occurrence of IS security breaches by internal personnel may be reduced if greater emphasis were placed on internal threats to IS security that can occur when employees handle information in their day-to-day jobs. Instead, it is widely believed that organizational efforts to manage IS security are typically focused on vulnerabilities in technological assets such as hardware, software, and networking, at the expense of managing other sources of vulnerabilities, such as people, policies, processes, and culture (see Halliday et al. 1996; Hu et al. 2006; Jahner and Krcmar 2005; Spears 2005; Straub and Welke 1998; von Solms and von Solms 2004). Moreover, technology-focused IS security is typically centered on external threats, such as hackers and viruses (see Doherty and Fulford 2005; Whitman 2004), leaving organizations open to breaches from the inside.

    Empirical gaps

    There are at least two reasons why user participation in IS security risk management can be valuable. First, user awareness of the risks to IS security is widely believed to be fundamental to effective IS security (Aytes and Connolly 2004; Furnell 2008; Goodhue and Straub 1991; Hu et al. 2006; Siponen 2000a, 2000b; Straub and Welke 1998; Whitman 2004). That is, organizational security controls (i.e., policies, procedures, safeguards, and countermeasures that prevent, detect, or minimize an IS security breach) can only be effective to the extent that people handling the information in their day-to-day jobs (e.g., functional business users) are aware of those measures and adhere to them. Indeed, Goodhue and Straub (1991, p. 13) suggested that “since protective measures often require significant managerial vigilance, an appropriate level of awareness and concern may be a pre-requisite for adequate security protection.”

    A combination of data collection and analysis methods were used on separate samples to examine user participation in SRM. Interviews were conducted with one sample, followed by a survey study on a different sample of professionals who had worked on compliance with the Sarbanes-Oxley Act for their respective organizations. This multi-method (also referred to as mixed-method and pluralist) approach was chosen based on the premise that separate and dissimilar data sets drawn on the same phenomena would provide a richer picture (Sawyer 2001, p. 180) of the concept of and outcomes associated with user participation than would a mono-method approach. A sequential design (Hanson et al. 2005; Mingers 2001) was used in that the qualitative exploratory study informed a subsequent confirmatory study.

    IV. Research Findings

    The findings of the two studies converged and indicated that user participation contributed to improved security control performance through greater awareness, greater alignment between IS security risk management and the business environment, and improved control development. While the IS security literature often portrays users as the weak link in security, the current study suggests that users may be an important resource to IS security by providing needed business knowledge that contributes to more effective security measures.

    risks within their business processes. By having users participate in SRM, security becomes more relevant to users and security measures become better aligned with business objectives. As such, user participation becomes a valuable awareness strategy for users, IS, and security professionals.

    QUESTION

    &