Perception of risk and the strategic impact of existing IT on information security strategy at board level

Elspeth McFadzean, Jean-Noel Ezingeard and David Birchall
Centre for Business in the Digital Economy, Henley Management College, Henley on Thames, UK

Online Information Review, Vol. 31 No. 5, 2007, pp. 622-660. © Emerald Group Publishing Limited, 1468-4527. DOI 10.1108/14684520710832333. Refereed article received 31 March 2007; revision approved for publication 8 June 2007. The current issue and full text archive of this journal is available at www.emeraldinsight.com/1468-4527.htm

Abstract

Purpose – Information security is becoming increasingly more important as organisations are endangered by a variety of threats from both their internal and external environments. Many theorists now advocate that effective security policies should be created at senior management level. This is because executives are able to evaluate the organisation using a holistic approach as well as having the power to ensure that new systems and procedures are implemented in a timely manner. There is, however, a continuing lack of understanding regarding the strategic importance of managing information security. In addition, there is a gap in the literature on the relationship between directors and information security strategy. This paper attempts to close this gap by exploring how directors perceive their organisation’s security and what factors influence their decisions on the development and implementation of information security strategy.

Design/methodology/approach – The research is based on constructivist grounded theory. Forty-three interviews were conducted at executive level in 29 organisations. These interviews were then coded and analysed in order to develop new theory on directors’ perception of risk and its effect on the development and implementation of information security strategy.

Findings – The analysis shows that senior managers’ engagement with information security is dependent on two key variables: the strategic importance of information systems to their organisation and their perception of risk. Additionally, this research found that these two variables are affected by both organisational contextual factors and the strategic and operational actions undertaken within the business. Furthermore, the results demonstrated that the two board variables also have an impact on the organisation’s environment as well as its strategic and operational actions. This paper uses the data gathered from the interviews to develop a model of these factors. In addition, a perception grid is constructed which illustrates the potential concerns that can drive board engagement.

Practical implications – The paper illustrates the advantages of using the perception grid to understand and develop current and future information security issues.

Originality/value – The paper investigates how organisational directors perceive information security and how this perception influences the development of their information security strategy.

Keywords Boards, Information control, Data security, Perception, Governance

Paper type Research paper

Introduction

Information security has become an increasingly important factor for many organisations. Over the past decade, there has been a rapid diffusion of electronic commerce and a rising number of interconnected networks, resulting in an escalation of security threats (Abouzakhar and Manson, 2002). In addition, many organisations today see information as an important asset and therefore it is essential that the confidentiality, integrity and availability of this resource are kept intact. Thus, due to the growing risk and value of information, there has been a call for greater responsibility to be undertaken by the board of directors regarding information security issues (Von Solms, 2001). Indeed, according to Dutta and McCrohan (2002, p. 68), “. . . if the firm has not exercised due diligence in protecting its information assets, it will encounter significant corporate, and possibly personal, liability”.

Unfortunately, research has shown there is still too often a lack of understanding of the strategic importance of managing information security (Ernst & Young, 2003; KPMG, 2002). In fact, KPMG (2002) found that over half the companies that they surveyed devolved information security to lower levels, normally to functions or departments with a technical orientation. The roles and responsibilities of board members and senior executives for information security have received little attention in the academic literature to date. Consequently, the purpose of this paper is to investigate the actions undertaken by directors and senior executives that pertain to their organisation’s information security. In addition, the paper aims to explore how boards perceive information security and how this perception influences their own actions as well as the development, adoption and use of their information security strategy. The research presented here used a grounded theory approach to examine directors’ perceptions and actions. The paper makes a theoretical contribution by arguing that directors’ engagement is essentially driven by the strategic importance of IS and perceptions of risk. Implications for practitioners and for future research are also considered.

The paper is structured in five main sections. In the next section, the reasons why the boards of directors[1] should be engaged in information security are discussed and subsequently, three research questions are presented. Next, the methodology and research design are described. The grounded theory approach is explained and justified. In addition, the analysis procedures for this research are described and illustrated with a number of intermediate memos. The third section presents the results, which are subsequently used to construct a model showing the relationships between the board of directors, the organisation’s contextual factors and the strategic and operational actions of the business. The fourth section discusses these results and proposes a Perception Grid that illustrates the potential concerns that can drive board engagement. Implications for directors, IS practitioners and researchers are presented in the final section.

Why should boards engage in information security?

In today’s environment information systems and technologies are becoming increasingly more important to organisations. For instance, information systems have long been used for automated operational transactions as a means of reducing costs (Ward and Griffiths, 1996). The information held in an organisation’s system, however, can be much more valuable than merely managing operational transactions (Levy et al., 2001; Zuboff, 1988). Companies are now realising, for example, that information sharing, e-commerce and data warehousing can be highly beneficial (Cachon and Fisher, 2000; Faber et al., 2002; Higgins, 1999; Rodgers et al., 2002; Teo and Pian, 2003; Yu et al., 2002). In fact, Ward and Peppard (2002, p. 26) suggest that there are four key types of strategic systems that can prove advantageous for organisations:

(1) those that share information via technology-based systems with customers and/or suppliers;

(2) those that produce more effective integration of the use of information in the organisation’s value-adding processes;

(3) those that enable the organisation to develop, produce, market and deliver new or enhanced products or services based on information; and

(4) those that provide executive management with information to support the development and implementation of strategy.

In addition, Chan et al. (1997, p. 125) suggest that information systems are also often used to “. . . leverage unique business competencies, merge companies, restructure industries, and facilitate global competition”. As a result of the increasing importance of information and technology within organisations, managers are being compelled to implement effective security measures in order to protect their assets (Austin and Darby, 2003; Dutta and McCrohan, 2002). Many publications, for instance, therefore exhort boards to take greater responsibility for the issue (Von Solms, 2001). There are three further reasons for greater board involvement in information security planning and control.

The first and perhaps most obvious reason is that directors are responsible, often legally, for their organisation’s risk management system and internal control. For instance, the OECD (2004) Principles of Corporate Governance suggest that a company’s board should have responsibility for developing a risk policy and ensuring the integrity of systems for monitoring risk. Furthermore, fraudulent behaviour and lapses in organisational governance have forced the US Securities and Exchange Commission to produce the Sarbanes-Oxley Act. The Act, like many in other countries, has a simple premise: “. . . good corporate governance and ethical business practices are no longer optional niceties” (IT Governance Institute, 2004, p. 12). Its aim, therefore, is to enhance corporate governance and strengthen internal checks. Thus, institutional investors are increasingly paying closer attention to the governance practices of the companies in which they invest or avoid, seeking out organisations with good governance practices as a positive indication of a shareholder-value focus (Stiles and Taylor, 2001).

The second reason why boards ought to take a greater interest in information security matters is that of competitive advantage through good IT governance. The idea of competitive advantage from information technology has long been at the origin of much of the thinking around the concept of IT governance, often discussed in the information systems literature and referring to how the IT function is organised (Sambamurthy and Zmud, 1999). Much of the IT governance literature is concerned with the alignment between IT and business strategy (Venkatraman, 1993), and it has been argued since the 1980s that good IT governance can be a source of competitive advantage (Tavakolian, 1989). The fact that the word “governance” has been used to describe the organisation of IT indicates that many consider board involvement in the function to be essential as well as the representation of the function at board level.

It is now widely accepted that a good level of alignment between an organisation’s information resources and its business strategy can be a significant source of competitive advantage. Therefore, it can be argued that because the board should be engaged in discussing IT governance issues, it should also be engaged in discussions about information security as the latter forms part of good IT governance (Chan et al., 1997; Reich and Benbasat, 2000).

The third reason supporting the call for greater board involvement in information security matters is that it could be a factor that affects the success of an organisation’s information security initiative. There are a number of important facets that contribute to the success of implementing standards including an information security policy that reflects business objectives, an implementation approach that is compatible with an organisation’s culture, and the support and commitment from management (Baskerville and Siponen, 2002). The latter was confirmed as a success factor of information security policies in recent research (Fulford and Doherty, 2003). It is difficult to conceive how these three critical success factors can be achieved without active board engagement. Consequently, it is imperative that directors increase their involvement in their organisation’s security matters. The aim of this research, therefore, is to explore the following three issues:

(1) How do boards perceive information security risk?

(2) What are the roles and responsibilities of the Board of Directors regarding information security?

(3) How do these roles and responsibilities relate to other areas of the organisation?

Research methodology

Choice of constructivist grounded theory

As stated in the introduction, there has been very little research undertaken on boards of directors and information security. Consequently, this research is exploratory and seeks to generate new theory. As such, some form of interpretive research was needed. Looking at data from an interpretive paradigm has several advantages. First, it encourages researchers to look at the problem from a more holistic point-of-view rather than a simple, one-dimensional position, the outputs of which lack applicability in the field of information security (Dhillon and Backhouse, 2001). Second, it permits human behaviour and interactions to be identified and understood (Backhouse and Dhillon, 1996). Third, it allows the researchers to examine and evaluate the phenomenon through the subjects’ eyes and from the subjects’ perspective (Charmaz, 2000; Strauss and Corbin, 1998). Finally, it permits the integration of technical and human aspects of information security. One consequence of this is that managers may gain a better understanding of the different facets of security and therefore may be better able to make informed choices (Kokolakis et al., 2000).

There have been several calls for information security research to follow a more interpretive path. According to Beatson (1991, p. 30), “Within the corporate culture, security should be given prominence. Because security involves people, it is also very important that other elements within the corporate culture are recognized”. Even though this is the case, Siponen (2001) points out that there has been very little research undertaken on the socio-technical aspects of information security (see for instance Backhouse and Dhillon, 1996; Hitchings, 1996). Furthermore, from a pragmatic point-of-view, studies have found that senior executives are reluctant to complete questionnaires and are further disinclined to provide information about their security processes (Kotulic and Clark, 2004). We felt, therefore, that we could collect more data using interviews rather than any other research method.

Constructivist grounded theory method (GTM) is often quoted as a useful interpretive method for theory generation (Bryant, 2002; Parry, 1998; Strauss and Corbin, 1998). According to Charmaz (2000, p. 510), “Constructivism assumes the relativism of multiple social realities, recognizes the mutual creation of knowledge by the viewer and the viewed, and aims toward interpretive understanding of subjects’ meanings.” The overall aim of using this method here is to generate a descriptive and explanatory theory of the factors associated with company information security decision-making rooted in the experiences of specific company directors and senior executives. Grounded theory method has been used successfully in both organisational and information systems research in the past (Orlikowski, 1993; Sarker et al., 2001; Trauth and Jessup, 2000; Urquhart, 1997).

Data collection

Gathering primary data on information security at board level can be difficult. Kotulic and Clark (2004) found a number of reasons for this. The first and perhaps the most important reason is that organisations are reluctant to share information about security policies with individuals from outside the company. In fact, according to Kotulic and Clark (2004, p. 604), “Information security research is one of the most intrusive types of organization research, and there is undoubtedly a general mistrust of any ‘outsider’ attempting to gain data about the actions of the security practitioner community.” Second, senior managers are unwilling to spend valuable time for a research project that may not provide sufficient benefits for them. As a result of this, we knew that it would be difficult to acquire a large number of subjects. Moreover, since senior management time is precious, we did not want to spend long periods interviewing them. Thus, our primary data was gathered in two phases.

The first phase consisted of a series of 23 in-depth interviews. The interviewees were senior managers; most sat on the board of their respective companies. These organisations ranged from SMEs to large multi-national corporations. The list was drawn up from personal and organisational contacts and aimed to provide an adequate representation of different types of companies. The sampling strategy we used is that described by Strauss and Corbin (1990) as “open sampling” where participants are selected to maximise the opportunities for augmenting the pool of relevant data. The triangulation of sources is one method of improving research validity for grounded theory (Creswell, 2003; Trauth and Jessup, 2000). We therefore sought a broad cross section of sources as a form of triangulation.

The interviews were conducted for 60 to 90 minutes. They were open-ended and discovery oriented (Flint et al., 2002). Although we used “seed questions” at the start of the interview, we also tried to maintain a continuous “conversation” rather than follow a rigid list of questions or themes. Senior executives were engaged with this form of interviewing and we felt they were happy to enter into fairly detailed discussions, perhaps more than they would have been with an interaction based on questions and answers. The data collection focused on the areas of context, security practices, key players and their behaviour, technology, risk and change processes. Amongst other things, it sought information on:

(1) Human factors. Internal and external threats; training and awareness programmes; perception of risk; roles and responsibilities regarding security and how customers and other stakeholders view security processes.

(2) Technology factors. Evolution of technology and security devices; penetration testing; and insourcing or outsourcing.

(3) Environmental factors. Compliance issues; standards and codes of practice; legal issues and insurance benefits.

(4) Business process factors. Reputation; security versus ease of doing business; how security issues affect information sharing, creativity, culture and employee competencies; communication and reporting processes; and the extent of corporate/IT/information security alignment.

Once these interviews were analysed, we were able to discover gaps where we required further information or areas where we needed greater depth. Phase two, therefore, consisted of a further 20 interviews so that we could explore some of these issues in more detail (see Table I for more information on the subjects). These interviews also lasted up to 90 minutes and were, again, with senior executives from a range of companies.

Few guidelines exist on the optimum size of the data pool in grounded theory. For instance, Pries-Heje (1992) used 19 interviews in nine firms to study information systems development, whereas Orlikowski (1993) only used two firms but a total of 159 interviews in her well-known study. Furthermore, as pointed out by Glaser and Strauss (1967, p. 61), the researcher “. . . cannot state at the outset how many groups he will sample during the entire study; he can only count up the groups at the end”. In practice the notion of theoretical saturation is normally recommended (Locke, 2001) as a guide to sample size; this is the notion we used in the work reported here. As a result, we did not set out to interview a pre-determined number of participants or groups.

Analysis procedure

We used open, axial and selective coding to analyse our results (Strauss and Corbin, 1990). Every interview was recorded and transcribed verbatim. We subsequently imported each transcript into the qualitative analysis software package Atlas-ti where we undertook the open coding process.

Open coding is “the analytic process through which concepts are identified and their properties and dimensions are discovered in data” (Strauss and Corbin, 1998, p. 101). Each interview transcript was examined and coded line-by-line, by sentence or paragraph (Sarker et al., 2001). Although this open coding process is procedurally guided, it is fundamentally interpretive in nature and must include the perspectives and voices of the people that are studied (Strauss and Corbin, 1998). Open coding allowed us to name similar events, occurrences and objects so that we could categorise them under common headings. In addition, we also undertook “micro-analysis” at this time. Here, we examined the data so we could determine the properties and dimensions of certain words or sentences. This analysis together with our interpretations and thoughts were recorded in memos. These memos helped us to collate and provide an overview of the growing complexity of information that arises from the grounded theory methodology. They can be used to maintain clarity, to support, amend or extend conceptual thinking, and to record the entire research journey. According to Strauss and Corbin (1998, p. 218) “Memos serve the dual purpose of keeping the research grounded and maintaining that awareness for researchers”. An example of one of our early memos is presented in Figure 1. This illustrates our initial thoughts on the properties and dimensions of one of the concepts found during analysis.

Axial coding reassembles the data that was fractured during open coding in order to discover relationships between categories and sub-categories along the lines of their properties and dimensions. Strauss and Corbin (1998) suggest that this should be achieved by using a coding paradigm involving conditions, actions/interactions and consequences. However, Sarker et al. (2001) found this procedure problematical and excessively constraining because the data were too complex and the procedure too mechanistic. Consequently, they linked their categories hierarchically with their sub-categories. We decided to use a coding paradigm that involved linking our categories with the concepts, beliefs and behaviours of organisational stakeholders (Ryan and Bernard, 2000). Fifteen major categories or families were developed during this stage of analysis. We then created an integrative memo on each of the major categories “. . . that was interpretive in nature, attempting to integrate as many sub-categories as possible within a memo on a category” (Sarker et al., 2001, p. 46). This was achieved through intermediate, very detailed process models. An example of one conceptual model is shown in Figure 2. In addition, we also used mini-frameworks to examine possible relationships (see Figure 3 for an example). Both the conceptual models and the mini-frameworks enabled us to establish whether we had any gaps in our evolving theory so that we could gather further data, if necessary.

Table I. Information on interview sample

| Subject code | Position | Industry | Company | Board member | Last turnover figure ($m) (a) |
|---|---|---|---|---|---|
| S1 | CEO | Finance | Subsidiary of UK public quoted | Yes | Not published (3,400 employees) |
| S2 | E-commerce development director | Finance | Subsidiary of UK public quoted | No | Not published (3,400 employees) |
| S3 | Advisor | Defence | UK government department | Yes | Not applicable |
|  | Chairman | Energy | UK public quoted | Yes | 11,188.2 |
| S4 | Chief information security officer and VP operations | Electronics | USA public quoted | Yes | 128.3 |
| S5 | IT director | Finance | UK subsidiary of Swiss public quoted | No | 12.6 |
| S6 | Chief operating officer | Finance | UK subsidiary of Swiss public quoted | Yes | 12.6 |
| S7 | Company secretary | Energy | UK public quoted | Yes | 5,037.3 |
| S8 | Managing director | Manufacturing | UK private | Yes | 3.1 |
| S9 | Managing director | Consulting | UK public quoted | Yes | 993.9 |
| S10 | Chief information officer | Consulting | UK public quoted | Yes | 993.9 |
| S11 | Chief information security officer | IT | UK subsidiary of USA public quoted | No | Not published (1,600 employees) |
| S12 | Chief executive officer | Communications | UK public not-quoted | Yes | 16,227.4 |
| S13 | Senior manager, business process industrial products | Consulting | Private | Yes | 66.4 |
| S14 | Group security adviser | Finance | UK public quoted | No | 1,113.6 for UK operations |
| S15 | Director of finance and corporate services | Public sector | UK public sector authority | Yes | 295.3 |
| S16 | Chief finance officer | Pharmaceutical | UK subsidiary of Swiss public quoted | Yes | 61.8 |
| S17 | IT director | Pharmaceutical | UK subsidiary of Swiss public quoted | No | 61.8 |
| S18 | Director of global security | Energy | UK public quoted | No | 208,440 |
| S19 | Finance director | Finance | UK public quoted | Yes | 297.2 |
| S20 | Finance director | Electronics | Private | Yes | 66.4 |
| S21 | IT director | Electronics | Private | No | 66.4 |
| S22 | Chief technology officer | Transportation and logistics | Multi-national subsidiary of USA public quoted | No | 1,800 |
| S23 | Director of finance, personnel and information systems | Education | Private | Yes | 41.1 |
| S24 | Director of finance, personnel and information systems | Education | Private | Yes | 41.1 |
| S25 | Chief executive officer | Consulting | Private | Yes | Unavailable |
| S26 | Group marketing director | Consulting | Multi-national subsidiary of USA public quoted | Yes | 430.4 |
| S27 | Marketing director | Consulting | Multi-national subsidiary of USA public quoted | No | 430.4 |
| S28 | Information security project manager | IT | German subsidiary of USA public quoted | No | For German subsidiary: revenue $96.5; net income $8.4 |
| S29 | Chief information security officer | Electronics | USA public quoted | Yes | 128.3 |
| S30 | Senior manager, business process industrial products | Consulting | Private | Yes | 66.4 |
| S31 | Chief security officer | Finance | Swiss public quoted | No | 25,785.3 |
| S32 | Advisor | Defence | UK government department | Yes | Not applicable |
|  | Chairman | Energy | UK public quoted | Yes | 11,188.2 |
| S33 | Knowledge manager | Finance | Subsidiary of Spanish public quoted | No | Operating income: $5,018 |
| S34 | Senior civil servant | Public sector | UK government department | Not applicable | Not applicable |
| S35 | Chief finance officer | Pharmaceutical | UK subsidiary of Swiss public quoted | Yes | 61.8 |
| S36 | Information assurance programme director | Communications | UK public quoted | No | Group results: $6,536.9 |
| S37 | Group security adviser | Finance | UK public quoted | No | 1,113.6 for UK operations |
| S38 | Head of IT | Electronic trading | Subsidiary of UK public quoted | Yes | Unavailable |
| S39 | Benchmark programs manager | Scientific solutions | USA public quoted | No | 27,349 |
| S40 | Head of information | Finance | Global organisation with listings in London, Hong Kong and New York | No | Group’s total operating income: 50,587 |
| S41 | IT director | Finance | UK subsidiary of Swiss public quoted | No | 12.5 |
| S42 | CEO | Finance | Subsidiary of UK public quoted | Yes | Not published (3,400 employees) |
| S43 | IT director | Finance | Subsidiary of UK public quoted | No | Not published (3,400 employees) |

Notes: (a) Where results are available in a currency other than US dollars, the exchange rate published at TrustNet (http://www.trustnet.com/general/rates.asp) on 10 March 2005 was used for converting the revenue figures. Some of the above subjects were interviewed twice in order to gather more information.

Finally, selective coding was employed to identify the core families to be used to develop our theory. The major core family that was chosen was “Board of Directors”, which included four sub-families. Two of these sub-families – Perception of Risk and Aim of the Organisation – were subsequently used to develop the Perception Grid presented in the Discussion section.

Furthermore, selective coding was used to link the core category to two other major groups – “Institutional Context” and “Strategic and Operational Action for Planning, Adopting and Using Information Security Tools and Procedures” – in order to gain a more holistic and contextual view. This integration often occurs as a process model, which illustrates how the concepts, beliefs and behaviours of organisational stakeholders are linked to the primary category. In order to choose our principal category, we needed to ensure that all our other major families could be linked to this central idea. Consequently, we produced a memo showing the major categories and their relationships with the central theme (see Figure 4). We then used all our memos, conceptual models, mini-frameworks and interview quotes to develop and refine our theory.

Figure 1. An early memo showing an initial view of the properties and dimensions of work effectiveness during open coding

Figure 2. Axial coding for consequences (of awareness) category

Figure 3. An examination of possible relationships using a mini-framework

Generating the theory

There are a number of variations of grounded theory procedures to describe the phenomena of interest. In our case, in order to answer our research questions, we needed to ascertain what the critical elements are within companies that shape senior executives’ perception of information security risk. In addition, we also needed to determine how these perceptions influenced their decision making regarding information security issues.

For the former question, we explored the “information needs” of senior executives that could aid in the formation of their perception of their organisation’s information security requirements. These information needs were ascertained for the two sub-families within our key category. They were also linked to the beliefs and behaviours of the senior executives.

For the latter question, we explored the consequences of these perceptions on two other related families that were developed during axial coding, namely the institutional context and strategic and operational action. Here, the coding paradigm linked these two families to their sub-categories (concepts), the study’s core category, broken down into the two sub-families and the major potential consequences.

Figure 4. Identification of core concept and major categories during selective coding

Galal (2001) suggests using “need theory” to develop a meaningful framework that relates the board’s perception of risk and cognisance regarding corporate goals to strategic and operational action and the institutional context. The majority of companies aim to meet their corporate goals and to effectively satisfy their customers’ needs. Information security systems and procedures should not disrupt the processes required to fulfil these objectives. Need theory is a theoretical formulation devised for each organisational level at which work effectiveness and corporate goal requirements have been recognised. In addition, this theory can help us to understand the requirements of other stakeholders who are outside the organisation’s boundaries but who have a strong link with one or more hierarchical levels within the company, in this case board level.

By using the different organisational levels, researchers can obtain a succession of need theories, which can be explored in order to ascertain how these levels fit together, and to establish the potential risk and constraints as well as strengths and opportunities for fulfilling work effectiveness and corporate goals (see Figure 5). In our case, the first two research questions will focus on the board level requirements and the third research question will centre on strategic and operational actions and institutional context.

The models in the results section of this paper emerged from the three coding levels, the coding paradigms and the need theory framework. Emerging concepts were integrated with a substantial literature base to both complement and confirm findings – a process which, according to Eisenhardt (1989, p. 545), is “. . . particularly crucial in theory building research”. In fact, Eisenhardt suggests that “tying the emergent theory with existing literature enhances the internal validity, generalizability and theoretical level of theory building.” Moreover, she also states that existing literature can help to corroborate findings that are often supported by only a limited number of interviews. Additionally, because our sample was self-selected and consisted of board members normally well versed in public relations, we felt that a substantial use of the literature in the conceptualisation exercise also helped us adhere to the “principle of suspicion” advocated by Klein and Myers (1999).

Figure 5. Need theory


Results

The roles and responsibilities of the board of directors

As explained above, we chose the roles and responsibilities of the board of directors as our core category. This was the central theme of our analysis and it related well to the other categories including the contextual factors. From the analysis of the interviews, we found two high-level sub-families within the core category. These are perception of risk and the aim of the organisation. We also found two other sub-families in this category: control and governance. These results concur with Stiles and Taylor (2001) who found three areas of responsibility for boards. These are their:

(1) Strategic role. This includes setting the parameters of the organisation’s activities and screening proposals for strategic and operational goals (this is similar to our sub-family: aim of the organisation).

(2) Control role. This entails ensuring alignment of managerial actions with shareholders’ interests and includes evaluating budgets and plans, monitoring the environment and benchmarking against competitors (this is similar to our sub-family: control).

(3) Institutional role. This involves acquiring critical resources, building relationships with shareholders and mediating between internal and external coalitions (this is similar to our sub-family: governance).

We found that the directors’ perception of their environment and particularly perception of risk had an impact on these three roles. Consequently, in order to be consistent with the literature, we used Stiles and Taylor’s terms to develop our model of our core category (see Figure 6). This model is based on need theory: what information do board members require in order to make decisions and how does this relate to the above three roles?

The model can be explained as follows: information is attained by the directors from both internal and external sources; each director perceives this information in different ways. This includes their perception of risk, which will have an impact on the board’s strategic role (Arrow A). For example, the decisions made during the screening procedure for strategic and operational goals will be influenced by their perception of risk. The higher the risk, the greater the necessity for stringent security controls. Likewise, the intentions of the organisation will have an impact on perception of risk (Arrow B). Directors whose organisations use information systems as a strategic weapon, for instance, will view risk in a different way from those whose organisations utilise IS as an operational necessity. Directors’ perception of risk and their strategic role within the board will have an impact on their control and institutional roles (Arrow C). Budgetary and regulatory considerations for information security will be dependent on the level of risk and the aim of the organisation. A company that uses its IS as a competitive weapon within a high risk environment, for example, will spend more on security than a company that uses IS as an operational necessity in a low risk environment. Moreover, shareholders are also demanding tighter accountability from directors especially regarding financial, regulatory and security practices.

In the following sections perception of risk and the strategic role of the board are discussed in more detail.


Figure 6. The roles of the board of directors


Perceptions of information security risks

We found that the directors’ perception of both internal and external risks has a major impact on information security. Perception and interpretation involve arranging data into sets of corporate-world norms, beliefs and values (Brewer, 2002; Parsons, 1995). It is these attitudes, opinions and values that have an effect on the perceivers’ actions and decision making processes (Barnett and Vaicys, 2000; Brewer, 2002; Frey, 2000). Thus, directors’ perception of risk will have an impact on their own roles and actions including the development of the organisation’s information security strategy.

Human behaviour was recognised by all our interviewees as one of the major information security risks. In particular, they identified their own employees as potential threats. Responses to human risks, and in particular employee driven risks, varied significantly with some organisations relying on informal education whilst others had very strict procedural controls in place.

Internal human risk, however, is not the only concern for senior executives. We found that the communities outside the boundaries of the organisation are also proving to be possible threats. For instance, customers and suppliers are seen as potentially hazardous especially in industries that transact online:

Being able to articulate clearly where the customer’s responsibility lies and what risk is contained in that is always critical (CEO, Finance).

“Employees” implies that they are working for [us], but we are hugely out-sourced, so our supply chain involves humans across multiple companies in the supply chain. And then we have got the customer base, and . . . you are very reliant on the customer doing their bit as well (Group Security Adviser, Finance).

The aim of the organisation and the strategic role of the board

There have been numerous studies undertaken on boards of directors and their activities. One such project carried out by Stiles and Taylor (2001, p. 119) found the following (the emphasis is that of the original authors):

The data from this study show that boards are not involved to any great extent in the strategy formulation process, but rather set the parameters within which strategic discussion takes place. This is achieved first through determining and maintaining (and adjusting) the corporate definition (what business we are in).

Like Stiles and Taylor, we found that board members did not develop information security strategy but they did review strategic proposals given to them by senior managers. Many executives admitted, however, that discussing information security at this level was often quite difficult. Two clear reasons for this emerged from the data:

(1) the information security discourse used by specialists tends to be in technical language which many board members find difficult to engage in; and

(2) some boards see the issue as “operational” and prefer to delegate it to the security specialists in their organisations.

In addition, we also found that the review of their corporate definition, the aim of the organisation, had an impact on information security. Business information systems can be used to facilitate the fulfilment of organisational goals (Chan et al., 1997; McFarlan et al., 1983). Two different perceptions regarding the aim of information systems and security were found. Some executives suggested that their information systems and security could be used as a competitive weapon whilst others did not perceive their information systems and security as being important. In the latter cases, the organisations use their information systems as an operational necessity rather than to gain competitive advantage. Surprisingly, there was no correlation between the use of IS and the industry or the size of the company.

Relating the board to its organisation and environment

Using need theory, the roles and responsibilities of the board of directors can be linked to two other families that were found during the analysis. These are the institutional contextual factors and the strategic and operational actions undertaken by employees (see Figure 7). This model illustrates the salient categories found in each of the three families as well as how they relate to one another.

This framework is based on the “structurational principle” that human players interact with their organisation’s internal and external contextual factors over a period of time (DeSanctis and Poole, 1994; Giddens, 1984; Orlikowski and Robey, 1991). It can be explained as follows.

The organisation’s contextual factors were found to include both internal and external variables. These included governmental laws and compliance issues; external and internal threats such as theft, denial of service attacks, viruses and data corruption; organisational culture as well as the current position of information and security systems within the firm. These contextual factors were found to have a direct influence on the board’s perception of risk (Arrow 1). Whilst perceiving and interpreting the contextual factors, executives can often influence their own environment, often unintentionally (Arrow 2). For instance, when articulating the need for tighter security measures, senior managers may inadvertently encourage a change in culture, developing a less trustworthy and open environment.

As discussed above, we found that the board of directors tended to undertake three different roles – the strategic role, the control role and the institutional role. Our results also showed that senior managers’ perception of risk has a direct impact on these three roles. Moreover, both their perception of risk and their board roles affect the strategic and operational action undertaken by their subordinates (Arrow 3). In the same way, these actions will also have an impact on the directors, shaping their perception of risk and their decisions regarding information security (Arrow 4).

Strategic and operational actions for planning, adopting and using information security tools and procedures will also be influenced by the organisation’s contextual factors (Arrow 5). For instance, security systems will need to be altered if a new and unexpected threat is targeted towards the company. In a similar manner to the board of directors, employees undertaking these strategic and operational actions can often influence their own environment; perhaps, for example, changing their culture, their customers’ security expectations or their varying feedback, monitoring and control systems (Arrow 6). In the following sections, institutional context and strategic and operational action are discussed in more detail.

Figure 7. The relationships between the board, institutional context and strategic and operational action

Institutional context

Our results showed that there are four major categories of contextual variables: environmental, information security, organisational and political/legal:

(1) Environmental context. The environmental contextual variables include external conditions that could have an impact on the organisation’s information systems and its security. Our results showed that customers, shareholders and other business organisations can all influence the security parameters set by the board. For example, one interviewee stated, “In our business we have a high percentage of transactions that’s going through our IT infrastructure . . . Therefore, many of our customers want to know what kind of back-up we have, what kind of fail-safe or protection we have, especially for this information” (Director of Global Security, Energy).

(2) Information security context. Our research found a number of information security contextual issues that included internal and external threats, the present role of security in the firm, existing information security infrastructures and processes, information policies and practices, technology, current security staff and existing monitoring, control and feedback mechanisms. The risks of internal or external threats, for instance, played a large part in both corporate and security decision making within the organisation. In addition, security development and implementation was found to be an iterative and dynamic process because of the changing nature of the environment. As one interviewee stated, “Just as we put in more and more clever technical systems, so there are clever people out there who seem to enjoy hacking into technical systems” (Managing Director, Consulting).

(3) Organisational context. The organisation’s contextual variables include corporate aims and strategies, skills and knowledge, culture and trust, organisation structure and employee education. Our research found that the company’s aims and strategies have a huge influence on information security. For instance, organisations with a culture of innovation and information sharing will develop different security procedures from those organisations that do not depend on information sharing. According to one interviewee, “If you want openness in your organisation, you have to allow people access and if you do, they can do what they like to an extent and it’s a question of building trust with your employees” (COO, Finance).

(4) Political/legal context. Axial coding revealed that four main political/legal contextual factors influence security development. These are codes of practice, compliance, insurance and security standards. According to one interviewee, for instance, some companies lag behind in fully developing the processes that fulfil compliance and legislative demands whilst others find codes of practice useful to help structure and manage internal risks. Some of our interviewees also noted that insurance companies are now becoming more reluctant to take on what they see as big risks. Thus, in some cases, effective information security promotes greater harmony between the organisation and their insurers.

Strategic and operational action

We found that in response to the perceived changes in the environment and the board’s strategic, control and institutional roles, senior managers will analyse information security needs; develop an information security strategy; communicate and implement the strategy; and evaluate the consequences of adopting the strategy:


(1) Analyse information security needs. Our results showed that there are five major issues involved in analysing information security needs. These are:

. Risk analysis. The development of risk management frameworks and undertaking security audits.

. The value of business and security goals. The importance of aligning information security with the organisation’s objectives.

. Technology. The need for technical expertise. This expertise can be gained from both internal IT specialists and/or external technical or security support companies.

. Security standards. These include codes of practice, security standards and compliance issues. Tailored control and measurement frameworks are frequently developed from voluntary codes of practice.

. Stakeholders. Employees and customers are both seen as potential threats to organisational security.

(2) Develop an information security strategy. We found a number of factors that are taken into account during this stage:

. Internal issues. These include the complexity of the security interface and the technology, the complexity of the security procedures, the distribution and sharing of information, ease of use and work effectiveness, employee satisfaction, employee empowerment and trust, insourcing v. outsourcing, monitoring and control systems and the quality of information.

. Financial issues. Although this is an important consideration in information security development, we found that the cost of information security was often hidden within the IT budget and, therefore, many senior managers had no knowledge of the amount spent by the organisation on security each year. This was also the case for those organisations that saw information security as an investment rather than a cost.

. Contingency and backup plans. Our interviewees suggested that these plans include: testing the contingency plans during a “real” situation; designing security procedures in the event of staff redundancies; backing up data in an off-site location; establishing roles and responsibilities in the event of a major disaster occurring; creating internal and external lines of communication in the event of a major threat or disaster; and ensuring recovery and backup systems are in place for the organisation’s critical systems.

. Innovation, learning and growth issues. Creativity and innovation were seen as important drivers for business by some of the organisations that we talked to. There was a concern by some managers, however, that stringent security could prohibit the sharing of information and therefore the development of novel ideas. Moreover, we found that most organisations set up security training and awareness programs.

. Stakeholders’ issues. In many instances, customers and suppliers can influence the stringency of an organisation’s security. Generally, stakeholders demand a robust security system although this has to be balanced with ease of use.


(3) Communicate and implement information security strategy. We found a number of issues involved in the communication and implementation of information security strategy. These include:

. Business processes. Co-ordination between business and security actions was found to be important during the implementation phase. The Chief Executive Officer for a financial organisation suggested that there is a balance between “technical and management issues.” Decisions have to be made about “the rights and responsibilities [of employees undertaking security and business processes]; all of which are a compromise”.

. Employee issues. Information security processes must be accepted by employees in order to be effective. This can be achieved by training and awareness programmes, the development of policy documents and practising contingency actions.

. Systems and technology. Technology is often used to force employees to undertake the required security protocols. For example, smart cards may be the only method of entering a building. Consequently, each member of staff is made aware of his or her authority and responsibilities by the protocols and procedures that are put in place.

. Education and awareness. Many of the organisations we spoke to have some form of security training for their employees. In addition, communication and awareness regarding security issues were seen to be important.

. Contingency processes. Many organisations we spoke to implemented contingency and backup processes. Again, these ranged from simple contingency plans for common security breaches to more sophisticated plans and running “live” disaster training sessions.

(4) Evaluating the consequences of adopting information security strategy. We found a number of potential consequences of adopting a particular information security strategy. The strategy affected both internal and external factors (see Table II).

Due to the changing nature of the environment, the processes of planning, adopting and implementing information security tools and procedures are constantly evolving. As one interviewee put it:

I liken it to a Darwinian effect. You raise the bar once and you try to get rid of that rabble of problems and concerns, whether it’s customers or whether it’s attacks and you get rid of the mass. You raise the bar, but there will always be that top-level concern or top-level hacker out there . . . but you make it as costly as possible for them (otherwise you have to raise the bar again) (Managing Director, Manufacturing).

Discussion

The results presented above illustrate that there are links between the board of directors, the institution’s contextual variables and the action required to plan, adopt and use information security tools and procedures. This section discusses these relationships in more depth. Specifically, we explore how directors’ perceptions of risk and their view regarding the role of information systems in supporting their organisations’ direction influence the planning, adoption and use of organisational security.


Since the turn of the new century, senior executives are becoming increasingly aware of potential security breaches and malicious attacks. However, certain industries – and organisations – are more at risk than others. High profile companies such as Microsoft and E-Bay and vulnerable sectors such as the financial industry have been targeted by hackers and fraudsters. On the other hand, there are some organisations that are less vulnerable to attack; as one interviewee suggested, some organisations aren’t particularly appealing to hackers and are therefore at less risk. We did find one interesting anomaly, however. We asked one subject whether his organisation had a mechanism for communicating to employees about information security, its importance, the risks of sharing passwords and so on. His reply was, “No, because the short answer is we never felt we needed to do so” (Finance Director, Financial Sector). Thus, he implied that his perception of risk was low and therefore there was no need to raise awareness amongst employees. However, other subjects within this industry – the financial sector – took the opposite view of this risk.

Table II. Consequences of adopting information security strategy

Processes and actions that can be enhanced through implementing a successful information security strategy

Internal consequences:

. Resilient internal processes and superior business continuity through the use of uninterrupted, stable and accurate information

. Successful new control, monitoring and auditing processes

. Improved responsiveness to security breaches and attacks

. Effective information usage through an improvement in the quality, integrity, availability, and reliability of all the organisation’s information

. Constructive up-to-date policy documents that present information on security processes, roles and responsibilities, lines of communication and contingency plans

. Cost-effective and straightforward processes for fulfilling compliance and government legislation regarding security

. An enhanced understanding of potential business opportunities through the use of accurate and accessible market intelligence

. Competent technical support – in-house or outsourced – to ensure the reliability of information and security systems

. Better governance through an enhancement of feedback systems that will keep senior managers and directors apprised of potential problems or risks

. Increased sales through an improvement in customer confidence regarding security issues

. Lower costs due to a decrease in security breaches, disruption and downtime

External consequences:

. Improved customer services through secure and easy-to-access communication media such as via the Internet or telephone

. An enhanced reputation for secure systems and safe transactions

. A demonstration of social responsibility by companies, especially those that affect society if a breach or an attack occurs, such as oil companies, banks and chemical companies

. An improvement in trust between the organisation and its external stakeholders, thus increasing commitment from both customers and suppliers

. Maintaining or increasing shareholder value due to a reduction in risk

. An enhancement in relationships with other interested parties such as the police, governing bodies and security groups such as the IAAC

. Competitive advantage through an improvement in both competitor and marketing intelligence as well as the commitment gained from suppliers and customers

The evidence suggests, therefore, that there is a continuum of risk perception by senior managers and board members. Some see a breach in security as a negligible risk and believe that, if it were to occur, it would not have dire ramifications. On the other hand, there are many other managers who continuously explore their organisation’s own security procedures looking for potential gaps in their defences.

According to McFarlan et al. (1983, p. 149), “For some organisations, IS activities represent an area of great strategic importance, while for others they will always play a cost-effective and useful, but distinctly supporting role.” Premkumar and King (1992) also found that senior executives’ assessment of how information technology contributes to organisational performance was closely related to the role of IT in their corporations.

About three-quarters of the organisations we spoke to used information systems for strategic purposes. Strategic applications are critical for business success. They create or support processes which organisations use to conduct their business, with the ultimate aim of obtaining competitive advantage (Barney, 1991; Sambamurthy et al., 2003; Ward and Peppard, 2002). In addition, many of these companies gain an advantage over their competitors by creating innovative new products, developing creative and novel procedures and systems and by producing a resourceful and inventive strategy for the future. These processes can only be undertaken effectively if information is disclosed to the relevant employees (see Figure 8).

In order to facilitate appropriate information sharing, quicker response times and an improvement in efficiency and effectiveness, many of these companies have highly complex information systems, including versatile computer networks, integrated enterprise management systems, customer relationship management systems as well as a reliance on Internet technologies to facilitate daily business transactions and supply chain relationships. A major disadvantage of these types of systems is that they cause these organisations to be much more vulnerable to abuse. To counter this, we found that many of these organisations view information security as an investment – to a similar degree as other IS procurements – rather than a cost.

Alternatively, some organisations see both their information systems and their security as operational necessities. In other words, their security is put in place in order to keep the company’s information safe but plays no part in their overall strategy. According to McFarlan et al. (1983), Tallon et al. (2000) and Ward and Griffiths (1996), senior managers in this type of company cannot be expected to devote the same amount of time to information systems strategy, including security issues, as managers in companies who use IS as a strategic tool. Thus, the evidence suggests that there is a continuum for the use of information, communication and technology within organisations, ranging from using them as an operational tool to using them as a strategic weapon.

From the above, it can therefore be seen that board members gain information about: the role information systems play in supporting the strategic direction of the organisation; and the risk their company faces from both internal and external threats. Each organisation and/or board member will perceive this information in different ways (Brewer, 2002). It is this perception that will have an impact on information security strategy. A perception grid can, therefore, be developed showing the strategic importance of information systems and the perception of risk (see Figure 9).


Figure 8. Using ICT for competitive advantage


The horizontal axis refers to the strategic importance of current information systems because this can have an influence on the decision making process for information security. For example, a company such as Amazon will see itself at the forefront of selling over the internet. This aspect of their business is a major and very important part of the organisation. Thus, this policy should have a considerable impact on its information security strategy. In other words, organisations such as Amazon may need to take a leading role regarding their security awareness and processes in order to maintain their reputation and the confidence of their customers (Brooke, 2001; Gohring, 2000; O’Connor, 2000).

Figure 9. Perception grid

The vertical axis refers to perception of risk. According to Dixon and Dogan (2003, p. 40), “Corporate directors have selective screens through which they receive knowledge of how the corporate world works and how other people behave in it.” Cutting and Kouzmin (2002) suggest that perception, or meaningful interpretation, can be factually or objectively focused (sensate), imaginative and systematic (intuitive) or symbolic or imaginative (aesthetic). Perception involves arranging data into sets of corporate-world norms, beliefs and values (Brewer, 2002; Parsons, 1995). It is these attitudes, opinions and values that have an effect on the perceivers’ actions and decision making processes (Barnett and Vaicys, 2000; Brewer, 2002; Frey, 2000). Consequently, directors’ perception of risk will have an impact on their own roles and actions including the development of the organisation’s information security strategy. The grid consists of four quadrants.

(1) Operational stability

[Public sector organisations] aren’t particularly interesting to hack into (Director of Finance and Corporate Services, Public Sector).

It’s a bit like sending information over the web. Yes, it’s a risk, but someone’s got to be very interested in your particular information to start looking for it. And there’s got to be a very, very significant advantage for them (Managing Director, Manufacturing).

In this quadrant, perception of risk and the strategic importance of current information systems are both low (see Figure 10). In other words, organisations in this quadrant do not use their information systems and technology as a strategic tool. Rather, they are used to improve business efficiency and management effectiveness. In addition, their technology may be used to sustain existing business operations in order to avoid any disadvantages compared with their competitors. Electronic point of sale and automated teller machines are good examples. These types of technology do not give a strategic advantage to their companies but would prove to be disadvantageous if a company did not have them (Ward and Peppard, 2002). Thus, in this quadrant, IT and IS investments are made on applications that support processes on which the business currently depends for success.

The perception of risk by board members, senior managers, customers, suppliers and other stakeholders is low in this sector. This results in a smaller information security budget. Consequently, the information security introduced into the organisation will ensure compliance as well as support for current business processes. These business processes, however, will rarely be changed to ensure safety. Instead, security technology (e.g. firewalls, anti-virus software) is implemented to ensure compliance. The information security processes may be modified within the parameters set by the board, when necessary, but they will never go through radical change.

(2) Strategic stability

We don’t really have a detailed contingency plan for security breaches but we’re pretty prepared for the most common ones because we’ve already had them. We don’t have a formal disaster recovery plan. There’s a good case for saying that security decisions are risk management decisions and we think that if there was a total disaster, if there was a fire [in the organisation] that wiped out the building or a bomb struck or a meteor hit or whatever, the reality is the company’s gone (Chief Information Security Officer and VP Operations, Electronics).

Figure 10. Relating board processes, institutional context and organisational action under conditions of operational stability

[Our security is] not leading edge. Because of our scale, we have some very big systems internally, but they tend to be internal. It’s not like the Ministry of Defence where, if something went wrong in there, it would have much wider effects. It would have an effect on us, it might have an effect on customers, but not massively and, therefore, we’re different (CEO, Communications).

In this quadrant, perception of risk is low but the strategic importance of current information systems is high (see Figure 11). Here, the technological applications within the organisation are critical to current and future business success. They support current processes or create new processes that help provide the business with a competitive advantage. In addition, some of these companies may have innovative and new applications or processes that may, in the future, gain the organisation a further competitive advantage. Investment in IT and IS is undertaken on applications that are critical to sustaining both current and future business strategy.

As in Operational Stability, the perception of risk by board members and other stakeholders is low, resulting in a smaller information security budget. Thus, compliance tends to be ensured by using technology rather than changing business processes.

(3) Operational uncertainty

We have lots of guidelines [ranging] from ethical to behaviour, to accounting compliance, to all kinds of discrimination, and also security and safety. These audits apply a bit of common sense. They look at things like shredder quality or what happens with the bins and they look at who can get into the building. They don’t do testing by [undertaking] a dawn raid... we don’t do these things (Chief Finance Officer, Pharmaceutical Industry).

In this quadrant, perception of risk is higher but the strategic importance of current information systems is low (see Figure 12). As in Operational Stability, organisations in this quadrant use their technology to improve business efficiency and management effectiveness as well as supporting existing processes on which the business currently depends for success.

As a result of this higher perception of risk, senior executives may increase the organisation’s information security budget. In addition, security changes are made within the company by using information security technology as well as modifying processes to ensure safety and compliance.

(4) Strategic uncertainty

In this world of extraordinarily volatile markets, boards are very conscious that protecting the security of their environment gives them a competitive advantage (International Advisor and Non-Executive Director, multiple industries).

In this quadrant, both the perception of risk and the strategic importance of current information systems are high (see Figure 13). As in Strategic Stability, the technological applications within these organisations are critical to current and future business success and are there to provide the firm with a competitive advantage. Ettredge and Richardson (2003) call these companies internet firms. They rely almost completely on information technology to conduct their fundamental operations such as buying and selling goods and services. When the information technology goes wrong in these firms, it can have serious effects. For example, online auction company eBay experienced operating system problems in June 1999. Consequently, the eBay web site was shut down for 22 hours. Over the subsequent two day period, eBay lost six billion dollars, or 25 percent, of its stock value (Glover et al., 2001).

Figure 11. Relating board processes, institutional context and organisational action under conditions of strategic stability

Figure 12. Relating board processes, institutional context and organisational action under conditions of operational uncertainty

Figure 13. Relating board processes, institutional context and organisational action under conditions of strategic uncertainty

Moreover, in this quadrant, the perception of risk by board members, senior managers, customers, suppliers and other stakeholders is also high. This will result in a larger information security budget. In addition, changes are made within the organisation by using information security technology as well as radically changing processes to ensure safety and compliance. Consequently, procedures are changed and security technology is implemented in order to ensure an environment that is as safe, secure and reliable as possible.

Implications and further research

Our research has shown that although all board members are aware of information security, their perceptions of risk and their level of engagement vary. The main purpose of the Perception Grid is to serve as a tool for discussing information security at the strategic level:

(1) The Perception Grid acts as a starting point for the development of an information security strategy. It encourages directors to focus on both the current internal and external risks faced by the company. In addition, it encourages executives to think about the existing aims of their company and how information security corresponds to these aims. The former involves risk analysis, which, according to Baskerville (1991, p. 121), “. . . is the predominant technique used by informational security professionals to establish the feasibility of information systems controls”. However, focusing on both risk and the company’s aim can help executives to communicate their policies to the rest of the organisation. Moreover, it allows executives to consider the norms, culture and purpose of the organisation when regarding information security (Backhouse and Dhillon, 1996).

(2) The Perception Grid is also a useful tool for encouraging directors to focus on actual or potential future risks and the future aims of the organisation. In other words, executives can plot a “strategic course” within the Grid showing where they see themselves in five or ten years’ time. For instance, the board may see the strategic importance of their information technology changing from operational to strategic or they may see their internal or external risks increasing in the future. This may be due to a change in strategy or a potential future environmental threat. Thus, for example, the board may see the organisation in Operational Stability at the present time but may see it in the Strategic Uncertainty quadrant in five years’ time. Consequently, the executives need to develop a strategy to deal with this movement from Operational Stability to Strategic Uncertainty. Further research, however, needs to be undertaken in this area.


(3) The Perception Grid can also encourage directors to explore factors that may influence their strategy. For example, the processes that are put in place in order to fulfil the aims of the organisation may come into direct conflict with the processes needed to improve information security. An innovative company, for instance, may have creative individuals and an empowering environment where information is shared. However, if this organisation is in a high risk environment, information security measures may reduce or even preclude information sharing. Consequently, a dichotomy can occur between high information security and creative output. Executives must therefore develop an approach that will help balance these two potentially conflicting processes.

(4) The Perception Grid can help executives to review the alignment of information security strategy and the organisation’s overall strategy. According to Kelly (1999, p. 23), “[A] lack of alignment with overall strategy means organisations rush to implement narrowly targeting security ‘point solutions’ – a firewall here, a virus protection there. But these quick fixes may do more harm than good. There is little confidence that the selected technologies actually do what they should, and managing them has become a logistical nightmare.” To be effective, information security must add value to the organisation’s aims and objectives and to its business processes, business operations, employees and customers.

(5) Research undertaken by Ettredge and Richardson (2003) found that investors employed certain heuristics in order to examine whether internet firms could be harmed or helped by future denial of service attacks. They discovered that it was not only companies that were attacked by hackers that experienced a decrease in share price. Internet organisations both in the same industry and outside the industry also suffered abnormal returns even though these companies were not attacked. In addition, this same effect occurred for companies that were of similar size to the company that was attacked. Thus, these results show that investors believe that Internet firms similar in size to those actually attacked are most at risk in future even if these companies are not in the same industry. The above research demonstrates that it could be valuable for senior managers to place competitors on the Perception Grid, as well as their own company, in order to gather information regarding security incidents and share prices across the grid’s quadrants.

(6) The Perception Grid may also help executives to manage their applications portfolio. For example, organisations in the Operational Stability quadrant should only enhance their information systems “. . . in response to changes in the business that threaten to put the business at risk through a reduction of competitive capability” (Ward and Peppard, 2002, p. 328). These systems are expected to have an extended working life where they will make a significant contribution to operational processes. Resources dedicated to strategic systems are not justified. Thus, expertise and resources are shared between systems in order to reduce costs. As a result, sophisticated information security systems are not necessary. Basic systems should be put in place and only upgraded to ensure compliance and safety against the more popular means of attack. Organisations in the Strategic Uncertainty quadrant, on the other hand, will manage their applications portfolio differently. For example, continuous business-driven innovation and improvements will occur based on the need to sustain or increase competitive advantage (Noble et al., 2002; Tidd et al., 1997; Ward and Peppard, 2002). Consequently, managers dealing with the information systems need to understand how these systems can be used to enhance business processes (Chan, 2002; Reich and Benbasat, 2000). In addition, they must have the ability to develop their information systems to improve process performance and to add value to the organisation. Thus, both business processes and information systems may be constantly changing. This has a very real effect on information security, which also must be continuously changed and improved.

Furthermore, the Perception Grid is beneficial because it encourages senior executives and IS practitioners to look at two areas: risk and current IS strategy.

Conventional methods of examining risk include checklists, risk analysis and evaluation (Baskerville, 1993; Birch and McEvoy, 1992; Dhillon and Backhouse, 2001). According to Miller and Engemann (1996), these techniques are deficient because they may encourage perpetrators to learn the system and then circumvent it, or they may become obsolete if technology were to change, or, if checklists are used, they may not contain all potential security risks. In addition, these techniques do not include the socio-organisational aspects of information security, which researchers have found to be an important element in the development of a security strategy (Backhouse and Dhillon, 1996; Dhillon and Backhouse, 2001; Dobson, 1991). Consequently, other risk analysis techniques have been postulated. These include Information Security Management Planning (ISMP), which is based on scenario and decision analysis (Miller and Engemann, 1996), and the Entity-Relation model, which is based on enterprise modelling (Dobson, 1991). Further research needs to be undertaken on risk analysis, process modelling and the development of an information security strategy. For instance, Dhillon and Backhouse (2001, p. 145) wrote:

The majority of information systems security research tends to focus on formalised role structures in designing security. Although important, exclusive reliance on formalised structures is not sufficient when designing security.

As a result, social issues are now being seen as a central component in information security and risk analysis (Backhouse and Dhillon, 1996; Dhillon and Backhouse, 2001; Dobson, 1991). Thus, further research needs to be undertaken on patterns of behaviour, social causality, structures of responsibility, perception of risk and formal and informal roles within the information security and risk analysis processes. In addition, the Perception Grid is a useful framework for understanding the above issues in a more holistic manner. For example, what are the relationships between high perception of risk, the use of ICT as a competitive weapon, security processes and patterns of employee behaviour and social causality?

According to Chan et al. (1997), Floyd and Wooldridge (1990) and Reich and Benbasat (2000), it is important that information systems strategy is aligned to corporate strategy. In the same way, information security must be aligned with both IS and corporate strategy (Kelly, 1999). Thus, there is a link between IS mission, objectives and plans; corporate mission, objectives and plans; and information security. Senior executives, therefore, must ensure that the information security strategy is consistent with the stated business mission and plans as well as the stated IS mission and plans. In addition, corporate, IS and security planning should be comprehensive and balanced with respect to the external environment (Reich and Benbasat, 1996). For example, if new technology exists that may have an effect on the company’s strategy and direction, it should also be included in both the IT strategy and the information security strategy (Zviran, 1990). Moreover, there must be a mutual understanding of and a commitment to the company’s corporate, IT and information security strategies by organisational members (Reich and Benbasat, 1996). Consequently, information security strategy must be communicated to all employees to ensure its alignment with corporate and IS strategies. Further research needs to be undertaken on the development of information security strategy and how this can be appropriately aligned with both corporate and IS strategy. For example, conflict may occur between business processes and security. Thus, should there be a compromise between business processes and security or can new processes be developed to fulfil both the aims and the security needs of the business?

This paper has shown that information security strategy is an important part of many companies. Both contextual variables and the roles and responsibilities of the senior executives have been shown to influence the development, adoption and use of information security strategy. In addition, it has proposed that the board’s perception of risk and the use of information technology within the organisation can have an impact on the development and implementation of this strategy.

Note

1. The use of the words ‘board of directors’ or ‘board’ should be seen in this context as referring to the committee in charge of directing the organisation.

References

Abouzakhar, N.S. and Manson, G.A. (2002), “An intelligent approach to prevent distributed systems attack”, Information Management & Computer Security, Vol. 10 No. 5, pp. 203-9.

Austin, R.D. and Darby, C.A. (2003), “The myth of secure computing”, Harvard Business Review, Vol. 81 No. 6, pp. 120-6.

Backhouse, J. and Dhillon, G. (1996), “Structures of responsibility and security of information systems”, European Journal of Information Systems, Vol. 5, pp. 2-9.

Barnett, T. and Vaicys, C. (2000), “The moderating effect of individuals’ perceptions of ethical work climate on ethical judgments and behavioral intentions”, Journal of Business Ethics, Vol. 27 No. 4, pp. 351-62.

Barney, J. (1991), “Firm resources and sustained competitive advantage”, Journal of Management, Vol. 17 No. 1, pp. 99-120.

Baskerville, R. (1991), “Risk analysis: an interpretive feasibility tool in justifying information systems security”, European Journal of Information Systems, Vol. 1 No. 2, pp. 121-30.

Baskerville, R. (1993), “Information systems security design methods: implications for information systems development”, ACM Computing Surveys, Vol. 25 No. 4, pp. 375-414.

Baskerville, R. and Siponen, M. (2002), “An information security meta-policy for emergent organizations”, Logistics Information Management, Vol. 15 Nos 5/6, pp. 337-46.

Beatson, J.G. (1991), “Security - a personnel issue: the importance of personnel attitudes and security education”, in Dittrich, K., Rautakivi, S. and Saari, J. (Eds), Computer Security and Information Integrity, Elsevier Science Publishers, Amsterdam, pp. 29-38.


Birch, G.D.W. and McEvoy, N.A. (1992), “Risk analysis for information systems”, Journal of Information Technology, Vol. 7, pp. 44-53.

Brewer, B. (2002), Perception and Reason, Oxford University Press, Oxford.

Brooke, P. (2001), “DDoS: internet weapons of mass destruction”, Network Computing, Vol. 12 No. 1, pp. 67-70.

Bryant, A. (2002), “Re-grounding grounded theory”, Journal of Information Technology Theory and Application, Vol. 4 No. 1, pp. 25-42.

Cachon, G.P. and Fisher, M. (2000), “Supply chain inventory management and the value of shared information”, Management Science, Vol. 46 No. 8, pp. 1032-48.

Chan, Y.E. (2002), “Why haven’t we mastered alignment? The importance of the informal organization structure”, MIS Quarterly Executive, Vol. 1 No. 2, pp. 97-112.

Chan, Y.E., Huff, S.L., Barclay, D.W. and Copeland, D.G. (1997), “Business strategic orientation, information systems strategic orientation, and strategic alignment”, Information Systems Research, Vol. 8 No. 2, pp. 125-50.

Charmaz, K. (2000), “Grounded theory: objectivist and constructivist methods”, in Denzin, N. and Lincoln, Y. (Eds), The Handbook of Qualitative Research, Sage, Thousand Oaks, CA, pp. 509-35.

Creswell, J.W. (2003), Research Design: Qualitative, Quantitative, and Mixed Methods Approaches, 2nd ed., Sage Publications, Thousand Oaks, CA.

Cutting, B. and Kouzmin, A. (2002), “Evaluating corporate board cultures and decision making”, Corporate Governance, Vol. 2 No. 2, pp. 27-45.

DeSanctis, G. and Poole, M.S. (1994), “Capturing the complexity in advanced technology use: adaptive structuration theory”, Organization Science, Vol. 5 No. 2, pp. 121-47.

Dhillon, G. and Backhouse, J. (2001), “Current directions in IS security research: towards socio-organizational perspectives”, Information Systems Journal, Vol. 11 No. 2, pp. 127-53.

Dixon, J. and Dogan, R. (2003), “Corporate decision making: contending perspectives and their governance implications”, Corporate Governance, Vol. 3 No. 1, pp. 39-57.

Dobson, J. (1991), “A methodology for analysing human and computer-related issues in secure systems”, in Saari, J. (Ed.), Computer Security and Information Integrity, Elsevier Science Publishers, Amsterdam, pp. 151-70.

Dutta, A. and McCrohan, K. (2002), “Management’s role in information security in a cyber economy”, California Management Review, Vol. 45 No. 1, pp. 67-87.

Eisenhardt, K.M. (1989), “Building theories from case study research”, Academy of Management Review, Vol. 14 No. 4, pp. 532-50.

Ernst & Young (2003), Ernst & Young Global Information Security Survey 2003, Ernst & Young LLP, London.

Ettredge, M. and Richardson, V.J. (2003), “Information transfer among internet firms: the case of hacker attacks”, Journal of Information Systems, Vol. 17 No. 2, pp. 71-82.

Faber, N., de Koster, R.B.M. and van de Velde, S.L. (2002), “Linking warehouse complexity to warehouse planning and control structure: an exploratory study of the use of warehouse management information systems”, International Journal of Physical Distribution & Logistics Management, Vol. 32 No. 5, pp. 381-95.

Flint, D.J., Woodruff, R.B. and Gardial, S.F. (2002), “Exploring the phenomenon of customers’ desired value change in a business-to-business context”, Journal of Marketing, Vol. 66, pp. 102-17.


Floyd, S.W. and Wooldridge, B. (1990), “Path analysis of the relationship between competitive strategy, information technology, and financial performance”, Journal of Management Information Systems, Vol. 7 No. 1, pp. 47-64.

Frey, B.F. (2000), “The impact of moral intensity on decision making in a business context”, Journal of Business Ethics, Vol. 26 No. 3, pp. 181-95.

Fulford, H. and Doherty, N.F. (2003), “The application of information security policies in large UK-based organizations: an exploratory investigation”, Information Management & Computer Security, Vol. 11 No. 3, pp. 106-14.

Galal, G.H. (2001), “From contexts to constructs: the use of grounded theory in operationalising contingent process models”, European Journal of Information Systems, Vol. 10 No. 1, pp. 2-14.

Giddens, A. (1984), The Constitution of Society, Polity Press, Cambridge.

Glaser, B.G. and Strauss, A.L. (1967), The Discovery of Grounded Theory: Strategies for Qualitative Research, Aldine Publishing Company, New York, NY.

Glover, S., Liddle, S. and Prawitt, D. (2001), E-Business: Principles and Strategies for Accountants, Prentice Hall, Upper Saddle River, NJ.

Gohring, N. (2000), “But is it safe?”, Telephony, Vol. 238 No. 23, p. 116.

Higgins, H.N. (1999), “Corporate system security: towards an integrated management approach”, Information Management & Computer Security, Vol. 7 No. 5, pp. 217-22.

Hitchings, J. (1996), “A practical solution to the complex human issues of information security design”, in Gritzalis, D. (Ed.), Information Systems Security: Facing the Information Society of the 21st Century, Chapman & Hall, London, pp. 3-12.

IT Governance Institute (2004), “IT control objectives for Sarbanes-Oxley”, available at: www.isaca.org/Template.cfm?Section=Downloads5&CONTENTID=17090&TEMPLATE=/ContentManagement/ContentDisplay.cfm (accessed 3 March 2005).

Kelly, B.J. (1999), “Preserve, protect and defend”, Journal of Business Strategy, Vol. 20 No. 5, pp. 22-5.

Klein, H.K. and Myers, M.D. (1999), “A set of principles for conducting and evaluating interpretive field studies in information systems”, MIS Quarterly, Vol. 23 No. 1, pp. 67-93.

Kokolakis, S.A., Demopoulos, A.J. and Kiountouzis, E.A. (2000), “The use of business process modelling in information systems security analysis and design”, Information Management & Computer Security, Vol. 8 No. 3, pp. 107-16.

Kotulic, A.G. and Clark, J.G. (2004), “Why there aren’t more information security research studies”, Information & Management, Vol. 41 No. 5, pp. 597-607.

KPMG (2002), “Information security survey”, available at: www.kpmg.com/microsite/informationsecurity/isssurvey.html (accessed 12 January 2005).

Levy, M., Powell, P. and Yetton, P. (2001), “SMEs: aligning IS and the strategic context”, Journal of Information Technology, Vol. 16 No. 3, pp. 133-44.

Locke, K.D. (2001), Grounded Theory in Management Research, Sage, London.

McFarlan, F.W., McKenney, J.L. and Pyburn, P. (1983), “The information archipelago - plotting a course”, Harvard Business Review, Vol. 61 No. 1, pp. 145-56.

Miller, H.E. and Engemann, K.G. (1996), “A methodology for managing information-based risk”, Information Resources Management Journal, Vol. 9 No. 2, pp. 17-24.

Noble, C.H., Sinha, R.K. and Kumar, A. (2002), “Market orientation and alternative strategic orientations: a longitudinal assessment of performance implications”, Journal of Marketing, Vol. 66 No. 4, pp. 25-39.


O’Connor, R.J. (2000), “Trading net privacy at e-checkout”, Inter@ctive Week, Vol. 7 No. 36, pp. 10-11.

OECD (2004), OECD Principles of Corporate Governance, Organisation for Economic Co-Operation and Development, Paris.

Orlikowski, W.J. (1993), “CASE tools as organizational change: investigating incremental and radical changes in systems development”, MIS Quarterly, Vol. 17 No. 3, pp. 309-40.

Orlikowski, W.J. and Robey, D. (1991), “Information technology and the structuring of organizations”, Information Systems Research, Vol. 2 No. 2, pp. 143-69.

Parry, K.W. (1998), “Grounded theory and social process: a new direction for leadership research”, Leadership Quarterly, Vol. 9 No. 1, pp. 85-105.

Parsons, W. (1995), Public Policy: An Introduction to the Theory and Practice of Policy Analysis, Edward Elgar, Cheltenham.

Premkumar, G. and King, W.R. (1992), “An empirical assessment of information systems planning and the role of information systems in organizations”, Journal of Management Information Systems, Vol. 9 No. 2, pp. 99-125.

Pries-Heje, J. (1992), “Three barriers for continuing use of computer-based tools in information systems development: a grounded theory approach”, Scandinavian Journal of Information Systems, Vol. 4, pp. 119-36.

Reich, B.H. and Benbasat, I. (1996), “Measuring the linkage between business and information technology objectives”, MIS Quarterly, Vol. 20 No. 1, pp. 55-81.

Reich, B.H. and Benbasat, I. (2000), “Factors that influence the social dimension of alignment between business and information technology objectives”, MIS Quarterly, Vol. 24 No. 1, pp. 81-113.

Rodgers, J.A., Yen, D.C. and Chou, D.C. (2002), “Developing e-business: a strategic approach”, Information Management & Computer Security, Vol. 10 No. 4, pp. 184-92.

Ryan, G.W. and Bernard, H.R. (2000), “Data management and analysis methods”, in Denzin, N.K. and Lincoln, Y.S. (Eds), Handbook of Qualitative Research, Sage Publications, Thousand Oaks, CA, p. CA.

Sambamurthy, V., Bharadwaj, A. and Grover, V. (2003), “Shaping agility through digital options: reconceptualizing the role of information technology in contemporary firms”, MIS Quarterly, Vol. 27 No. 2, pp. 237-63.

Sambamurthy, V. and Zmud, R.W. (1999), “Arrangements for information technology governance: a theory of multiple contingencies”, MIS Quarterly, Vol. 23 No. 2, pp. 261-90.

Sarker, S., Lau, F. and Sahay, S. (2001), “Using an adapted grounded theory approach for inductive theory building about virtual team development”, The DATA BASE for Advances in Information Systems, Vol. 32 No. 1, pp. 38-56.

Siponen, M.T. (2001), “An analysis of the recent IS security development approaches: descriptive and prescriptive implications”, in Dhillon, G. (Ed.), Information Security Management: Global Challenges in the New Millennium, Idea Group Publishing, Hershey, PA.

Stiles, P. and Taylor, B. (2001), Boards at Work: How Directors View their Roles and Responsibilities, Oxford University Press, Oxford.

Strauss, A. and Corbin, J. (1990), Basics of Qualitative Research: Grounded Theory Procedures and Techniques, Sage, Thousand Oaks, CA.

Strauss, A. and Corbin, J. (1998), Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory, Sage Publications, Thousand Oaks, CA.


Tallon, P.P., Kraemer, K.L. and Gurbaxani, V. (2000), “Executives’ perceptions of the business value of information technology: a process-oriented approach”, Journal of Management Information Systems, Vol. 16 No. 4, pp. 145-73.

Tavakolian, H. (1989), “Linking the information technology structure with organizational competitive strategy: a survey”, MIS Quarterly, Vol. 13 No. 3, pp. 309-17.

Teo, T.S.H. and Pian, Y. (2003), “A contingency perspective on Internet adoption and competitive advantage”, European Journal of Information Systems, Vol. 12 No. 2, pp. 78-92.

Tidd, J., Bessant, J. and Pavitt, K. (1997), Managing Innovation: Integrating Technological, Market and Organizational Change, John Wiley & Sons, Chichester.

Trauth, E.M. and Jessup, L.M. (2000), “Understanding computer-mediated discussions: positivist and interpretive analyses of group support system use”, MIS Quarterly, Vol. 24 No. 1, pp. 43-79.

Urquhart, C. (1997), “Exploring analyst-client communication: using grounded theory techniques to investigate interaction in informal requirements gathering”, in Lee, A.S., DeGross, J.I. and Liebenau, J. (Eds), Information Systems and Qualitative Research, Chapman & Hall, London, pp. 149-81.

Venkatraman, N. (1993), “Continuous strategic alignment: exploiting information technology capabilities for competitive success”, European Management Journal, Vol. 11 No. 2, pp. 139-49.

Von Solms, B. (2001), “Corporate governance and information security”, Computers & Security, Vol. 20 No. 3, pp. 215-8.

Ward, J. and Griffiths, P.M. (1996), Strategic Planning for Information Systems, John Wiley, Chichester.

Ward, J. and Peppard, J. (2002), Strategic Planning for Information Systems, John Wiley & Sons Ltd, Chichester.

Yu, Z., Yan, H. and Cheng, T.C.E. (2002), “Modelling the benefits of information sharing-based partnerships in a two-level supply chain”, Journal of the Operational Research Society, Vol. 53 No. 4, pp. 436-46.

Zuboff, S. (1988), The Age of the Smart Machine, Heinemann, Oxford.

Zviran, M. (1990), “Relationships between organizational and information systems objectives: some empirical evidence”, Journal of Management Information Systems, Vol. 7 No. 1, pp. 65-84.

Corresponding author

Elspeth McFadzean can be contacted at: [email protected]
