8/16/2019 Article #6a Puput Anzaini Adilla
User Participation in Information System Security Risk Management
(Executive summary of a critical review of the article)
Reviewed by Puput Anzaini Adilla
I. Context
Practical gaps
The occurrence of IS security breaches by internal personnel may be reduced if
greater emphasis were placed on internal threats to IS security that can occur
when employees handle information in their day-to-day jobs. Instead, it is widely
believed that organizational efforts to manage IS security are typically focused
on vulnerabilities in technological assets such as hardware, software, and
networking, at the expense of managing other sources of vulnerabilities, such as
people, policies, processes, and culture (see Halliday et al. 1996; Hu et al. 2006;
Kahner and Krcmar 2005; Spears 2005; Straub and Welke 1998; von Solms and
von Solms 2004). Moreover, technology-focused IS security is typically centered
on external threats, such as hackers and viruses (see Doherty and Fulford 2005;
Whitman 2004), leaving organizations open to breaches from the inside.
Empirical gaps
There are at least two reasons why user participation in IS security risk
management can be valuable. First, user awareness of the risks to IS security is
widely believed to be fundamental to effective IS security (Aytes and Connolly
2004; Furnell 2008; Goodhue and Straub 1991; Hu et al. 2006; Siponen 2000a,
2000b; Straub and Welke 1998; Whitman 2004). That is, organizational security
controls (i.e., policies, procedures, safeguards, and countermeasures that prevent,
detect, or minimize an IS security breach) can only be effective to the extent that
people handling the information in their day-to-day jobs (e.g., functional business
users) are aware of those measures and adhere to them. Indeed, Goodhue and
Straub (1991, p. 13) suggested that "since protective measures often require
significant managerial vigilance, an appropriate level of awareness and concern
may be a pre-requisite for adequate security protection."
A combination of data collection and analysis methods was used on separate
samples to examine user participation in security risk management (SRM).
Interviews were conducted with one sample, followed by a survey study on a
different sample of professionals who had worked on compliance with the
Sarbanes-Oxley Act for their respective organizations. This multi-method (also
referred to as mixed-method and pluralist) approach was chosen based on the
premise that separate and dissimilar data sets drawn on the same phenomena
would provide a richer picture (Sawyer 2001, p. 180) of the concept of, and the
outcomes associated with, user participation than would a mono-method
approach. A sequential design (Hanson et al. 2005; Mingers 2001) was used, in
that the qualitative exploratory study informed a subsequent confirmatory study.
IV. Research findings
The findings of the two studies converged and indicated that user participation
contributed to improved security control performance through greater awareness,
greater alignment between IS security risk management and the business
environment, and improved control development. While the IS security literature
often portrays users as the weak link in security, the current study suggests that
users may be an important resource to IS security by providing needed business
knowledge that contributes to more effective security measures
ris"s within their business processes y having users participate in SR3!
security becomes more relevant to users and security measures become better
aligned with business objectives As such! user participation becomes a valuable
awareness strategy for users! IS! and security professionals
!UES$I%&
&