Abstract
End user development has grown in strength during the last decades. The advantages and disadvantages of this phenomenon have been debated over the years, but not extensively from an information security culture point of view. We therefore investigate information security design decisions made by an end user during an end user development project. The study is interpretative and the analysis is structured using the concept of inscriptions. Our findings show that end user development results in inscriptions that may induce security risks that organizations are unaware of. We conclude that it is important a) to include end user development as a key issue for information security management, b) to include end user developers as an important group for the development of a security-aware culture, and c) to address information security aspects in end user development policies.
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Karlsson, F., Hedström, K. (2014). End User Development and Information Security Culture. In: Tryfonas, T., Askoxylakis, I. (eds) Human Aspects of Information Security, Privacy, and Trust. HAS 2014. Lecture Notes in Computer Science, vol 8533. Springer, Cham. https://doi.org/10.1007/978-3-319-07620-1_22
DOI: https://doi.org/10.1007/978-3-319-07620-1_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07619-5
Online ISBN: 978-3-319-07620-1
eBook Packages: Computer Science (R0)