research-article

Integration of Information Systems and Cybersecurity Countermeasures: An Exposure to Risk Perspective

Published: 01 February 2018

Abstract

This paper investigates the relationship between Information Systems (IS) integration and the use of cybersecurity countermeasures using an adapted exposure to risk perspective which considers both the probability of a risk through vulnerability points theory and the impact of the risk if it occurs. Based on an econometric analysis of a survey sample of 9,721 French firms, the study finds that higher degrees of system integration entail higher degrees of cybersecurity usage. Whereas previously it was thought that systems integration reduces the number of vulnerabilities and thus the need for cybersecurity countermeasures, we find that the more the system is integrated, the greater the use of self-protective cybersecurity countermeasures. We theorize that this finding comes from the elimination of many uncontrollable vulnerabilities and the presence of fewer, but controllable, vulnerability points. This finding holds both for internal and external integration but is stronger in the latter case. Moreover, results show that internal dynamism is positively correlated with cybersecurity countermeasures. Our reasoning applies to cybersecurity in terms of self-protective security measures but not necessarily to risk-transfer security measures.




Published In

ACM SIGMIS Database: the DATABASE for Advances in Information Systems  Volume 49, Issue 1
February 2018
105 pages
ISSN:0095-0033
EISSN:1532-0936
DOI:10.1145/3184444
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 February 2018
Published in SIGMIS Volume 49, Issue 1


Author Tags

  1. cybersecurity countermeasures
  2. exposure to risk
  3. external integration
  4. French firms
  5. internal dynamism
  6. internal integration

Qualifiers

  • Research-article

Funding Sources

  • Region des Pays de la Loire
  • OLASI program

Article Metrics

  • Downloads (Last 12 months): 181
  • Downloads (Last 6 weeks): 12
Reflects downloads up to 09 Jan 2025

Cited By

  • (2024) Dark Clouds on the Horizon? Effects of Cloud Storage on Security Breaches. Journal of Management Information Systems, 41(1), 206-235. DOI: 10.1080/07421222.2023.2301177. Online publication date: 19-Feb-2024.
  • (2024) Bureaucracies in information securing: Transitioning from iron cages to iron shields. Information and Organization, 34(3), 100526. DOI: 10.1016/j.infoandorg.2024.100526. Online publication date: Sep-2024.
  • (2024) Analysis of the Adoption and Implementation of DICT's Six-Stage Cybersecurity Incident Response Model in Philippine Government Agencies. Future Data and Security Engineering. Big Data, Security and Privacy, Smart City and Industry 4.0 Applications, 3-15. DOI: 10.1007/978-981-96-0437-1_1. Online publication date: 27-Nov-2024.
  • (2023) Determinants and Influences of Information Systems Integration in a Public Higher Education Context. International Journal of Asian Business and Information Management, 14(1), 1-24. DOI: 10.4018/IJABIM.330987. Online publication date: 11-Oct-2023.
  • (2023) Cybersecurity Awareness Assessment among Trainees of the Technical and Vocational Training Corporation. Big Data and Cognitive Computing, 7(2), 73. DOI: 10.3390/bdcc7020073. Online publication date: 12-Apr-2023.
  • (2023) How digital transformation helps enterprises achieve high-quality development? Empirical evidence from Chinese listed companies. European Journal of Innovation Management, 27(8), 2753-2779. DOI: 10.1108/EJIM-11-2022-0610. Online publication date: 28-Apr-2023.
  • (2023) Design of integrated manufacturing information systems for reconfigurability and adaptability by modularizing the system architecture. International Journal of Computer Integrated Manufacturing, 37(5), 509-549. DOI: 10.1080/0951192X.2023.2228262. Online publication date: 23-Jul-2023.
  • (2023) A path to build supply chain cyber-resilience through absorptive capacity and visibility: Two empirical studies. Industrial Marketing Management, 111, 202-215. DOI: 10.1016/j.indmarman.2023.04.001. Online publication date: May-2023.
  • (2022) Effect of applying independence axiom of Axiomatic Design theory on performance of an Integrated Manufacturing Information System. Simulation, 98(7), 535-561. DOI: 10.1177/00375497211062892. Online publication date: 1-Jul-2022.
  • (2022) Skills Expectations in Cybersecurity: Semantic Network Analysis of Job Advertisements. Journal of Computer Information Systems, 63(4), 937-949. DOI: 10.1080/08874417.2022.2115954. Online publication date: 9-Sep-2022.
