Article

Information Security Practices in Small-to-Medium Sized Businesses: A Hotspot Analysis

IGI Global Scientific Publishing
Information Resources Management Journal

Abstract

Small to medium-sized enterprises (SMEs) in North America do not always adequately address security. Based on responses from 232 SME owners and managers, the authors found that the adoption of security recommendations made by experts appears to be significantly influenced by the decisions of other local SMEs. A hot-spot analysis of information security practices suggested that local trends lead to prioritizing certain security practices and not adopting others. Follow-up interviews with business owners and Chamber of Commerce directors provided insights on how security hotspots did or did not develop. The study identified both hot spot and cold spot communities, and sought to assess how local business networking conduits like chambers of commerce help promote best security practices.


... Also, SMEs might not realize that their employees should be supporting each other. Finally, they might not know that they can obtain security advice from other small businesses who are geographically close to them (Marett and Barnett, 2019). ...
Article
Purpose: There is widespread concern about the fact that small- and medium-sized enterprises (SMEs) seem to be particularly vulnerable to cyberattacks. This is perhaps because smaller businesses lack sufficient situational awareness to make informed decisions in this space, or because they lack the resources to implement security controls and precautions. Design/methodology/approach: In this paper, Endsley’s theory of situation awareness was extended to propose a model of SMEs’ cyber situational awareness, and the extent to which this awareness triggers the implementation of cyber security measures. Empirical data were collected through an online survey of 361 UK-based SMEs; subsequently, the authors used partial least squares modeling to validate the model. Findings: The results show that heightened situational awareness, as well as resource availability, significantly affects SMEs’ implementation of cyber precautions and controls. Research limitations/implications: While resource limitations are undoubtedly a problem for SMEs, their lack of cyber situational awareness seems to be the area requiring most attention. Practical implications: The findings of this study are reported and recommendations were made that can help to improve situational awareness, which will have the effect of encouraging the implementation of cyber security measures. Originality/value: This is the first study to apply the situational awareness theory to understand why SMEs do not implement cyber security best practice measures.
Chapter
Small and medium-sized enterprises (SMEs) play a crucial role in the global economy, but they are also increasingly vulnerable to cyberattacks due to their limited resources and expertise in cybersecurity. Cyberattacks can have serious consequences for SMEs, including financial losses, reputational damage, and even bankruptcy. Therefore, it is essential for SMEs to be aware of the risks of cyberattacks and to implement effective cybersecurity measures to protect themselves. This research paper aims to investigate the impact of cyber security awareness on SMEs’ profitability and continuity in the Kingdom of Bahrain. The findings of this research paper are expected to contribute to the understanding of the importance of cyber security awareness for SMEs and the need for greater investment in this area. The research will highlight the challenges that SMEs face in implementing effective cybersecurity measures and the potential impact of cyberattacks on their profitability and continuity. The study will also provide recommendations for SMEs on how to improve their cyber security practices and mitigate the risks of cyberattacks. The research paper will make a significant contribution to the literature on cybersecurity awareness in SMEs and provide insights into the challenges and opportunities for SMEs in this area. The study will have important implications for policymakers, SME owners and managers, and other stakeholders interested in promoting the growth and sustainability of SMEs. By raising awareness of the importance of cybersecurity, SMEs can protect themselves from the increasing threat of cyberattacks and ensure their profitability and continuity.
Article
The prevalence of security threats like ransomware continues to increase and victimize a wide range of targets, which includes municipal information systems. These attacks are commonly reported in media outlets available in attacked communities. This study seeks to understand how effective news reporting can be toward influencing the behavior of people who live within the proximity of the attack. The results suggest a geographic influence on individual behaviors that could well extend beyond the context of information security into other areas of behavioral IS research.
Article
This tutorial provides a foundation on geographic information systems (GIS) as they relate to and are part of the IS body of knowledge. The tutorial serves as a ten-year update on an earlier CAIS tutorial (Pick, 2004). During the decade, GIS has expanded with wider and deeper range of applications in government and industry, widespread consumer use, and an emerging importance in business schools and for IS. In this paper, we provide background information on the key ideas and concepts of GIS, spatial analysis, and latest trends and on the status and opportunities for incorporating GIS, spatial analysis, and locational decision making into IS research and in teaching in business and IS curricula.
Article
Mixed methods research is an approach that combines quantitative and qualitative research methods in the same research inquiry. Such work can help develop rich insights into various phenomena of interest that cannot be fully understood using only a quantitative or a qualitative method. Notwithstanding the benefits and repeated calls for such work, there is a dearth of mixed methods research in information systems. Building on the literature on recent methodological advances in mixed methods research, we develop a set of guidelines for conducting mixed methods research in IS. We particularly elaborate on three important aspects of conducting mixed methods research: (1) appropriateness of a mixed methods approach; (2) development of meta-inferences (i.e., substantive theory) from mixed methods research; and (3) assessment of the quality of meta-inferences (i.e., validation of mixed methods research). The applicability of these guidelines is illustrated using two published IS papers that used mixed methods. Copyright © 2013 by the Management Information Systems Research Center (MISRC) of the University of Minnesota.
Article
The process of knowledge production exhibits a very distinctive geography. This article argues that this geography is fundamental, not incidental, to the innovation process itself: that one simply cannot understand innovation properly if one does not appreciate the central role of spatial proximity and concentration in this process. The goal of this article is to demonstrate why this is true, and to examine how innovation systems at the subnational scale play a key part in producing and reproducing this uneven geography over time. This article addresses four key issues. First, it looks at the reason why location matters when it comes to innovative activity. Second, it turns to examine regional innovation systems, and the role played by them in generating and circulating new knowledge leading to innovation. Third, the article considers the relationship between regional systems of innovation and institutional frameworks at the national level. Finally, the relationship between local and global knowledge flows is examined.
Article
This study integrates tenets of the behavioral theory of the firm and neo-institutional theory to identify four recurring search mechanisms that are expected to influence hospital managers' information systems investment decisions. To account for the critical role of regulation in healthcare, senior managers' reliance on each of these four search mechanisms is hypothesized to be contingent upon their hospital's regulative legitimacy. Analyses of panel data from all 153 public nonspecialist hospital organizations in England reveal that hospital managers invest in IS not only to find solutions to performance shortfalls (problemistic search), but also to achieve continuity and predictability in resource allocation (institutionalized search) and signal conformity with external norms and expectations (mimetic search). We find that the desire to make adequate use of uncommitted financial resources (slack search) is salient only among hospitals with low levels of regulative legitimacy. These new insights into the motives that trigger, and constrain, senior managers' IS investment decisions will help IS managers to strengthen their case for IS investment and guide policy makers in how best to allocate resources to IS in healthcare and possibly beyond.
Article
Drawing on institutional theory, we examine how the institutional logics—taken-for-granted norms, structures, and practices—of different types of funding partners influence young firms and their search for innovations. We test our hypotheses in a longitudinal study of a complete population of ventures in the minimally invasive surgical device industry in the U.S., supplemented by interviews with industry informants. We find that types of funding partners vary significantly from one another: they all provide resources, but their institutional logics differ. Venture capitalists (VCs) pick young firms with significant patented technologies and help firms launch products, and high-status VCs strengthen both the patenting and product innovations of young firms. Corporate venture capitalists and government agencies also select patent-intensive firms but are less effective than VCs in helping ventures during the relationship because, though these partners often have impressive technical and commercial resources for innovation, their institutional logics constrain how effectively young firms can access their resources. Relative to other types of funding partners, VCs have a closer advisor relationship with the venture; greater power, influence, and access to resources; better-paced and more-motivating milestones; and better understanding of the commercialization process. Our results extend the institutional logics literature to interorganizational relationships and suggest that the choice among types of funding partners may have unanticipated effects on firms’ innovation beyond the financial resources gained through the relationship.
Article
Multiple institutional logics present a theoretical puzzle. While scholars recognize their increasing prevalence within organizations, research offers conflicting perspectives on their implications, causing confusion and inhibiting deeper understanding. In response, we propose a framework that delineates types of logic multiplicity within organizations, and we link these types with different outcomes. Our framework categorizes organizations in terms of logic compatibility and logic centrality and explains how field, organizational, and individual factors influence these two dimensions. We illustrate the value of our framework by showing how it helps explain the varied implications of logic multiplicity for internal conflict. By providing insight into the nature and implications of logic multiplicity within organizations, our framework and analysis synthesize the extant literature, offer conceptual clarity, and focus future research.
Article
Changes in corporate governance practices can be analyzed by linking the adaptations of individual firms to the structures of the networks in which firms' decision makers are embedded. Network structures determine the speed of adaptation and ultimate patterns of prevalence of governance practices by exposing a firm to particular role models and standards of appropriateness. The authors compare the spreads of two governance innovations adopted in response to the 1980s takeover wave: poison pills (which spread rapidly through a board-to-board diffusion process) and golden parachutes (which spread slowly through geographic proximity). The study closes with a discussion of networks as links between individual adaptation and collective structures.
Article
Organizations can learn from the innovations made or adopted by other organizations. I present a framework for interorganizational learning that allows study of how learning is affected by the characteristics of the origin and destination organizations and their relationship. I survey recent findings within this framework and develop new propositions on the population-level consequences of interorganizational learning from innovations. I identify areas of work that have received insufficient attention and make new proposals for research.
Article
This paper argues that research in organization theory has seen a shift in orientation from paradigm-driven work to problem-driven work since the late 1980s. A number of paradigms for the study of organizations were elaborated during the mid-1970s, including transaction cost economics, resource dependence theory, organizational ecology, new institutional theory, and agency theory in financial economics. These approaches reflected the dominant trends of the large corporations of their time: increasing concentration, diversification, and bureaucratization. However, subsequent shifts in organizational boundaries, the increased use of alliances and network forms, and the expanding role of financial markets in shaping organizational decision making all make normal science driven by the internally derived questions from these paradigms less fruitful. Instead, we argue that problem-driven work that uses mechanism-based theorizing and research that takes the field rather than the organization as the unit of analysis are the most appropriate styles of organizational research under conditions of major economic change - such as our own era. This sort of work is best exemplified by various studies under the rubric of institutional theory in the past 15 years, which are reviewed here.
Article
Introduced in this paper is a family of statistics, G, that can be used as a measure of spatial association in a number of circumstances. The basic statistic is derived, its properties are identified, and its advantages explained. Several of the G statistics make it possible to evaluate the spatial association of a variable within a specified distance of a single point. A comparison is made between a general G statistic and Moran’s I for similar hypothetical and empirical conditions. The empirical work includes studies of sudden infant death syndrome by county in North Carolina and dwelling unit prices in metropolitan San Diego by zip-code districts. Results indicate that G statistics should be used in conjunction with I in order to identify characteristics of patterns not revealed by the I statistic alone and, specifically, the $G_i$ and $G_i^*$ statistics enable us to detect local “pockets” of dependence that may not show up when using global statistics.
Article
Modern economies can be characterised as 'learning economies' in which knowledge is the crucial resource and learning is the most important process. Different kinds of learning and economically relevant types of knowledge can likewise be identified. It is argued that pure market economies, if such existed, would have severe problems in terms of learning and innovation. The 'learning economy' is a mixed economy in a fundamental sense.
Article
What makes organizations so similar? We contend that the engine of rationalization and bureaucratization has moved from the competitive marketplace to the state and the professions. Once a set of organizations emerges as a field, a paradox arises: rational actors make their organizations increasingly similar as they try to change them. We describe three isomorphic processes--coercive, mimetic, and normative--leading to this outcome. We then specify hypotheses about the impact of resource centralization and dependency, goal ambiguity and technical uncertainty, and professionalization and structuration on isomorphic change. Finally, we suggest implications for theories of organizations and social change.
Article
We used resource-based theory and evidence from empirical studies to evolve a framework of IS competences in small and medium-sized enterprises (SMEs). The framework significantly improved our understanding of internal IS expertise in SMEs. We used relevant IS competence and SME literature, as well as empirical data from SME case studies. Our set of twenty-two IS competences were organized around six macro competences. Each competence refers to a specific ability at the organizational rather than the individual level and they cover a broad range of activities, such as those associated with recognising business opportunities, IS planning, accessing IS knowledge, defining requirements, software and hardware sourcing, applications development, and managing relationships with IS suppliers. The framework was tested against prior literature, including studies of IS adoption, IS success, and entrepreneurial competence. Each competence was fully explained and discussed using evidence from the case studies. The framework creates a comprehensive set of IS competences that can be used in both SME practice and research.
Article
The likelihood that the firm's information systems are insufficiently protected against certain kinds of damage or loss is known as "systems risk." Risk can be managed or reduced when managers are aware of the full range of controls available and implement the most effective controls. Unfortunately, they often lack this knowledge, and their subsequent actions to cope with systems risk are less effective than they might otherwise be. This is one viable explanation for why losses from computer abuse and computer disasters today are uncomfortably large and still so potentially devastating after many years of attempting to deal with the problem. Results of comparative qualitative studies in two information services Fortune 500 firms identify an approach that can effectively deal with the problem. This theory-based security program includes (1) use of a security risk planning model, (2) education/training in security awareness, and (3) Countermeasure Matrix analysis.
Article
Our paper is motivated by one simple question: Why do so many action research efforts fail to persist over time? We approach this question, the problem of sustainability, building on a perspective on action research identifying the pivotal importance of networks. More precisely, local action research interventions need to be conceptualized and approached as but one element in a larger network of action in order to ensure sustainability. A vital aspect of our perspective is that local interventions depend heavily on the support of similar action research efforts in other locations. This is essential for the necessary processes of learning and experience sharing. We suggest that the scaling (i.e., spreading) of intervention is a prerequisite, not a luxury, for sustainable action research. Empirically, we base our analysis on an ongoing, large-scale action research project within the health care sector (called HISP) in a number of developing countries. HISP provides a fruitful occasion to investigate key criteria for our approach to action research, namely sustainability, scalability, and capacity to be politically relevant to the participants. We contribute to three discourses: (1) models of action research, (2) lessons for health information systems in developing countries, and (3) more generally, IS implementations that are dispersed, large-scale, and have scarce resources.
Article
What explains differences in firms’ abilities to acquire competitive capabilities? In this paper we propose that a firm’s embeddedness in a network of ties is an important source of variation in the acquisition of competitive capabilities. We argue that firms in geographical clusters that maintain networks rich in bridging ties and sustain ties to regional institutions are well‐positioned to access new information, ideas, and opportunities. Hypotheses based on these ideas were tested on a stratified random sample of 227 job shop manufacturers located in the Midwest United States. Data were gathered using a mailed questionnaire. Results from structural equation modeling broadly support the embeddedness hypotheses and suggest a number of insights about the link between firms’ networks and the acquisition of competitive capabilities. Copyright © 1999 John Wiley & Sons, Ltd.
Article
Scholars have begun to investigate the prevalence of Corporate Social Responsibility (CSR) within the context of small and medium-sized enterprises (SMEs). This paper studies the implementation of non-financial sustainability reporting tools in Italian SMEs as part of their Small Business Social Responsibility (SBSR) long supply chain compact with large multinationals. The fundamental finding of this work is that because of the down-streaming effect of CSR reporting from large companies to small ones, SMEs approach sustainability as a standard management practice. The sample is composed of 73 Italian multi-certified entities (SA8000/ISO14001/EMAS) that have published their sustainability report online between 2011 and 2013. Principal Component Analysis (PCA) was used to discover three otherwise un-observable underlying effects.
Article
Despite long-standing predictions that developments in, for example, personal and cloud computing practices would change the ways in which we approach security, small-scale IT users (SSITUs) remain ill-served by existing cyber security practices. Following an extensive study of the adoption of cyber security in UK-based SSITUs, this paper discusses results pertaining to technologies employed by such organisations, with respect to their ability to apply security measures. We determine: that the system architectures employed by SSITUs are significantly different to those employed by large corporate or government entities; that the architecture of a small organisation's digital footprint has far more impact on their overall security than would be the case for a large organisation; and that SSITUs do not hold sufficient influence within the supply chain to manage cyber security in their interactions with service providers. We show that improving small-scale cyber security architectures is not simply about developing new technology; rather, there are additional needs to consider, including technology use in the context of interactions that occur within a broader ecosystem of a supply chain, users with multiple roles, and the impact of the digital footprint on security.
Article
Active sharing of information security advice among the employees has undeniable implications for developing a sustainable security environment. This research examines this topic from the network perspective, and focuses on the work relationships that promote sharing security advice. Exponential random graph modeling technique was employed to evaluate the relationship between team collaborative activities and sharing security advice. The findings revealed that those who share security advice also tend to give work- and IT-related knowledge. Moreover, employees who have similar tenure tend to exchange security advice with each other more. Furthermore, the network of sharing security advice is transitive and has a tendency to form separate clusters. Security managers are suggested to take into account the research findings to identify key employees who frequently share security advice in the workplace and devise appropriate strategies to manage them.
Article
As organisations are developing people-centric security workplaces, where proactive security behaviours are fostered, it is important to understand more about the sources of security influence. This research applied social network analysis methods to investigate security influence within a large interior contractor in Vietnam. The findings revealed that security influence occurs between employees in the same department, and especially comes from those who are in senior positions, have longer tenure, or are younger. Engagement in daily work and security-related activities can also increase the likelihood of influencing security behaviours. Moreover, we found the security influence network to be transitive and have a hierarchical structure.
Article
With computer security spending on the rise, organizations seem to have accepted the notion that buying more—and more expensive—defenses allows them to better protect their computer systems. In the context of complex computer systems, however, defenses can also have the opposite effect, creating new, unforeseen vulnerabilities in the systems they are intended to protect. Advocacy for defense-in-depth and diverse security measures has contributed to this “more is better” mentality for defending computer systems, which fails to consider the complex interaction of different components in these systems, especially with regard to what impact new security controls may have on the operation and functionality of other, preexisting defenses. We give examples of several categories of perverse effects in defending computer systems and draw on the theory of unintended consequences and the duality of technology to analyze the origins of these perverse effects, and to develop a classification scheme for the different types and some methods for avoiding them.
Article
Using the lens of Clegg's Circuits of Power (CoP) framework, this study examines the resistance to a UK information security certification scheme through three episodes of power that led to its withdrawal in 2000. The UK authorities sought to generate market competition between a generic certificate scheme with lower costs and international recognition and one based on technical rigor, but they failed in their objectives because of resistance from organizational players. This paper makes contributions to the understanding of the discursive nature of resistance to change in the research of standards and certification, and contributes to the literature by formulating the concept of discourse resilience: the property of discourses to resist change. It identifies the non-agentic nature of resistance in the absence of coercive power and presents a reflection on legitimacy as a required attribute for the acceptance of a certificate scheme. The research finds that what organizations deem to be legitimate is the result of power.
Chapter
Information security is a relevant fact for current organizations. There are factors inextricably linked to this issue, and one cannot talk about information security in an organization without addressing and understanding the information security culture of that institution. Maximizing the organizational culture within an organization will enable the safeguard of information security. For that, we need to understand which the inhibiting and the enabling factors are. This paper contributes to point out those factors by presenting the results of a survey concerning information security culture in small and medium sized enterprises (SMEs). We discuss the results in the light of related literature, and we identify future works aiming to enhance information security within organizations.
Article
Introduction: Insufficient sleep is associated with cardiometabolic risk and neurocognitive impairment. Determinants of insufficient sleep include many social and environmental factors. Assessment of geographic hot/coldspots may uncover novel risk groups and/or targets for public health intervention. The aim of this study was to discern geographic patterns in the first data set to include county-level sleep data. Methods: The 2009 Behavioral Risk Factor Surveillance System was used. Insufficient sleep was assessed with a survey item and dichotomized. Data from n = 2231 counties were available. Tests for significant spatial concentrations of high/low levels of insufficient sleep (hotspots/coldspots) used the Getis-Ord G* statistic of local spatial concentration, chosen due to the nature of missing data. Results: Eighty-four counties were hotspots, with high levels of insufficient sleep (P < .01), and 45 were coldspots, with low insufficient sleep (P < .01). Hotspots were found in Alabama (1 county), Arkansas (1), Georgia (1), Illinois (1), Kentucky (25), Louisiana (1), Missouri (4), Ohio (7), Tennessee (12), Texas (9), Virginia (6), and West Virginia (16). Coldspots were found in Alabama (1 county), Georgia (2), Illinois (6), Iowa (6), Michigan (2), Minnesota (1), North Carolina (1), Texas (7), Virginia (12), and Wisconsin (6). Several contiguous hotspots and coldspots were evident. Notably, the 17 counties with the highest levels of insufficient sleep were found in a contiguous set at the intersection of Kentucky, Tennessee, Virginia, and West Virginia (all P < .0002). Conclusions: Geographic distribution of insufficient sleep in the United States is uneven. Some areas (most notably parts of Appalachia) experience disproportionately high amounts of insufficient sleep and may be targets of intervention. Further investigation of determinants of geographic variability needs to be explored, which would enhance the utility of these data for development of public health campaigns.
Article
Human–Computer Interaction (HCI) researchers are increasingly examining how Information and Communication Technologies (ICTs) can help people eat more healthfully. However, within HCI, there has been little examination of the way that cultural values influence how people think about food and wellness, and how sociocultural context supports or impedes attempts to eat healthfully. Our work focuses on the diet-related health challenges of African Americans within low-income neighborhoods. This population disproportionately experiences diet-related disease, and as such, researchers have consistently advocated research that examines the way in which food practices are culturally situated. Through formative focus groups with 46 participants we identified several design implications for tools that promote healthy eating while accounting for collectivism, a cultural value often ascribed to the African American population. Based on our design implications we developed, deployed and evaluated two systems that supported the sharing of community-held knowledge about making healthy eating decisions. In our discussion, we present implications for the design of collectivistic systems that address food practices. We conclude with recommendations for HCI research that investigates the relationship between culture and food more broadly.
Article
We explore HRIS and e-HR security by presenting information security fundamentals and how they pertain to organizations. With increasing use of enterprise systems such as HRIS and e-HR, security of such systems is an area that is worthy of further exploration. Even then, there is surprisingly little research in this area, albeit that extensive work is present in regard to HRIS privacy. While focusing on HRIS and e-HR security, we introduce aspects of HRIS and e-HR security and how it can be enhanced in organizations. A research model is also presented along with propositions that can guide future research.
Article
To examine the effects of interorganizational network structures on acquisition decisions, we propose a model whereby firms learn by sampling the diverse experiences of their network partners. We tested this model by examining the effect of diversity of network partners' experience on firms' acquisition decisions, using data on acquisition premiums and acquirers' stock market performance from 1986 to 1997. Results show that firms tied to others with heterogeneous prior premium experience tend to pay less for their acquisitions and have better-performing acquisitions than those tied to others with homogeneous experience. Firms also pay lower premiums when their network partners (1) have completed deals of diverse sizes, (2) have unique information, and (3) are themselves of diverse sizes. Firms that have multiplex relationships with their partners receive even more benefit. The results extend prior research on networks and learning by showing that collective network experience affects firms' decision quality.
Article
A study of 230 private colleges over 16 turbulent years supports two arguments: (1) Strong ties to other organizations mitigate uncertainty and promote adaptation by increasing communication and information sharing. (2) Networks can promote social learning of adaptive responses, rather than other, less productive, forms of interorganizational imitation. Colleges that were members of smaller, older, and more homogeneous intercollegiate consortia were more likely to undertake fundamental curriculum changes. Colleges tended to imitate similar consortium partners that were performing well rather than larger and more prestigious partners. Implications for organizational adaptation and the growing network perspective within organization theory are considered.
Article
The objective of this paper is to analyse the characteristics and nature of the networks that firms utilize to access knowledge and facilitate innovation. The paper draws on the notion of network resources, distinguishing two types: social capital, consisting of the social relations and networks held by individuals; and network capital, consisting of the strategic and calculative relations and networks held by firms. The methodological approach consists of a quantitative analysis of data from a survey of firms operating in knowledge-intensive sectors of activity. The key findings include: social capital investment is more prevalent among firms frequently interacting with actors from within their own region; social capital investment is related to the size of firms; firm size plays a role in knowledge network patterns; and network dynamism is an important source of innovation. Overall, firms investing more in the development of their inter-firm and other external knowledge networks enjoy higher levels of innovation. It is suggested that an over-reliance on social capital forms of network resource investment may hinder the capability of firms to manage their knowledge networks. It is concluded that the link between a dynamic inter-firm network environment and innovation provides an alternative thesis to that advocating the advantage of network stability.
Article
This article develops theory relating to how differences in the human capital of academic entrepreneurs influence their ability to develop social capital that can address the barriers to venture development. We examine the development of social capital by three types of academic entrepreneurs with differing levels of entrepreneurship experience: nascent, novice, and habitual entrepreneurs. Using a longitudinal study, critical differences are observed between the structure, content, and governance of their social networks. We propose that entrepreneurs with prior business ownership experience have broader social networks and are more effective in developing network ties. Less experienced entrepreneurs likely encounter structural holes between their scientific research networks and industry networks. Support initiatives help attract industry partners for novice entrepreneurs from engineering and the material sciences but academics based within biological sciences encounter greater difficulties building such ties. Regardless of academic discipline, business ownership experience appears essential to learn to build relationships with experienced managers and potential equity investors.
Article
Information system (IS) security continues to present a challenge for executives and professionals. A large part of IS security research is technical in nature with limited consideration of people and organizational issues. The study presented in this paper adopts a broader perspective and presents an understanding of IS security in terms of the values of people from an organizational perspective. It uses the value-focused thinking approach to identify ‘fundamental’ objectives for IS security and ‘means’ of achieving them in an organization. Data for the study were collected through in-depth interviews with 103 managers about their values in managing IS security. Interview results suggest 86 objectives that are essential in managing IS security. The 86 objectives are organized into 25 clusters of nine fundamental and 16 means categories. These results are validated by a panel of seven IS security experts. The findings suggest that for maintaining IS security in organizations, it is necessary to go beyond technical considerations and adopt organizationally grounded principles and values.
Article
Knowledge sharing allows trading partners to orchestrate the operation of supply chain and capture positions of advantage. Yet, lack of knowledge sharing has been consistently found to be the most critical failure factor in supply chain management. This paper intends to study the factors affecting trading partners’ entering knowledge sharing ties. Drawing upon transaction cost economics and socio-political theories, we developed our research framework. The hypotheses derived were tested by data collected with six medium-sized companies. Data analysis showed that socio-political factors were more robust in affecting the focal firm’s decision on whether to share knowledge with a particular partner. In particular, trust towards the partner and the partner’s power were the primary factors leading the firm to enter the knowledge sharing ties. In contrast, asset specificity did not play an important role in affecting the firm’s knowledge sharing decision. Theoretical contribution and practical implications are discussed.
Article
IT/IS assimilation in organizations has been analyzed mainly by large companies, where its greatest adoption is observed. However, studies that analyze the effects IT/IS have on SMEs (small and medium-sized enterprises) have also begun to appear. The institutional theory offers an approach to understanding IT/IS diffusion and the adoption process caused by isomorphism within the institutional environment, mainly industry. One of its main postulates is the institutionalization of organizations can be an answer to the pressures that organizations receive to be similar. With the purpose of analyzing this postulate, we have identified an IT/IS adoption typology through a sample of organizations coming from main industries, using multivariant analysis. This typology has allowed us to evaluate IT/IS institutionalization in SMEs, and to analyze the explanatory potential of the institutional theory in order to evaluate IT/IS assimilation in organizations.
Article
Secure management of information systems is crucially important in information intensive organizations. Although most organizations have long been using security technologies, it is well known that technology tools alone are not sufficient. Thus, the area of end-user security behaviors in organizations has gained an increased attention. In information security observing end-user security behaviors is challenging. Moreover, recent studies have shown that the end users have divergent security views. The inability to monitor employee IT security behaviors and divergent views regarding security policies, in our view, provide a setting where the principal agent paradigm applies. In this paper, we develop and test a theoretical model of the incentive effects of penalties, pressures and perceived effectiveness of employee actions that enhances our understanding of employee compliance to information security policies. Based on 312 employee responses from 77 organizations, we empirically validate and test the model. Our findings suggest that security behaviors can be influenced by both intrinsic and extrinsic motivators. Pressures exerted by subjective norms and peer behaviors influence employee information security behaviors. Intrinsic motivation of employee perceived effectiveness of their actions was also found to play an important role in security policy compliance intentions. In analyzing the penalties, certainty of detection was found to be significant while surprisingly, severity of punishment was found to have a negative effect on security behavior intentions. We discuss the implications of our findings for theory and practice.
Article
Spatial analysis looks for statistically significant patterns in observed events that occur at specified locations. Most examples of spatial analysis consider aggregate characteristics over a number of coarsely defined regions rather than point processes. However, criminal events are point processes and should be modeled as such. In this paper, we combine recent advances in discrete choice theory and data mining to develop point process models for spatial analysis. We use this new methodology to analyze and predict the spatial behavior of criminals, and more generally, latent decision makers. The paper compares the performance of this methodology to more traditional hot spot methods of crime analysis.
Article
As organizations become increasingly dependent on information systems (IS) for strategic advantage and operations, the issue of IS security also becomes increasingly important. In the interconnected electronic business environment of today, security concerns are paramount. Management must invest in IS security to prevent abuses that can lead to competitive disadvantage. Using the literature on security practices and organizational factors, this study develops an integrative model of IS security effectiveness and empirically tests the model. The data were collected through a survey of IS managers from various sectors of the economy. Small and medium-sized enterprises were found to engage in fewer deterrent efforts compared to larger organizations. Organizations with stronger top management support were found to engage in more preventive efforts than organizations with weaker support from higher management. Financial organizations were found to undertake more deterrent efforts and have stiffer deterrent severity than organizations in other sectors. Moreover, greater deterrent efforts and preventive measures were found to lead to enhanced IS security effectiveness. Implications of these findings for further research and practice are discussed.
Article
Knowledge-acquisition activities of small- and medium-sized enterprises (SMEs) are assumed to benefit from geographic proximity to similar firms and centres of research excellence. This paper will explore the knowledge-acquisition processes and critical interfaces of innovative SMEs and outline factors that contributed to an observed lack of geographic proximity-based knowledge search activity. A growth path based upon innovation driven, rapid internationalisation and subsequent customisation strategies fostered organisational proximity-based knowledge-acquisition from international sources. It is argued that local contextual factors will determine if organisational or geographic proximity (or both) are the key to knowledge-acquisition. The recognition of a diversity of potential growth trajectories is recommended for SME policies.
Article
The application of real options techniques to information security is significantly different than in the case of general information technology investments due to characteristics unique to information security. Emerging research in the economics of information security has suggested real options analysis (ROA) as a potential technique for assessing the value of information security assets, but has focused primarily on the most effective level of investment and the configuration of intrusion prevention/detection systems. In this paper, we attempt to address significant gaps in the literature by developing an integrated real options model for information security investments using Bayesian statistics that incorporates learning and postauditing in the analysis. By using the proposed model with actual data on e-mail and spam, we demonstrate that ROA with Bayesian postauditing offers a systematic valuation and risk management framework for evaluating information security spending by firms. We also discuss the managerial implications.
Article
Despite the significant opportunities to transform the way that organizations conduct trading activities, few studies have investigated the impetus for organizational strategic moves toward business-to-business (B2B) electronic marketplaces. Drawing on transaction cost theory and institutional theory, this paper identifies two groups of factors (efficiency- and legitimacy-oriented factors, respectively) that can influence organizational buyers' initial adoption of, and the level of participation in, B2B e-marketplaces. The effects of these factors on initial adoption of and participation level in B2B e-marketplaces are empirically tested with data collected, respectively, from 98 potential adopter and 85 current adopter organizations. The results of a partial least squares analysis of the data indicate that the two groups of factors exhibit different patterns in explaining initial adoption in the preadoption period and participation level in the postadoption period. Specifically, all three of the efficiency-oriented factors investigated in this study (product characteristics, demand uncertainty, and market volatility) and their subconstructs exhibit a significant influence on adoption intent or participation level, or both. The results demonstrate that two legitimacy-oriented factors (mimetic pressures and normative pressures) and their subconstructs have a significant impact on adoption intent, but not on participation level. Our findings also indicate that clearly different patterns exist between the two groups of factors in explaining adoption intent and participation level.
Article
This research is an attempt to better understand how external and internal organizational influences shape organizational actions for improving information systems security. A case study of a multi-national company is presented and then analyzed from the perspective of neo-institutional theory. The analysis indicates that coercive, normative, and mimetic isomorphic processes were evident, although it was difficult to distinguish normative from mimetic influences. Two internal forces related to work practices were identified representing resistance to initiatives to improve security: the institutionalization of work mobility and the institutionalization of efficiency outcomes expected with the adoption of company initiatives, especially those involving information technology. The interweaving of top–down and bottom–up influences resulted in an effort to reinforce, and perhaps reinstitutionalize the systems component of information security. The success of this effort appeared to hinge on top management championing information system security initiatives and propagating an awareness of the importance of information security among employees at all levels of the company. The case shows that while regulatory forces, such as the Sarbanes-Oxley Act, are powerful drivers for change, other institutional influences play significant roles in shaping the synthesis of organizational change.
Article
Contemporary business organizations are increasingly turning their attention to jointly creating value with a variety of stakeholders, such as individual customers and other business organizations. However, a review of the literature reveals that very few studies have systematically examined value cocreation within business-to-business (B2B) contexts. Using a revelatory case study of the relationship between an ERP vendor with a global reputation and its partners, and informed by the resource-based view of the firm and related theoretical perspectives, we develop an understanding of value cocreation in B2B alliances associated with selling, extending, and implementing packaged software, specifically ERP systems. Our study reveals that there are different mechanisms underlying value cocreation within B2B alliances, and also points to several categories of contingency factors that influence these mechanisms. In addition to providing insights about the phenomenon of cocreation itself, the study contributes to the stream of packaged software literature, where the implications of value cocreation in alliances between packaged software vendors and their partners for the client organizations have not been sufficiently explored.
Article
We argue that because of important epistemological differences between the fields of information technology and organization studies, much can be gained from greater interaction between them. In particular, we argue that information technology research can benefit from incorporating institutional analysis from organization studies, while organization studies can benefit even more by following the lead of information technology research in taking the material properties of technologies into account. We further suggest that the transformations currently occurring in the nature of work and organizing cannot be understood without considering both the technological changes and the institutional contexts that are reshaping economic and organizational activity. Thus, greater interaction between the fields of information technology and organization studies should be viewed as more than a matter of enrichment. In the intellectual engagement of these two fields lies the potential for an important fusion of perspectives, a fusion more carefully attuned to explaining the nature and consequences of the techno-social phenomena that increasingly pervade our lives.
Article
This study used Institutional Theory as a lens to understand the factors that enable the adoption of interorganizational systems. It posits that mimetic, coercive, and normative pressures existing in an institutionalized environment could influence organizational predisposition toward an information technology-based interorganizational linkage. Survey-based research was carried out to test this theory. Following questionnaire development, validation and pretest with a pilot study, data was collected from the CEO, the CFO and the CIO to measure the institutional pressures they faced and their intentions to adopt Financial Electronic Data Interchange (FEDI). A firm-level structural model was developed based on the CEO’s, the CFO’s, and the CIO’s data. LISREL and PLS were used for testing the measurement and structural models respectively. Results showed that all three institutional pressures: mimetic pressures, coercive pressures, and normative pressures had a significant influence on organizational intention to adopt FEDI. Except for perceived extent of adoption among suppliers, all other subconstructs were significant in the model. These results provide strong support for institutional-based variables as predictors of adoption intention for interorganizational linkages. These findings indicate that organizations are embedded in institutional networks and call for greater attention to be directed at understanding institutional pressures when investigating information technology innovations adoption.