Information systems security - “How much is enough?”

Authors

Farkhondeh Hassandoust, Auckland University of TechnologyFollow
Maduka Subasinghage, Auckland University of TechnologyFollow
Harminder Singh, Auckland University of TechnologyFollow

Paper Number

387

Abstract

While various information systems (IS) security control checklists and frameworks exist, there is little guidance to understand how these controls interact so that managers and researchers can evaluate the aggregate impact of IS security controls on an organization. Doing so is necessary to identify the level of security that is present in an organization and whether that level is adequate for its needs. The lack of research on this topic has meant that our understanding of the aggregate impact of IS security controls often relies on the intuition and atheoretical ‘best practices’ of practitioners. This paper addresses this issue by first defining the concept of “IS security adequacy” and then developing a model of the antecedents of IS security adequacy. Building on concepts from the behavioral theory of the firm, such as problemistic search, aspiration-seeking, and routines, propositions are offered based on the arguments embedded in the model.

Recommended Citation

Hassandoust, Farkhondeh; Subasinghage, Maduka; and Singh, Harminder, "Information systems security - “How much is enough?”" (2021). PACIS 2021 Proceedings. 254.
https://aisel.aisnet.org/pacis2021/254