While various information systems (IS) security control checklists and frameworks exist, there is little guidance to understand how these controls interact so that managers and researchers can evaluate the aggregate impact of IS security controls on an organization. Doing so is necessary to identify the level of security that is present in an organization and whether that level is adequate for its needs. The lack of research on this topic has meant that our understanding of the aggregate impact of IS security controls often relies on the intuition and atheoretical ‘best practices’ of practitioners. This paper addresses this issue by first defining the concept of “IS security adequacy” and then developing a model of the antecedents of IS security adequacy. Building on concepts from the behavioral theory of the firm, such as problemistic search, aspiration-seeking, and routines, propositions are offered based on the arguments embedded in the model.
Hassandoust, Farkhondeh; Subasinghage, Maduka; and Singh, Harminder, "Information systems security - “How much is enough?”" (2021). PACIS 2021 Proceedings. 254.