Monday, May 29, 2017

Research: System Security Effectiveness in Large Versus Small Businesses

Schuessler, J. H., Windsor, J., & Wu, Y. (2014). System Security Effectiveness in Large Versus Small Businesses. Journal Of Information System Security, 10(1), 3.

This publication came from my dissertation. If you are familiar with the research process, dissertations, and whatnot, you know that this is one of your more robust pieces of research. Looking back, I certainly believe this to be true. I was lucky in that I really loved my topic and it kept me engaged throughout the process.

Information systems security is a big deal. We all know it. We see stories on TV, read about breaches in the news, and if you are one of the unfortunate ones, you have to deal with the consequences of some sort of information systems security compromise. Despite the recognition that security is largely a managerial issue (Hitchings, 1995), managers routinely rank security relatively low compared to other managerial issues (Luftman & Ben-Zvi 2010; Pimchangthong, Plaisent, & Bernard 2003). A lot of this is that they simply do not understand the gravity of the situation. Some of it has to do with a lack of understanding of the issues. This paper seeks to model the threat landscape along with the use of countermeasures and the ultimate effect on information systems security effectiveness. The goal was to develop a model that is hopefully more intuitive for managers and that can incorporate the dynamic nature of threats and the use of countermeasures. The result is a unique model that uses cross-sectional data (data gathered at one point in time) to assess a dynamic relationship that changes over time.

Using Deterrence Theory as its basis (Straub and Welke, 1998), the Security Action Cycle (SAC), which consists of deterrence, detection, prevention, and remedy as its dimensions, can be useful for framing the use of countermeasures by organizations. Countermeasures are dynamic in nature in that they constantly change in response to a changing set of threats faced by an organization. Threats are not limited to "hackers" but rather come in the form of threats from nation states, equipment obsolescence, natural disasters, etc. As the threat landscape changes, so must the use of countermeasures in order to manage risk. The ultimate goal is to ensure information system security effectiveness, which was conceptualized as the use of SAC efforts to protect hardware, software, data, and services. Lastly, important characteristics such as industry and organizational size were considered, recognizing that these factors might have an impact on the study.

Data was gathered, using an online survey, from AITP professional members due to the diverse nature of their membership and their participation in prior studies (Nance & Straub 1988; Straub & Nance 1990). Of the 1500 professional members surveyed, 73 responses were gathered. Though low, this is not unusual for security-related research. For a great example, see Kotulic and Clark (2004). Using PLS, the results were analyzed. However, to take it to the next level and analyze the circular relationship, where the output results for deterrence, prevention, detection, and remedy became the input to the threats construct to close the circle, a personal communication with PLS guru Dr. W. Chin helped to conclude the analysis. The results can be seen below.
Some of the big takeaways were that there is a clear positive relationship between threats and the use of countermeasures. That should not come as a surprise. In fact, it would be surprising if there were not such a relationship. Interestingly, the model did indeed show a relationship between two of the dimensions of the SAC and the threats faced by an organization, thus validating the circular relationship between these two constructs. Additionally, three of the four SAC dimensions also showed a positive relationship to the information system security effectiveness construct, clearly showing that our use of countermeasures is having the intended protective effects. The study also showed that there is a relationship between industry and the use of preventive measures, and also between preventive measures and information systems security effectiveness. Perhaps most interesting of all, the study indicated a negative relationship between organizational size and the use of countermeasures. So, relatively speaking, smaller organizations tend to employ more countermeasures than their larger counterparts. However, when considered together with the result of no relationship between organizational size and information systems security effectiveness, a logical conclusion could be that larger organizations do a better job of targeting the use of countermeasures to respond to specific threats, whereas small organizations tend to "shotgun" their security measures.

This was a cool study to conduct. I learned a lot and ended up getting two publications out of it. It has helped to form my research stream. I have included the citation at the top of the post. If you are interested in more detail and academic writing does not deter you, please give it a good read and let me know what you think.