Module 3 Seminar 2 post
Summary
After reading the Spears & Barki (2010) case, below are the answers to the questions: The authors used a multi-method research design. The qualitative phase was carried out through interviews, followed by a survey of a sample of experts. The quantitative phase then evaluated the theoretical model that had been derived from the preceding qualitative study.
According to Spears & Barki (2010), the qualitative approach yields a solid understanding of the behaviors and activities that define user participation in security risk management for regulatory compliance. The hypotheses derived from that qualitative study then formed a variance model, which tested the degree to which user participation explained variation in pre-specified outcome variables (Tsohou et al. 2008). Thus, combining qualitative and quantitative methods gave the study both rich context and testability (Kaplan and Duchon 1988).
Spears & Barki (2010) note that there are many reasons why user participation in IS security risk management can be important. For instance, user awareness of threats or risks to IS is arguably critical to effective IS security (Aytes and Connolly 2004; Furnell 2008). Moreover, security controls must align with business objectives to be effective (Alberts and Dorofee 2003; Halliday et al. 1996). User participation in IS security risk analysis can arguably supply the needed business knowledge, thus contributing to more comprehensive security measures.
A lack of user access becomes challenging when it comes to gathering data and insights directly from users, which are crucial for understanding user behaviors, preferences, and potential security threats.
A lack of user access can indeed influence the choice between qualitative and quantitative assessment methods:
Qualitative Assessment: With limited user access, qualitative methods, such as interviews, surveys, and expert opinions, may become more prominent. These methods rely less on direct user data and more on subjective insights and expert judgment to assess risks and vulnerabilities.
Quantitative Assessment: Quantitative methods, which involve numerical data analysis and statistical modeling, often rely on large datasets, including user behavior data. The absence of such data can limit the effectiveness of quantitative approaches to risk assessment.
To mitigate issues arising from the lack of user access in both qualitative and quantitative assessment methods, organizations can consider the following strategies:
Use Proxy Data: Where direct user access is not available, organizations can leverage proxy data sources such as historical user behavior data, industry benchmarks, and threat intelligence feeds to inform risk assessments.
Collaborate with Stakeholders: Engage with stakeholders across departments, including IT, security, compliance, and business units, to gather insights and perspectives on potential risks and their likely impact.
References
- Alberts, C., and Dorofee, A. 2003. Managing Information Security Risks: The OCTAVE Approach, Upper Saddle River, NJ: Addison Wesley.
- Aytes, K., and Connolly, T. 2004. “Computer Security and Risky Computing Practices: A Rational Choice Perspective,” Journal of Organizational and End User Computing (16:3), pp. 22-40.
- Barki, H., and Hartwick, J. 1989. “Rethinking the Concept of User Involvement,” MIS Quarterly (13:1), pp. 53-63.
- Furnell, S. 2008. “End-User Security Culture: A Lesson That Will Never Be Learnt?” Computer Fraud & Security (2008:4), pp. 6-9.
- Halliday, S., Badenhorst, K., and von Solms, R. 1996. “A Business Approach to Effective Information Technology Risk Analysis and Management,” Information Management & Computer Security (4:1), pp. 19-31.
- Kaplan, B., and Duchon, D. 1988. “Combining Qualitative and Quantitative Methods in Information Systems Research: A Case Study,” MIS Quarterly (12:4), pp. 571-586.
- Spears, J. L., and Barki, H. 2010. “User Participation in Information Systems Security Risk Management,” MIS Quarterly (34:3), pp. 503-522.
- Tsohou, A., Kokolakis, S., Karyda, M., and Kiountouzis, E. 2008. “Process-Variance Models in Information Security Awareness Research,” Information Management & Computer Security (16:3), pp. 271-287.