Dissertation - Chapter 5
Joseph H. Schuessler Ph.D.
Joseph H. Schuessler Ph.D.
The results of the analysis illustrate the strength of the proposed model. While some hypotheses were not supported such as the relationship between threats and industry affiliation, the majority of hypotheses were in fact supported. Additionally, there were three relationships that were significant but contrary to the hypothesized direction. Each relationship between organizational size and each countermeasure were hypothesized to be positive indicating that the larger the organization, the greater the use of each countermeasure would be. The logic behind these hypotheses was that resource poverty would limit smaller organizationís ability to develop comprehensive countermeasures relative to their larger counterparts. However, this was not found in this dataset. This dataset suggests that perhaps smaller organizations in fact do have a more comprehensive set of countermeasures in place relative to their larger counterparts. This could be the result of fewer or less complicated assets requiring countermeasures but additional study would be required to ferret out the reasons for this finding. Another possible explanation could be that smaller businesses are simply throwing money at the problem while their larger counterparts are more methodical with their security investments.
Industry Affiliation was found to be related to prevention efforts but not the remaining countermeasure techniques. This suggests that each industry implements various countermeasures similarly with the exception of prevention countermeasures. With respect to remedies, which often take the form of reprimands, termination, criminal or civil proceedings or are otherwise subject to legal requirements, similarities are likely common business practices and jurisdictional similarities. What is interesting out of this finding though is that while industry does impact an organizationís choice of some countermeasures, they all face the similar threats. Essentially, this means that each industry faces similar threats but that organizations within each industry address those threats differently. This is likely due to different perceptions of threats across various industries and different priorities with respect to protecting IS assets.
Each countermeasure construct was also hypothesized to be positively related to ISSE. Both deterrence and prevention were found to be positively related to ISSE similar to Kankanhalli et al. (2003). However, part of the goal of this research was to extend the model developed by Kankanhalli et al. (2003) to include detection and remedy countermeasures as well. While detection was not found to be significantly related to ISSE, remedy efforts were. This suggests that remedy efforts can impact an organizationís ISSE meaning that clear, well defined, and well communicated policies regarding how an organization will address IS abuse will impact their ability to effectively protect their systems.
Threats were hypothesized to be positively related to each countermeasure. All four hypotheses were supported. Essentially, the more threats an organization faces, the more of each type of countermeasure is implemented. As for the non-recursive aspect of this relationship, the implementation of countermeasures tends to have less of an impact on threats. Two of the four countermeasures were found to be significantly related to threats: remedy and prevention. So, countermeasures do influence threats faced and a non-recursive relationship does exist between some countermeasures and threats. These results suggest that an organization should focus their attention on remedies and prevention efforts in order have an impact on the threats that they face but they should also focus on deterrent efforts to maximize ISSE. Though detection efforts are intuitively appealing, the current research suggests they may serve to drain resources without contributing to a corresponding change in threats or an increase in ISSE. This is consistent with (Schneier, 2004) who suggests that actions such as penetration testing are a waste of an organizationís resources. One possible explanation could be the inability of a firm to confirm that it has not been breached. We simply do not know what we do not know. As a result, we simply do not know how effective detection efforts are as we only have successful detections with which to compare our efforts against.
Organizational size was not found to be positively related to ISSE as was industry affiliation. This suggests that the size of an organization does not play a role in how effective an organization protects itís information system. When considered within the context of Hypothesis 1, smaller organizations seem to get less bang for their buck relative to their larger counterparts. They tend to use more countermeasure techniques yet end up with similar results in terms of effectively protecting themselves. This combined with the finding that smaller businesses face fewer threats suggests that smaller business do indeed face fewer threats but face greater risks relative to their larger counterparts, despite their relative use of additional countermeasure techniques.
The results also indicate that certain industries are more effective at securing their information systems than others. This is consistent with Hoffer and Straub (1989) who found that some industries are more susceptible to computer abuse that others. So again, even though industries face similar threats, each industryís unique application of countermeasures leads to unique degrees of ISSE.
As with all studies, this study is subject to limitations, which can potentially influence conclusions drawn from the dataset. First, because the data is cross-sectional in nature, causal inferences should not be made regarding the effects of measured variables. For example, rather than concluding that larger businesses have more effective information system security, it is more appropriate to conclude larger businesses tend to be positively related with more effective information systems security. Thus, only correlational inferences can be drawn.
CMB is another possible limitation of the study. CMB refers to the fact that potential respondent biases might constitute a systematic error. This is common when using survey responses from the same source because a single respondent for each survey can only yield one perspective. Others within the same organization may perceive conditions to be significantly different. Thus, there might be spurious correlations (Bagozzi, 1980). Following Podsakoff et al. (2003), several precautions were taken to minimize the effects of common-method bias. The dependent variables and independent variables were separated into different sections of the survey instrument. Different question formats were used for each set of variables. Using a Harmon one-factor test (Podsakoff and Organ, 1986) to test for CMB two factors were found indicating that CMB was not present in the dataset.
Another possible limitation is the way threats are treated using the current research design. For ease of analysis, threats were treated holistically meaning that all threats were lumped together and treated equally. Realistically, this is not likely to be the case. More likely, some threats are more serious than others in terms of potential damage, costs, and so on. As a result, caution should be used when drawing conclusions from the results of this paper.
The model put forth in this research contributes in several ways to the research community. First, it frames the use of countermeasures in the theoretical lens of GDT. Such a framing should allow for more accurate classifications of existing and future countermeasures. By accurately classifying countermeasures, their strengths and weaknesses, gaps should be able to be identified more clearly in terms of which countermeasures have been researched and those which have not.
Another research contribution is that the current study extends the ISS effectiveness construct put forth by Kankanhalli et al. (2003). By incorporating assessments of a firmís remedy and detection efforts, a more thorough understanding of how each contributes to a firmís ISS effectiveness is understood.
Lastly, the methodology used to assess the non-recursive model put forth in the current study is unique to the IS field. Such an approach can be used to assess other circular relationships where longitudinal data collection may not be feasible. While care should be taken with regard to causality as discussed above when using such an approach, the ability to support or fail to support such relationships can shed light on whether or not to further pursue a particular direction of research.
The results of the current study are also relevant to practitioners. First, the model can be used as an assessment tool for firms by enabling them to compare themselves to similar firms in terms of their size and industry. Such an approach would allow a firm to compare specific types of countermeasures in use by their organization and compare that to those of their competitors enabling them to gain insight into how effectively they are managing their risk.
The model could also be used by firms prescriptively to gauge their current ISS effectiveness and their current use of various countermeasures. Based on their analysis, they could then target specific types of countermeasures to obtain the prescribed degree of ISS effectiveness. Such an approach would allow the firm to more judiciously allocate funding to those countermeasures specifically in need of funding while not continuing to ďthrow moneyĒ at other countermeasures already currently in place and being effectively used.
In order to truly understand and be able to model the relationship between threats and countermeasures, we must be able to examine each from different perspectives. Siponen et al. (2006) discusses developing secure information systems and suggest the idea of different levels of abstraction based on Iivari (1989). These levels of abstraction include organizational, conceptual, and technical. The model put forth in this paper could be expanded in order to accommodate each level of abstraction where threats, countermeasures, and ISS effectiveness are all evaluated by examining each from an organizational, conceptual, and technical level. Such an approach could help further refine our understanding of the dimensionality of threats, countermeasures, and ISS effectiveness. For practitioners, it can provide a more thorough understanding of threats, countermeasures, and ISS effectiveness and provide terminology that can be used to more effectively communicate with different stakeholders within and across organizational boundaries.
Another potential avenue for extending research along the lines of that conducted in this dissertation include using the framework developed by Loch et al. (1992). This framework included classifying threats as internal or external, as human or non-human, and as intentional or un-intentional. This framework could be used to further explore the relationship between threats and organizational characteristics. While industry affiliation was not related to threats in the current study, other studies have found such a relationship in very broad terms (Hoffer and Straub, 1988). By identifying specific classes of threats, and key organizational characteristics, organizations could more effectively concentrate on specific classes of threats unique to their industry or size. Characteristics such as service/manufacturing orientation which impacts the information content of an organization (Premkumar and King, 1994) could influence an organizationís portfolio of IS assets and perceived threats. Combined with the knowledge regarding the various classes of countermeasures (deterrent, prevention, detection, and remedy) discussed in this dissertation, pin-point strategies could be developed by security professionals striving to effectively and efficiently combat threats specific to their type of organization.
Still another line of research that could be extended for this current research is the idea that firms adjust their security posture over time and essentially move through stages as they do so. Essentially, extending the idea put forth by Nolan (1973). Though an attempt to establish a security stage model has been attempted (Young, 2008), the hypothesized stages failed to be empirically verifiable. Interviews with security professionals could shed light on key metrics which could possibly be used to identify the number of stages present as well as key characteristics that signify when a firm is in a particular stage and the conditions necessary for moving from one stage to the next.
The goal of this research was to extend the ISSE construct developed by Kankanhalli et al. (2003), to explore a unique methodology to the IS discipline, apply the theoretically developed General Deterrence Theory to the use of countermeasures in IS, and to empirically assess the relationships between threats and countermeasures. The results of the analysis suggest that each goal was met with resounding success. Organizations can use these results not only to compare their current operations, but also as a way to prescriptively achieve a desired level of ISSE by manipulating their use of various countermeasures relative to counterparts within their industry to organizations of similar size.
Non-recursive models are seldom if ever seen in IS research. The method used in this research can be used to explore the numerous complex phenomena that exist in the world of IS. While LISREL is capable of handling non-recursive relationships, the difficulty associated with finding enough respondents can often force a researcher to resort to the use of PLS because of its ability to handle smaller sample sizes, indicative of many security related surveys. While PLS does not handle non-recursive relationship natively, the solution implemented in this research can serve as an example of how non-recursive models can still be analyzed using PLS. This combined with the empirical evidence gathered in this research, help to refine our understanding of the relationship between threats and countermeasures.
Finally, the use of General Deterrence Theory to frame an organizationís use of countermeasures was developed and empirically tested and shown to be effective at predicting an organizationís ISSE. Further research into the relationships between threats and countermeasures and how organizational context affects ISSE can provide practitioners with valuable tools with which to combat computer abuses.