There is, I think, something ethereal about i —the square root of minus one. I remember first hearing about it at school. It seemed an odd beast at that time—an intruder hovering on the edge of reality.

Usually familiarity dulls this sense of the bizarre, but in the case of i it was the reverse: over the years the sense of its surreal nature intensified. It seemed that it was impossible to write mathematics that described the real world in …

I and i

Trust: The Social Virtues and the Creation of Prosperity

What makes organizations so similar? We contend that the engine of rationalization and bureaucratization has moved from the competitive marketplace to the state and the professions. Once a set of organizations emerges as a field, a paradox arises: rational actors make their organizations increasingly similar as they try to change them. We describe three isomorphic processes-coercive, mimetic, and normative—leading to this outcome. We then specify hypotheses about the impact of resource centralization and dependency, goal ambiguity and technical uncertainty, and professionalization and structuration on isomorphic change. Finally, we suggest implications for theories of organizations and social change.

The iron cage revisited: Institutional isomorphism and collective rationality in organizational fields (Chinese Translation)

Wold’s (1974; 1982) partial least squares structural equation modeling (PLS-SEM) ap-proach and the advanced PLS-SEM algorithms by Lohmoller (Lohmoller 1989) have enjoyed steady popularity as a key multivariate analysis methods in management infor-mation systems (MIS) research (Gefen et al. 2011). Chin’s (1998b) scholarly work and technology acceptance model (TAM) applications (e.g., Gefen and Straub 1997) are milestones that helped to reify PLS-SEM in MIS research. In light of the proliferation of SEM techniques, Gefen et al. (2011), updating Gefen et al. (2000), presented a compre-hensive, organized, and contemporary summary of the minimum reporting requirements for SEM applications. Such guidelines are of crucial importance for advancing research for several reasons. First, researchers wishing to apply findings from prior studies or wanting to contribute to original research must comprehend other researchers’ decisions in order to under-stand the robustness of their findings. Likewise, when studies arrive at significantly different results, the natural course is to attempt explaining the differences in terms of the theory or concept employed, the empirical data used, and how the research method was applied. A lack of clarity on these issues, including the methodological applications, contradicts the goals of such studies (Jackson et al. 2009). Even worse, the misapplication of a technique may result in misinterpretations of empirical outcomes and, hence, false conclusions. Against this background, rigorous research has a long-standing tradition of critically reviewing prior practices of reporting standards and research method use (e.g., Boudreau et al. 2001). While the use of covariance-based SEM (CB-SEM) techniques has been well documented across disciplines (e.g., Medsker et al. 1994; Shook et al. 2004; Steenkamp and Baumgartner 2000), few reviews to date have investigated usage practices specific to PLS-SEM (see, however, Gefen et al. 2000). Previous reviews of such research practices were restricted to strategic management (Hulland 1999) and, more recently, marketing (Hair et al. 2012; Henseler et al. 2009), and accounting (Lee et al. 2011). The question arises as to how authors publishing in top IS journals such as MIS Quarterly have used PLS-SEM thus far, given the SEM recommendations of Gefen et al. (2011). By relating Gefen et al.’s (2011) reporting guidelines to actual practice, we attempt to identify potential problematic areas in PLS-SEM use, problems which may explain some of the criticism of how it has been applied (e.g., Marcoulides et al. 2009; Marcoulides and Saunders 2006). By reviewing previous PLS-SEM research in MIS Quarterly, we can hopefully increase awareness of established reporting standards. The results allow researchers to further improve the already good reporting practices that have been established in MIS Quarterly and other top journals and thus could become blueprints for conducting PLS-SEM analysis in other disciplines such as strategic management and marketing.

https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2224526_code1463265.pdf?abstractid=2176426&type=2

A critical look at the use of PLS-SEM in MIS Quarterly

Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since employees who comply with the information security rules and regulations of the organization are the key to strengthening information security, understanding compliance behavior is crucial for organizations that want to leverage their human capital.

This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization's information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee's attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee's attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee's outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee's attitude toward compliance with the ISP.

Our results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee's attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees' following their organizations' information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.

Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness

Patch management is a crucial component of information security management. An important problem within this context from a vendor's perspective is to determine how to release patches to fix vulnerabilities in its software. From a firm's perspective, the issue is how to update vulnerable systems with available patches. In this paper, we develop a game-theoretic model to study the strategic interaction between a vendor and a firm in balancing the costs and benefits of patch management. Our objective is to examine the consequences of time-driven release and update policies. We first study a centralized system in a benchmark scenario to find the socially optimal time-driven patch management. We show that the social loss is minimized when patch-release and update cycles are synchronized. Next, we consider a decentralized system in which the vendor determines its patch-release policy and the firm selects its patch-update policy in a Stackelberg framework, assuming that release and update policies are either time driven or event driven. We develop a sufficient condition that guarantees that a time-driven release by the vendor and a time-driven update by the firm is the equilibrium outcome for patch management. However, in this equilibrium, the patch-update cycle of the firm may not be synchronized with the patch-release cycle of the vendor, making it impossible to achieve the socially optimal patch management in the decentralized system. Therefore, we next examine cost sharing and liability as possible coordination mechanisms. Our analysis shows that cost sharing itself may achieve synchronization and social optimality. However, liability by itself cannot achieve social optimality unless patch-release and update cycles are already synchronized without introducing any liability. Our results also demonstrate that cost sharing and liability neither complement nor substitute each other. Finally, we show that an incentive-compatible contract on cost sharing can be designed to achieve coordination in case of information asymmetry.

/pdf/security-patch-management-share-the-burden-or-share-the-3zsfqg6362.pdf

Security Patch Management: Share the Burden or Share the Damage?

Institutional pressures in security management

Proper configuration of security technologies is critical to balance the needs for access and protection of information. The common practice of using a layered security architecture that has multiple technologies amplifies the need for proper configuration because the configuration decision about one security technology has ramifications for the configuration decisions about others. Furthermore, security technologies rely on each other for their operations, thereby affecting each other's contribution. In this paper we study configuration of and interaction between a firewall and intrusion detection systems (IDS). We show that deploying a technology, whether it is the firewall or the IDS, could hurt the firm if the configuration is not optimized for the firm's environment. A more serious consequence of deploying the two technologies with suboptimal configurations is that even if the firm could benefit when each is deployed alone, the firm could be hurt by deploying both. Configuring the IDS and the firewall optimally eliminates the conflict between them, ensuring that if the firm benefits from deploying each of these technologies when deployed alone, it will always benefit from deploying both. When optimally configured, we find that these technologies complement or substitute each other. Furthermore, we find that while the optimal configuration of an IDS does not change whether it is deployed alone or together with a firewall, the optimal configuration of a firewall has a lower detection rate (i.e., allowing more access) when it is deployed with an IDS than when deployed alone. Our results highlight the complex interactions between firewall and IDS technologies when they are used together in a security architecture, and, hence, the need for proper configuration to benefit from these technologies.

Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems

The importance of effective management of IT security from an economic perspective increased in recent years because of the increasing frequency and cost of security breaches. Each security breach incurs monetary damage, corporate liability, and loss of credibility. This article presents four important elements that every IT security manager should consider while managing the security function from an economic perspective. The four elements are: estimation of security breach cost, a risk management approach, cost effective technology configuration, and value from deployment of multiple technologies.

/pdf/economics-of-itsecurity-management-four-improvements-to-i37esw1tx3.pdf

Hasan Cavusoglu

Papers

Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness

Security Patch Management: Share the Burden or Share the Damage?

Institutional pressures in security management

Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems

Economics of ITSecurity Management: Four Improvements to Current Security Practices