Coping with systems risk: Security planning models for management decision making

Publication type:
Article
Authors:
Straub, DW; Welke, RJ
Affiliations:
University System of Georgia; Georgia State University
Journal:
MIS QUARTERLY
ISSN/ISBN:
0276-7783
DOI:
10.2307/249551
Publication date:
1998
Pages:
441-469
Keywords:
computer abuse key issues INFORMATION
Abstract:
The likelihood that the firm's information systems are insufficiently protected against certain kinds of damage or loss is known as systems risk. Risk can be managed or reduced when managers are aware of the full range of controls available and implement the most effective controls. Unfortunately, they often lack this knowledge, and their subsequent actions to cope with systems risk are less effective than they might otherwise be. This is one viable explanation for why losses from computer abuse and computer disasters today are uncomfortably large and still so potentially devastating after many years of attempting to deal with the problem. Results of comparative qualitative studies in two information services Fortune 500 firms identify an approach that can effectively deal with the problem. This theory-based security program includes (1) use of a security risk planning model, (2) education/training in security awareness, and (3) Countermeasure Matrix analysis.