← Search

Coping With Systems Risk: Security Planning Models for Management Decision Making1

Detmar W. Straub; Richard J. Welke

Department of Computer Information Systems, College of Business Administration, Georgia State University, Atlanta, GA 30302-4015, U.S.A.

MIS Quarterly 1998

The likelihood that the firm’s information systems are insufficiently protected against certain kinds of damage or loss is known as “systems risk.” Risk can be managed or reduced when managers are aware of the full range of controls available and implement the most effective controls. Unfortunately, they often lack this knowledge, and their subsequent actions to cope with systems risk are less effective than they might otherwise be. This is one viable explanation for why losses from computer abuse and computer disasters today are uncomfortably large and still so potentially devastating after many years of attempting to deal with the problem. Results of comparative qualitative studies in two information services Fortune 500 firms identify an approach that can effectively deal with the problem. This theory-based security program includes (1) use of a security risk planning model, (2) education/training in security awareness, and (3) Countermeasure Matrix analysis.

DOI
10.2307/249551
Volume
22 (4)
Pages
441-469
Language
en
Export
BibTeX
Sources
crossref