Coping with Systems Risk: Security Planning Models for Management Decision Making

Bibliographic Details
Published in: MIS Quarterly, Vol. 22, no. 4, pp. 441-469
Main Authors: Straub, Detmar W.; Welke, Richard J.
Format: Journal Article
Language: English
Published: Minneapolis: The Society for Information Management and The Management Information Systems Research Center of the University of Minnesota, and The Association for Information Systems, 01.12.1998
University of Minnesota, MIS Research Center

Summary: The likelihood that the firm's information systems are insufficiently protected against certain kinds of damage or loss is known as "systems risk." Risk can be managed or reduced when managers are aware of the full range of controls available and implement the most effective controls. Unfortunately, they often lack this knowledge, and their subsequent actions to cope with systems risk are less effective than they might otherwise be. This is one viable explanation for why losses from computer abuse and computer disasters today are uncomfortably large and still so potentially devastating after many years of attempting to deal with the problem. Results of comparative qualitative studies in two information services Fortune 500 firms identify an approach that can effectively deal with the problem. This theory-based security program includes (1) use of a security risk planning model, (2) education/training in security awareness, and (3) Countermeasure Matrix analysis.
ISSN: 0276-7783; 2162-9730
DOI: 10.2307/249551