Six Work System Lenses for Describing, Analyzing, or Evaluating Important Aspects of IS Security

Six Work System Lenses for Describing, Analyzing, or Evaluating Important Aspects of IS Security

Steven Alter (School of Management, University of San Francisco, San Francisco, CA, USA)
Copyright: © 2017 |Pages: 14
DOI: 10.4018/IJSS.2017070106


This article presents six ways to use work system concepts for describing, analyzing, or evaluating IS security at the system rather than enterprise level. As a whole, this theory-based view delves into topics that typical technology or process-focused cybersecurity approaches may overlook. This article introduces work system theory and then summarizes six lenses that each imply broadly applicable questions and issues for describing, analyzing, or evaluating IS security situations, tools, or systems.
Article Preview

The Scope Of Information System Security

The IS security literature covers topics and issues related to IS security problems and tools and methods for reducing or minimizing vulnerability to such problems. Table 1 highlights the breadth of situations that are associated with IS security. It illustrates that these situations involve more than traditional cybersecurity topics such as virus protection, firewalls, “social engineering” schemes, digital rights management, business continuity, or management attention. Two examples related to Wells Fargo, a major US bank, show how IS security concerns applied to sociotechnical systems that seem far removed from virus protection and firewalls:

A lawyer for a former Wells Fargo employee suing the bank for defamation requested emails and documents related to the lawsuit. He was surprised when he received 1.4 gigabytes of files containing information about tens of thousands of the banks wealthiest customers, including information such as social security numbers, details of their portfolios, and fees that the bank charged them. The information had been sent by accident. (Kovaleski and Cowley, 2017)

A review related to a long simmering scandal at Wells Fargo involving unauthorized enrollments of customers in accounts found 1.4 million more unauthorized accounts that had been set up to meet employee quotas and obtain performance bonuses for their managers. Other patterns of wrongdoing such as inappropriate charges and withholding of refunds had been found in the investigations. (Cowley, 2017).

Table 1.
Important types of situations related to IS security
Internal source• Accidents (e.g., accidentally releasing confidential information)
• Design or programming bugs (autopilots that respond incorrectly to human pilots in unanticipated situations)
• Inadequate training or awareness (Many examples of email users clicking on links that allowed downloads of malware).
• Malfeasance (e.g., auditing system that produces flawed audit results)
• Theft (e.g, theft of government documents by government employees or contractors)
• Sabotage (e.g., creation of electronic time bombs by employees about to be fired)
External sources• Natural disasters (e.g., floods or fires destroy IT facilities)
• Simultaneous need for the same required resources (e.g., use of cloud capabilities by one organization may affect others)
• Infrastructure failures (e.g., internet failures disrupt web sites and company operations)
• Theft (e.g., theft of personal data or intellectual property by breaking into corporate information systems
• Sabotage (e.g., attack that erases or corrupts data)
• Extortion (e.g., ransomware – malware that prevents access to computing resources)

Both situations involve misuse of information systems, in one case carelessly exposing important private information and in the other using client information in a corporate information system to perform unauthorized transactions. Neither involves an external attack or a virus, but both situations reveal important IS security shortcomings. Those problems should not have occurred in a properly controlled system. Some of the many articles in the IS security literature that address related topics include Dhillon & Backhouse (2001), Hu et al. (2007), Warkentin & Willison (2009), Crossler et al. (2013), and Cisco (2014).

Complete Article List

Search this Journal:
Open Access Articles: Forthcoming
Volume 7: 2 Issues (2020): Forthcoming, Available for Pre-Order
Volume 6: 2 Issues (2019): 1 Released, 1 Forthcoming
Volume 5: 2 Issues (2018)
Volume 4: 2 Issues (2017)
Volume 3: 2 Issues (2016)
Volume 2: 2 Issues (2015)
Volume 1: 2 Issues (2014)
View Complete Journal Contents Listing