A Qualitative Multi-Method Study of U.S. Banks’ Financial Reporting Addressing Security Risk Management (SRM) Operational Effectiveness and SRM Maturity
DOI: https://doi.org/10.33423/jmpp.v25i2.7186
Keywords: management policy, security risk management (SRM), directed content analysis, textual analysis, Q-sorting, provisional coding
Abstract
Security risk management (SRM) presents continued challenges for IT executives. Because of growing data breaches, significant funding needs, and non-stop malicious cyber threats, SRM operational effectiveness and SRM maturity present ever-changing complexities. In organizations, cyber-related events, including advancing information technologies, contribute to the increasing complexity and guarded nature of SRM. This qualitative study was designed to examine how SRM operational effectiveness and SRM maturity are conveyed in financial reporting. Using a set of qualitative techniques, a sample of 107 SRM-related statements was drawn from the financial reporting artifacts of 1,113 U.S. banks. Validation of the results involved interviews and Q-sorting with three Chief Information Security Officers (CISOs) serving as subject matter experts. The study presents evidence that varying perceptions of SRM operational effectiveness and SRM maturity were conveyed in these reports, and that these perceptions may or may not properly reflect how well the organizations actually perform against cyber-related events. For researchers, practitioners, and policymakers, this study offers an alternative approach and theoretical considerations for future SRM research, especially in the reporting of cyber-related events.