Printed from https://ideas.repec.org/a/eee/ijoais/v20y2016icp38-64.html

Estimation of deficiency risk and prioritization of information security controls: A data-centric approach

Author

Listed:
  • Rahimian, Firoozeh
  • Bajaj, Akhilesh
  • Bradley, Wray

Abstract

Risk of unauthorized disclosure or modification of corporate data can impact in different ways, including affecting operations, the public image and/or the firm's legal/compliance exposure. While management views risk along these dimensions, the information technology function (ITF) typically views risk from an IT infrastructure compromise viewpoint, and this drives the establishment of IT security controls. It is oftentimes difficult for the internal audit function (IAF) to assess control deficiency risk (CDR) in the area of information security, as well as estimate the importance of each in-place security control. Using a design science approach, we propose the Operational, Public image, Legal (OPL) model and method to classify the security criticality of the organization's data along three dimensions. Through an empirical study, we demonstrate how the OPL method allows for a quantitative estimation of the importance of in-place security controls as well as the CDR of missing controls. This information provides guidance on strategies for testing in-place controls during audit, as well as for determining which controls may need to be incrementally added.

Suggested Citation

  • Rahimian, Firoozeh & Bajaj, Akhilesh & Bradley, Wray, 2016. "Estimation of deficiency risk and prioritization of information security controls: A data-centric approach," International Journal of Accounting Information Systems, Elsevier, vol. 20(C), pages 38-64.
  • Handle: RePEc:eee:ijoais:v:20:y:2016:i:c:p:38-64
    DOI: 10.1016/j.accinf.2016.01.004

    Citations


    Cited by:

    1. Caraiman Adrian-Cosmin, 2020. "CoCo PATTERN IN CORPORATE GOVERNANCE," Annals - Economy Series, Constantin Brancusi University, Faculty of Economics, vol. 6, pages 131-137, December.
    2. Didier Fass & Stéphanie Thiéry, 2020. "Cybersecurity risks and situation awareness: Audit committees' appraisal," Post-Print hal-03198562, HAL.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.