Printed from https://ideas.repec.org/a/eee/ijoais/v20y2016icp38-64.html

Estimation of deficiency risk and prioritization of information security controls: A data-centric approach

Authors listed:
  • Rahimian, Firoozeh
  • Bajaj, Akhilesh
  • Bradley, Wray

Abstract

The risk of unauthorized disclosure or modification of corporate data can have impact in several ways, including on operations, on public image, and on the firm's legal/compliance exposure. While management views risk along these dimensions, the information technology function (ITF) typically views risk from the viewpoint of IT infrastructure compromise, and this drives the establishment of IT security controls. It is often difficult for the internal audit function (IAF) to assess control deficiency risk (CDR) in the area of information security, as well as to estimate the importance of each in-place security control. Using a design science approach, we propose the Operational, Public image, Legal (OPL) model and method to classify the security criticality of the organization's data along these three dimensions. Through an empirical study, we demonstrate how the OPL method allows a quantitative estimation of the importance of in-place security controls as well as of the CDR of missing controls. This information provides guidance on strategies for testing in-place controls during an audit, as well as for determining which controls may need to be incrementally added.

Suggested Citation

  • Rahimian, Firoozeh & Bajaj, Akhilesh & Bradley, Wray, 2016. "Estimation of deficiency risk and prioritization of information security controls: A data-centric approach," International Journal of Accounting Information Systems, Elsevier, vol. 20(C), pages 38-64.
  • Handle: RePEc:eee:ijoais:v:20:y:2016:i:c:p:38-64
    DOI: 10.1016/j.accinf.2016.01.004

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S1467089515300130
    Download Restriction: Full text for ScienceDirect subscribers only

    File URL: https://libkey.io/10.1016/j.accinf.2016.01.004?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item


    Citations

    Cited by:

    1. Caraiman Adrian-Cosmin, 2020. "CoCo PATTERN IN CORPORATE GOVERNANCE," Annals - Economy Series, Constantin Brancusi University, Faculty of Economics, vol. 6, pages 131-137, December.
    2. Didier Fass & Stéphanie Thiéry, 2020. "Cybersecurity risks and situation awareness: Audit committees' appraisal," Post-Print hal-03198562, HAL.

