{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,3]],"date-time":"2026-04-03T19:06:15Z","timestamp":1775243175931,"version":"3.50.1"},"reference-count":95,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2017,7,10]],"date-time":"2017-07-10T00:00:00Z","timestamp":1499644800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,7,10]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>The aim of this study is to advance research on the position of the CISO by investigating the role that CISOs play before and after an IT security breach. There is a dearth of academic research literature on the role of a chief information security officer (CISO) in the management of Information Technology (IT) security. The limited research literature exists despite the increasing number and complexity of IT security breaches that lead to significant erosions in business value.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>The study makes use of content analysis and agency theory to explore a sample of US firms that experienced IT security breaches between 2009 and 2015 and how these firms reacted to the IT security breaches.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The results indicate that following the IT security breaches, a number of the impacted firms adopted a reactive plan that entailed a re-organization of the existing IT security strategy and the hiring of a CISO. Also, there is no consensus on the CISO reporting structure since most of the firms that hired a CISO for the first time had the CISO report either to the Chief Executive Officer or Chief Information Officer.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>The findings will inform researchers, IT educators and industry practitioners on the roles of CISOs as well as advance research on how to mitigate IT security vulnerabilities.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>The need for research that advances an understanding of how to effectively manage the security of IT resources is timely and is driven by the growing frequency and sophistication of the IT security breaches as well as the significant direct and indirect costs incurred by both the affected firms and their stakeholders.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-02-2016-0013","type":"journal-article","created":{"date-parts":[[2017,5,24]],"date-time":"2017-05-24T07:32:02Z","timestamp":1495611122000},"page":"300-329","source":"Crossref","is-referenced-by-count":28,"title":["The role of the chief information security officer in the management of IT security"],"prefix":"10.1108","volume":"25","author":[{"given":"Erastus","family":"Karanja","sequence":"first","affiliation":[]}],"member":"140","reference":[{"key":"key2020120620011859600_ref001","unstructured":"Anthem (2015), \u201cStatement regarding cyber-attack against Anthem\u201d, available at: www.anthem.com\/health-insurance\/about-us\/pressreleasedetails\/WI\/2015\/1813\/statement-regarding-cyber-attack-against-anthem (accessed 11 January 2016)."},{"issue":"4","key":"key2020120620011859600_ref002","doi-asserted-by":"crossref","first-page":"195","DOI":"10.1016\/j.istr.2008.10.006","article-title":"Information security management: a human challenge?","volume":"13","year":"2008","journal-title":"Information Security Technical Report"},{"key":"key2020120620011859600_ref003","doi-asserted-by":"crossref","first-page":"396","DOI":"10.1016\/j.cose.2013.09.004","article-title":"CISOs and organizational culture: their own worst enemy?","volume":"39","year":"2013","journal-title":"Computers & Security"},{"issue":"3","key":"key2020120620011859600_ref004","doi-asserted-by":"crossref","first-page":"211","DOI":"10.1080\/0268396032000130214","article-title":"The information technology outsourcing risk: a transaction cost and agency theory-based perspective","volume":"18","year":"2003","journal-title":"Journal of Information Technology"},{"issue":"2","key":"key2020120620011859600_ref005","doi-asserted-by":"crossref","first-page":"487","DOI":"10.2307\/23044053","article-title":"CIO reporting structure, strategic positioning, and firm performance","volume":"35","year":"2011","journal-title":"MIS Quarterly"},{"key":"key2020120620011859600_ref006","doi-asserted-by":"crossref","first-page":"9","DOI":"10.1016\/j.cose.2016.02.007","article-title":"Information system security commitment: a study of external influences on senior management","volume":"59","year":"2016","journal-title":"Computers & Security"},{"key":"key2020120620011859600_ref007","article-title":"Information systems security strategy: a process view","volume-title":"Information Security: Policy, Processes, and Practices","year":"2008"},{"issue":"6","key":"key2020120620011859600_ref008","first-page":"54","article-title":"The decision-driven organization","volume":"88","year":"2010","journal-title":"Harvard Business Review"},{"key":"key2020120620011859600_ref009","doi-asserted-by":"crossref","first-page":"375","DOI":"10.1016\/j.chb.2015.03.084","article-title":"How to stimulate the continued use of ICT in higher education: integrating information systems continuance theory and agency theory","volume":"50","year":"2015","journal-title":"Computers in Human Behavior"},{"key":"key2020120620011859600_ref010","unstructured":"Bosshart, A. (2014), \u201cData breach notification, a note from Andi Bosshart, SVP, corporate compliance and privacy officer\u201d, available at: www.chs.net\/media-notice\/ (accessed 11 January 2016)."},{"key":"key2020120620011859600_ref011","volume-title":"Effective IT Governance by Design","year":"2003"},{"issue":"4","key":"key2020120620011859600_ref012","doi-asserted-by":"crossref","first-page":"265","DOI":"10.1016\/j.lrp.2014.07.005","article-title":"Enterprise risk management: Review, critique, and research directions","volume":"48","year":"2015","journal-title":"Long Range Planning"},{"issue":"2","key":"key2020120620011859600_ref013","doi-asserted-by":"crossref","first-page":"239","DOI":"10.1007\/s10551-011-1088-2","article-title":"Leadership and change: the case for greater ethical clarity","volume":"108","year":"2012","journal-title":"Journal of Business Ethics"},{"key":"key2020120620011859600_ref014","unstructured":"COSO (2004), \u201cEnterprise risk management: committee of the sponsoring organizations of the treadway commission\u201d, available at: www.coso.org\/documents\/coso_erm_executivesummary.pdf (accessed 28 February 2016)."},{"issue":"4","key":"key2020120620011859600_ref015","doi-asserted-by":"crossref","first-page":"651","DOI":"10.1016\/j.dss.2010.08.017","article-title":"Firms\u2019 information security investment decisions: stock market evidence of investors\u2019 behavior","volume":"50","year":"2011","journal-title":"Decision Support Systems"},{"issue":"2","key":"key2020120620011859600_ref016","doi-asserted-by":"crossref","first-page":"279","DOI":"10.2307\/25148680","article-title":"Assessing value in organizational knowledge creation: considerations for knowledge workers","volume":"29","year":"2005","journal-title":"MIS Quarterly"},{"key":"key2020120620011859600_ref017","unstructured":"Citi Press Room (2011), \u201cUpdated information on recent compromise to citi account online for our customers\u201d, available at: www.citi.com\/citi\/press\/2011\/110610c.htm (accessed 11 January 2016)."},{"key":"key2020120620011859600_ref018","doi-asserted-by":"crossref","first-page":"191","DOI":"10.1016\/S1058-3300(01)00037-4","article-title":"Twenty-five years of corporate governance research and counting","volume":"10","year":"2001","journal-title":"Review of Financial Economics"},{"issue":"1","key":"key2020120620011859600_ref019","doi-asserted-by":"crossref","first-page":"57","DOI":"10.5465\/amr.1989.4279003","article-title":"Agency theory: an assessment and review","volume":"14","year":"1989","journal-title":"Academy of Management Review"},{"key":"key2020120620011859600_ref020","volume-title":"Business Continuity Management 2e: A Crisis Management Approach","year":"2010"},{"issue":"2","key":"key2020120620011859600_ref021","doi-asserted-by":"crossref","first-page":"227","DOI":"10.2307\/249396","article-title":"Information technology and worker composition: Determinants of productivity in the life insurance industry","volume":"22","year":"1998","journal-title":"MIS Quarterly"},{"key":"key2020120620011859600_ref022","unstructured":"GAO (2015), \u201cHigh risk series-ensuring the security of federal information systems and cyber critical infrastructure and protecting the privacy of personally identifiable information\u201d, available at: www.gao.gov\/highrisk\/protecting_the_federal_government_information_systems\/why_did_study#t=1 (accessed 10 September 2015)."},{"issue":"1","key":"key2020120620011859600_ref023","doi-asserted-by":"crossref","first-page":"107","DOI":"10.1108\/JEIM-08-2013-0065","article-title":"Understanding determinants of cloud computing adoption using an integrated TAM-TOE model","volume":"28","year":"2015","journal-title":"Journal of Enterprise Information Management"},{"key":"key2020120620011859600_ref024","volume-title":"Survey Analysis: Information Security Governance","author":"Gartner","year":"2012"},{"key":"key2020120620011859600_ref025","unstructured":"Glazier, E. (2014), \u201cJ.P. Morgan\u2019s cyber attack: how the bank responded\u201d, available at: http:\/\/blogs.wsj.com\/moneybeat\/2014\/10\/03\/j-p-morgans-cyber-attack-how-the-bank-responded\/ (accessed 11 January 2016)."},{"key":"key2020120620011859600_ref026","unstructured":"Gramm\u2013Leach\u2013Bliley Act (1999), \u201cThe Gramm-Leach-Bliley Act (GLB) Act of 1999\u201d, available at: www.gpo.gov\/fdsys\/pkg\/PLAW-106publ102\/html\/PLAW-106publ102.htm (accessed 15 January 2016)."},{"issue":"2","key":"key2020120620011859600_B27a","doi-asserted-by":"crossref","first-page":"105","DOI":"10.1016\/j.nedt.2003.10.001","article-title":"Qualitative content analysis in nursing research: concepts, procedures and measures to achieve trustworthiness","volume":"24","year":"2004","journal-title":"Nurse Education Today"},{"issue":"1","key":"key2020120620011859600_ref027","doi-asserted-by":"crossref","first-page":"315","DOI":"10.25300\/MISQ\/2013\/37.1.14","article-title":"Information technology outsourcing and non-IT operating costs: an empirical investigation","volume":"37","year":"2013","journal-title":"MIS Quarterly"},{"issue":"S1","key":"key2020120620011859600_ref028","first-page":"S3","article-title":"Understanding power: bringing about strategic change","volume":"7","year":"1996","journal-title":"British Journal of Management"},{"issue":"2","key":"key2020120620011859600_ref030","doi-asserted-by":"crossref","first-page":"154","DOI":"10.1016\/j.dss.2009.02.005","article-title":"Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness","volume":"47","year":"2009","journal-title":"Decision Support Systems"},{"key":"key2020120620011859600_ref031","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1016\/j.dss.2013.07.010","article-title":"IT security auditing: a performance evaluation decision model","volume":"57","year":"2014","journal-title":"Decision Support Systems"},{"key":"key2020120620011859600_ref029","first-page":"104","volume-title":"Health Insurance Portability and Accountability Act (HIPAA)","author":"HIPAA","year":"1996"},{"key":"key2020120620011859600_ref032","volume-title":"The Health Information Technology for Economic and Clinical Health Act","author":"HITECH","year":"2009"},{"key":"key2020120620011859600_ref033","unstructured":"HHS Press Office (2013), \u201cWellPoint pays HHS $1.7 million for leaving information accessible over Internet\u201d, available at: www.hhs.gov\/about\/news\/2013\/07\/11\/wellpoint-pays-hhs-17-million-leaving-information-accessible-over-internet.html (accessed 11 January 2016)."},{"issue":"1","key":"key2020120620011859600_ref034","doi-asserted-by":"crossref","first-page":"66","DOI":"10.1287\/isre.14.1.66.14764","article-title":"When subordinates become IT contractors: persistent managerial expectations in IT outsourcing","volume":"14","year":"2003","journal-title":"Information Systems Research"},{"issue":"2","key":"key2020120620011859600_ref035","doi-asserted-by":"crossref","first-page":"153","DOI":"10.1016\/j.jsis.2007.05.004","article-title":"The role of external and internal influences on information systems security: a neo-institutional perspective","volume":"16","year":"2007","journal-title":"The Journal of Strategic Information Systems"},{"key":"key2020120620011859600_ref036","volume-title":"ISO 31000:2009, Risk Management \u2013 Principles and Guidelines","author":"ISO","year":"2009"},{"key":"key2020120620011859600_ref037","volume-title":"ISO\/IEC 27014:2013 Information Technology \u2013 Security Techniques \u2013 Governance of Information Security","author":"ISO","year":"2013"},{"key":"key2020120620011859600_ref038","first-page":"1","volume-title":"Information Security Governance: Guidance for Boards of Directors and Executive Management","author":"ITGI","year":"2006","edition":"2nd ed."},{"key":"key2020120620011859600_ref039","unstructured":"ISACA (2011), \u201cGlobal status report on the Governance of Enterprise IT (GEIT)-2011\u201d, available at: www.isaca.org\/Knowledge-Center\/Research\/Documents\/Global-Status-Report-GEIT-10Jan2011-Research.pdf"},{"issue":"4","key":"key2020120620011859600_ref040","doi-asserted-by":"crossref","first-page":"305","DOI":"10.1016\/0304-405X(76)90026-X","article-title":"Theory of the firm: managerial behavior, agency costs and ownership structure","volume":"3","year":"1976","journal-title":"Journal of Financial Economics"},{"issue":"4","key":"key2020120620011859600_ref041","doi-asserted-by":"crossref","first-page":"27","DOI":"10.1108\/09576059210021355","article-title":"Chief information officers: organizational control and company characteristics","volume":"5","year":"1992","journal-title":"Logistics Information Management"},{"key":"key2020120620011859600_ref044","article-title":"The role of IT investments in fostering firm innovations: an empirical study","volume":"25","year":"2014","journal-title":"Journal of Business Management"},{"issue":"2","key":"key2020120620011859600_ref042","article-title":"IT leaders: who are they and where do they come from?","volume":"23","year":"2012","journal-title":"Journal of Information Systems Education"},{"issue":"2","key":"key2020120620011859600_ref043","doi-asserted-by":"crossref","first-page":"134","DOI":"10.1108\/IJAIM-02-2013-0017","article-title":"Ramifications of the sarbanes oxley (SOX) act on IT governance","volume":"22","year":"2014","journal-title":"International Journal of Accounting and Information Management"},{"key":"key2020120620011859600_ref045","unstructured":"Katz, K. (2014), \u201cNeiman Marcus\/Group, to our loyal Neiman Marcus Group customers\u201d, available at: www.neimanmarcus.com\/NM\/Security-Info\/cat49570732\/c.cat?navid=redirect:security&eVar6=data+breach (accessed 15 October 2015)."},{"issue":"3","key":"key2020120620011859600_ref046","first-page":"163","article-title":"Effective information security requires a balance of social and technology factors","volume":"9","year":"2010","journal-title":"MIS Quarterly Executive"},{"issue":"2","key":"key2020120620011859600_ref047","doi-asserted-by":"crossref","first-page":"65","DOI":"10.1145\/1007965.1007971","article-title":"Why didn\u2019t somebody tell me? climate, information asymmetry, and bad news about troubled projects","volume":"35","year":"2004","journal-title":"Database for Advances in Information Systems"},{"key":"key2020120620011859600_ref048","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1016\/j.cose.2012.07.001","article-title":"Organizational power and information security rule compliance","volume":"33","year":"2013","journal-title":"Computers & Security"},{"issue":"5","key":"key2020120620011859600_ref049","doi-asserted-by":"crossref","first-page":"597","DOI":"10.1016\/j.im.2003.08.001","article-title":"Why there aren\u2019t more information security research studies","volume":"41","year":"2004","journal-title":"Information & Management"},{"key":"key2020120620011859600_ref050","unstructured":"KrebsonSecurity (2014), \u201cP.F. Chang\u2019s confirms credit card breach\u201d, available at: http:\/\/krebsonsecurity.com\/2014\/06\/p-f-changs-confirms-credit-card-breach\/ (accessed 11 January 2016)."},{"key":"key2020120620011859600_ref051","volume-title":"IT and Security: Converging Roles","year":"2004"},{"key":"key2020120620011859600_ref052","volume-title":"Naturalistic Inquiry","year":"1985"},{"issue":"6","key":"key2020120620011859600_ref053","doi-asserted-by":"crossref","first-page":"1249","DOI":"10.1086\/381913","article-title":"Resistance as a social drama: a study of change\u2010oriented encounters","volume":"109","year":"2004","journal-title":"American Journal of Sociology"},{"issue":"8","key":"key2020120620011859600_ref054","doi-asserted-by":"crossref","first-page":"1021","DOI":"10.1016\/j.im.2003.11.001","article-title":"IS planning autonomy in US subsidiaries of multinational firms","volume":"41","year":"2004","journal-title":"Information and Management"},{"key":"key2020120620011859600_ref055","doi-asserted-by":"crossref","first-page":"122","DOI":"10.1108\/ICS-02-2014-0016","article-title":"Organizational objectives for information security governance: a value focused assessment","volume":"23","year":"2015","journal-title":"Information & Computer Security"},{"issue":"1","key":"key2020120620011859600_ref056","doi-asserted-by":"crossref","first-page":"223","DOI":"10.25300\/MISQ\/2016\/40.1.10","article-title":"How information technology strategy and investments influence firm performance: conjecture and empirical evidence","volume":"40","year":"2016","journal-title":"MIS Quarterly"},{"key":"key2020120620011859600_ref057","doi-asserted-by":"crossref","first-page":"420","DOI":"10.1016\/j.pec.2011.01.005","article-title":"A standardized approach to qualitative content analysis of focus group discussions from different countries","volume":"82","year":"2011","journal-title":"Patient Education & Counseling"},{"key":"key2020120620011859600_ref058","article-title":"Study notes: qualitative research: sampling & sample size considerations","year":"1998"},{"key":"key2020120620011859600_ref059","unstructured":"Northrup, L. (2011), \u201cMichaels warns customers of possible data breach\u201d, available at: http:\/\/consumerist.com\/2011\/05\/05\/michaels-warns-customers-of-possible-data-breach\/ (accessed 11 January 2016)."},{"key":"key2020120620011859600_ref060","unstructured":"Partenheimer, D. (2014), \u201cPostal service statement on cyber intrusion incident\u201d, available at: https:\/\/about.usps.com\/news\/fact-sheets\/scenario\/media-statement-final.pdf (accessed 11 January 2016)"},{"key":"key2020120620011859600_ref061","volume-title":"Qualitative Evaluation and Research Methods","year":"2001","edition":"3rd ed."},{"key":"key2020120620011859600_ref062","unstructured":"PCI DSS (2008), \u201cAbout the PCI Data Security Standard, PCI Security Standards Council\u201d available at: www.pcisecuritystandards.org\/organization_info\/index.php (accessed 6 November 2015)."},{"key":"key2020120620011859600_ref063","volume-title":"Nursing Research: Principles and Methods","year":"2012"},{"issue":"2","key":"key2020120620011859600_ref064","first-page":"57","article-title":"CIO leadership profiles: implications of matching CIO authority and leadership capability on IT impact","volume":"7","year":"2008","journal-title":"MIS Quarterly Executive"},{"key":"key2020120620011859600_ref065","unstructured":"PwC (2014), \u201cUS cybercrime: rising risks, reduced readiness key findings from the 2014 US state of cybercrime survey\u201d, available at: www.pwc.com\/cybersecurity (accessed 2 February 2015)."},{"key":"key2020120620011859600_ref066","unstructured":"Roman, J. (2014), \u201cNeiman Marcus hires first CISO\u201d, available at: www.bankinfosecurity.com\/neiman-marcus-hires-first-ciso-a-7554extrated (accessed 23 January 2015)."},{"key":"key2020120620011859600_ref067","unstructured":"Rubin, C. (2014), \u201cA letter from our CEO\u201d, available at: www.michaels.com\/payment-card-notice-ceo-letter\/payment-card-notice-CEO.html (accessed 10 October 2015)."},{"key":"key2020120620011859600_ref068","article-title":"The role of the CEO in the management of change","volume-title":"Transforming Organizations","year":"1992"},{"key":"key2020120620011859600_ref069","unstructured":"Schneberger, S., Wade, M., Allen, G., Vance, A. and Eargle, D. (Eds) (2013), \u201cTheories used in IS research wiki\u201d, available at: http:\/\/istheory.byu.edu (accessed 27 December 2014)."},{"issue":"5","key":"key2020120620011859600_ref070","first-page":"1","article-title":"Agency problems in information security: theory and application to korean business","volume":"15","year":"2015","journal-title":"Korea"},{"issue":"1","key":"key2020120620011859600_ref071","doi-asserted-by":"crossref","first-page":"73","DOI":"10.1108\/ICS-03-2014-0020","article-title":"The impact of repeated data breach events on organisations\u2019 market value","volume":"24","year":"2016","journal-title":"Information & Computer Security"},{"issue":"2","key":"key2020120620011859600_ref072","doi-asserted-by":"crossref","first-page":"139","DOI":"10.1057\/ejis.2012.45","article-title":"Revisiting IS business value research: what we already know, what we still need to know, and how we can get there","volume":"22","year":"2013","journal-title":"European Journal of Information Systems"},{"key":"key2020120620011859600_ref073","unstructured":"Security (2015), \u201c2015 security 500 sector reports\u201d, available at: www.securitymagazine.com\/articles\/86726-security-500-sector-reports (accessed 13 January 2016)."},{"issue":"5","key":"key2020120620011859600_ref074","doi-asserted-by":"crossref","first-page":"197","DOI":"10.1108\/09685220010353178","article-title":"Critical analysis of different approaches to minimizing user-related faults in information systems security: implications for research and practice","volume":"8","year":"2000","journal-title":"Information Management & Computer Security"},{"key":"key2020120620011859600_ref075","article-title":"Sarbanes-oxley act of 2002","volume-title":"The Public Company Accounting Reform and Investor Protection Act","year":"2002"},{"key":"key2020120620011859600_ref076","first-page":"503","article-title":"User participation in information systems security risk management","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2020120620011859600_ref077","unstructured":"Steinhafel, G. (2013), \u201cA message from CEO Gregg Steinhafel about Target\u2019s payment card issues\u201d, available at: https:\/\/corporate.target.com\/article\/2013\/12\/important-notice-unauthorized-access-to-payment-ca (accessed 11 January 2016)."},{"key":"key2020120620011859600_ref078","unstructured":"Target (2015), \u201cTarget Names Brad Maiorino Senior Vice President, Chief Information Security Officer\u201d, available at: http:\/\/pressroom.target.com\/news\/target-names-brad-maiorino-senior-vice-president-chief-information-security-officer (accessed 1 February 2015)."},{"key":"key2020120620011859600_ref079","unstructured":"The Home Depot (2014), \u201cReports findings in payment data breach investigation\u201d, available at: https:\/\/corporate.homedepot.com\/MediaCenter\/Documents\/Press%20Release.pdf (accessed 11 January 2016)."},{"key":"key2020120620011859600_ref080","unstructured":"US Department of HHS (2013), \u201cWellPoint pays HHS $1.7 million for leaving information accessible over Internet\u201d, available at: www.hhs.gov\/hipaa\/for-professionals\/compliance-enforcement\/examples\/wellpoint\/index.html (accessed 5 October 2015)."},{"issue":"4","key":"key2020120620011859600_ref081","doi-asserted-by":"crossref","first-page":"445","DOI":"10.1108\/14637150410548100","article-title":"Business analysis metrics for business process redesign","volume":"10","year":"2004","journal-title":"Business Process Management"},{"key":"key2020120620011859600_ref082","unstructured":"Vijayan, J. (2010), \u201cCourt gives preliminary OK to $4M consumer settlement in Heartland case, Payment processor agrees to reimburse consumers for costs associated with 2009 breach\u201d, available at: www.computerworld.com\/article\/2518212\/security0\/court-gives-preliminary-ok-to\u20134m-consumer-settlement-in-heartland-case.html (accessed 11 January 2016)."},{"issue":"5","key":"key2020120620011859600_ref083","doi-asserted-by":"crossref","first-page":"371","DOI":"10.1016\/j.cose.2004.05.002","article-title":"The 10 deadly sins of information security management","volume":"23","year":"2004","journal-title":"Computers & Security"},{"key":"key2020120620011859600_ref084","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cose.2014.04.005","article-title":"A situation awareness model for information security risk management","volume":"44","year":"2014","journal-title":"Computers & Security"},{"key":"key2020120620011859600_ref085","volume-title":"IT Governance: How Top Performers Manage IT Decision Rights for Superior Results","year":"2004"},{"issue":"3","key":"key2020120620011859600_ref086","first-page":"15","article-title":"The chief information security officer: an analysis of the skills required for success","volume":"48","year":"2008","journal-title":"Journal of Computer Information Systems"},{"key":"key2020120620011859600_ref087","unstructured":"Williams, M. (2011), \u201cSony apologizes, details playstation network attack\u201d, available at: www.computerworld.com\/article\/2508384\/security0\/sony-apologizes\u2013details-playstation-network-attack.html (accessed 11 January 2016)."},{"key":"key2020120620011859600_ref088","unstructured":"Worthen, B. (2011), \u201cBreach brings scrutiny; incident sparks concern over outsourcing of email marketing\u201d, available at: www.wsj.com\/articles\/SB10001424052748704587004576245131531712342 (accessed 11 January 2016)."},{"issue":"2","key":"key2020120620011859600_ref089","article-title":"An empirical examination of the relationship between information security\/business strategic alignment and information security governance domain areas","volume":"9","year":"2014","journal-title":"Journal of Business Systems, Governance and Ethics"},{"issue":"1","key":"key2020120620011859600_ref090","doi-asserted-by":"crossref","first-page":"60","DOI":"10.1057\/jit.2010.4","article-title":"The impact of information security events on the stock value of firms: the effect of contingency factors","volume":"26","year":"2011","journal-title":"Journal of Information Technology"},{"key":"key2020120620011859600_ref091","first-page":"234","article-title":"Using goals, rules, and methods to support reasoning in business process reengineering","year":"1994"},{"issue":"1","key":"key2020120620011859600_ref092","doi-asserted-by":"crossref","first-page":"167","DOI":"10.1080\/07421222.2004.11045794","article-title":"The complementarity of information technology infrastructure and e-commerce capability: a resource-based assessment of their business value","volume":"21","year":"2004","journal-title":"Journal of Management Information Systems"},{"issue":"2","key":"key2020120620011859600_ref093","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1016\/0090-2616(85)90033-6","article-title":"Automate informate: the two faces of intelligent technology","volume":"14","year":"1985","journal-title":"Organizational Dynamics"},{"key":"key2020120620011859600_ref094","unstructured":"ARRA Components (2009), available at: www.hipaasurvivalguide.com\/hitech-act-text.php (accessed 16 January 2016)."}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2016-0013\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2016-0013\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:40Z","timestamp":1753406560000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/3\/300-329\/106032"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,7,10]]},"references-count":95,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2017,7,10]]}},"alternative-id":["10.1108\/ICS-02-2016-0013"],"URL":"https:\/\/doi.org\/10.1108\/ics-02-2016-0013","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2017,7,10]]}}}