{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,28]],"date-time":"2026-01-28T08:36:07Z","timestamp":1769589367152,"version":"3.49.0"},"reference-count":48,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2017,7,10]],"date-time":"2017-07-10T00:00:00Z","timestamp":1499644800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,7,10]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to explore the use of soft systems methodology (SSM) to analyse the socio-technical information security issues in a major bank.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>Case study research was conducted on a major bank. Semi-structured interviews with a purposive sample of key stakeholders in the business, comprising senior managers, security professionals and branch employees were conducted.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>SSM was particularly useful for exploring the holistic information security issues, enabling models to be constructed which were valuable analytical tools and easily understood by stakeholders, which increased the receptiveness of the bank, and assisted with member validation. Significant risks were apparent from internal sources with weaknesses in aspects of governance and security culture.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>This research uses a single case study and whilst it cannot be generalised, it identifies potential security issues others may face and solutions they may apply.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>Information security is complex and addresses technical, governance, management and cultural risks. Banking attacks are changing, with greater focus on employees and customers. A systemic approach is required for full consideration. SSM is a suitable approach for such analysis within large organisations.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This study demonstrates how important benefits can be obtained by using SSM alongside traditional risk assessment approaches to identify holistic security issues. A holistic approach is particularly important given the increasing complexity of the security threat surface. Banking was selected as a case study because it is both critical to society and is a prime target for attack. Furthermore, developing economies are under-represented in information security research, this paper adds to the evidence base. As global finance is highly interconnected, it is important that banks in such economies do not comprise a weak link, and hence, results from this case have value for the industry as a whole.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-07-2016-0053","type":"journal-article","created":{"date-parts":[[2017,5,24]],"date-time":"2017-05-24T07:32:02Z","timestamp":1495611122000},"page":"240-258","source":"Crossref","is-referenced-by-count":19,"title":["Analysing information security in a bank using soft systems methodology"],"prefix":"10.1108","volume":"25","author":[{"given":"Temesgen Kitaw","family":"Damenu","sequence":"first","affiliation":[]},{"given":"Chris","family":"Beaumont","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020120621013720800_ref001","unstructured":"Alfawaz, S.M. (2011), \u201cInformation security management: a case study of an information security culture\u201d, Doctoral dissertation, Queensland University of Technology."},{"key":"key2020120621013720800_ref002","unstructured":"Chaula, J.A. (2006), \u201cA socio-technical analysis of information systems security assurance: a case study for effective assurance\u201d, Doctoral dissertation, Stokholm University."},{"issue":"1","key":"key2020120621013720800_ref003","article-title":"Soft systems methodology: a thirty year retrospective","volume":"17","year":"1999","journal-title":"Systems Research and Behavioral Science"},{"key":"key2020120621013720800_ref004","volume-title":"Learning for Action: A Short Definitive Account of Soft Systems Methodology and its Use for Practitioners, Teachers and Students","year":"2006"},{"issue":"4","key":"key2020120621013720800_ref005","doi-asserted-by":"crossref","first-page":"361","DOI":"10.1080\/10580530701586136","article-title":"An information security governance framework","volume":"24","year":"2007","journal-title":"Information Systems Management"},{"issue":"2","key":"key2020120621013720800_ref006","first-page":"196","article-title":"A framework and assessment instrument for information security culture","volume":"20","year":"2010","journal-title":"Computers & Security"},{"key":"key2020120621013720800_ref007","article-title":"Financial fraud action UK annual review: working together to prevent fraud","author":"FFA","year":"2015"},{"issue":"4","key":"key2020120621013720800_ref008","doi-asserted-by":"crossref","first-page":"377","DOI":"10.1108\/09685220810908796","article-title":"Implementation and effectiveness of organizational information security measures","volume":"16","year":"2008","journal-title":"Information Management & Computer Security"},{"key":"key2020120621013720800_ref009","first-page":"1","article-title":"BMIS-an introduction to the system environment","volume":"4","year":"2011","journal-title":"ISACA Journal"},{"issue":"4","key":"key2020120621013720800_ref010","doi-asserted-by":"crossref","first-page":"373","DOI":"10.1016\/j.jsis.2011.06.001","article-title":"Value conflicts for information security management","volume":"20","year":"2011","journal-title":"The Journal of Strategic Information Systems"},{"issue":"5","key":"key2020120621013720800_ref011","doi-asserted-by":"crossref","first-page":"402","DOI":"10.1016\/S0167-4048(02)00504-7","article-title":"Information security policy-what do international information security standards say?","volume":"21","year":"2002","journal-title":"Computers & Security"},{"key":"key2020120621013720800_ref012","unstructured":"ISACA (2010), \u201cBusiness model for information security (BMIS)\u201d, available at: www.isaca.org\/Knowledge-Center\/BMIS\/Pages\/Business-Model-for-Information-Security.aspx (accessed 12 March 2015)."},{"key":"key2020120621013720800_ref013","unstructured":"ISACA (2011), \u201cCreating a culture of security\u201d, available at: www.isaca.org\/Knowledge-Center\/Research\/ResearchDeliverables\/Pages\/Creating-a-Culture-of-Security.aspx (accessed 18 February 2015)."},{"key":"key2020120621013720800_ref015","first-page":"10","article-title":"Managing information systems security: a soft approach","year":"1996"},{"issue":"3","key":"key2020120621013720800_ref016","doi-asserted-by":"crossref","first-page":"246","DOI":"10.1108\/ICS-05-2014-0033","article-title":"Information security culture \u2013 state-of-the art review between 2000 and 2013","volume":"23","year":"2015","journal-title":"Information & Computer Security"},{"key":"key2020120621013720800_ref017","unstructured":"Kaspersky Lab (2015), \u201cThe great bank robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide\u201d, available at: www.kaspersky.com\/about\/news\/virus\/2015\/Carbanak-cybergang-steals-1-bn-USD-from-100-financial-institutions-worldwide (accessed 19 March 2015)."},{"key":"key2020120621013720800_ref018","volume-title":"Managing the Human Factor in Information Security","year":"2009"},{"key":"key2020120621013720800_ref019","first-page":"122","article-title":"Methodologies for evaluating information security investments-What Basel II can change in the financial industry","year":"2005"},{"key":"key2020120621013720800_ref020","unstructured":"Mulwa, D.K. (2012), \u201cA survey of insider information security threats management in commercial banks in Kenya\u201d, Doctoral dissertation, University of Nairobi."},{"issue":"7","key":"key2020120621013720800_ref021","article-title":"Information security risk assessment for banking sector-a case study of Pakistani banks","volume":"10","year":"2010","journal-title":"Global Journal of Computer Science and Technology"},{"issue":"6","key":"key2020120621013720800_ref022","first-page":"73","article-title":"Perceptions towards on-line banking security: an empirical investigation of a developing countrys banking sector, how secure is on-line banking","volume":"1","year":"2012","journal-title":"International Journal of Computer Science and Network (IJCSN)"},{"key":"key2020120621013720800_ref023","unstructured":"OECD (2015), \u201cDigital security risk management for economic and social prosperity: OECD recommendation and companion document\u201d, available at: www.oecd.org\/sti\/ieconomy\/digital-security-risk-management.pdf (accessed 19 January 016)."},{"key":"key2020120621013720800_ref024","article-title":"Assessing information security culture: a critical analysis of current approaches","volume-title":"Information Security for South Africa (ISSA)","year":"2012"},{"key":"key2020120621013720800_ref025","article-title":"Assessing information system security: an application for the soft systems methodology","year":"2002"},{"issue":"8","key":"key2020120621013720800_ref026","doi-asserted-by":"crossref","first-page":"638","DOI":"10.1016\/j.cose.2004.10.006","article-title":"A framework for the governance of information security","volume":"23","year":"2004","journal-title":"Computers & Security"},{"key":"key2020120621013720800_ref027","unstructured":"Raytheon\/Websence (2015), \u201cIndustry Drill-down report: financial services\u201d, available at: www.websense.com\/assets\/reports\/report-2015-industry-drill-down-finance-en.pdf (accessed 23 December 2015)."},{"key":"key2020120621013720800_ref028","unstructured":"Salvi, V. (2013), \u201cInformation security management at HDFC bank: contribution of seven enablers\u201d, available at: www.isaca.org\/Knowledge-Center\/Documents\/Information-Security-Management-at-HDFC%20Bank-Contribution-of-Seven-Enablers_1113.pdf (accessed 18 February 2015)."},{"key":"key2020120621013720800_ref029","volume-title":"The Corporate Culture Survival Guide","year":"2009"},{"issue":"7","key":"key2020120621013720800_ref030","first-page":"33","article-title":"Mediating effect of information security culture on the relationship between information security activities and organizational performance in the nigerian banking setting","volume":"9","year":"2014","journal-title":"International Journal of Business and Management"},{"issue":"1","key":"key2020120621013720800_ref031","doi-asserted-by":"crossref","first-page":"31","DOI":"10.1108\/09685220010371394","article-title":"A conceptual foundation for organizational information security awareness","volume":"8","year":"2000","journal-title":"Information Management & Computer Security"},{"issue":"5","key":"key2020120621013720800_ref032","first-page":"23","article-title":"Information security management system standards: a comparative study of the big five","volume":"11","year":"2011","journal-title":"International Journal of Electrical & Computer Sciences IJECS-IJENS"},{"key":"key2020120621013720800_ref033","unstructured":"Symantec (2012), \u201cInternet security threat report trends for 2011\u201d, Vol. 17, available at: www.symantec.com\/about\/news\/resources\/press_kits\/detail.jsp?pkid=threat_report_17 (accessed 18 December 2015)."},{"key":"key2020120621013720800_ref034","unstructured":"Tarimo, C.N. (2006), \u201cICT security readiness checklist for developing countries: a social-technical approach\u201d, Doctoral dissertation, Stockholm University."},{"issue":"4","key":"key2020120621013720800_B36a","doi-asserted-by":"crossref","first-page":"167","DOI":"10.1108\/09685229810227649","article-title":"Information security awareness: educating your users effectively","volume":"6","year":"1998","journal-title":"Information Management & Computer Security"},{"key":"key2020120621013720800_ref035","unstructured":"Travelers (2015), \u201cTravelers business risk index\u201d, available at: www.travelers.com\/iw-documents\/resources\/business-risk-index\/2015-report.pdf (accessed 23 December 2015)."},{"key":"key2020120621013720800_ref036","first-page":"75","article-title":"Information technology security governance approach comparison in E-banking","volume-title":"Security Technology","year":"2011"},{"key":"key2020120621013720800_ref037","first-page":"41","article-title":"An analysis of information security governance structures: the case of Soci\u00e9t\u00e9 G\u00e9n\u00e9rale Bank","year":"2008"},{"key":"key2020120621013720800_ref038","first-page":"1","article-title":"A framework for the governance of information security in banking system","year":"2011","journal-title":"Journal of Information Assurance & Cyber Security"},{"key":"key2020120621013720800_ref039","first-page":"1","article-title":"Information security governance control through comprehensive policy architectures","year":"2011"},{"key":"key2020120621013720800_ref040","unstructured":"Weise, E. (2014), \u201cJP Morgan reveals data breach affected 76 million households\u201d, 3 October, available at: www.usatoday.com\/story\/tech\/2014\/10\/02\/jp-morgan-security-breach\/16590689\/ (accessed 18 February 2015)."},{"key":"key2020120621013720800_ref041","unstructured":"Wilson, H. (2013), \u201cEvery minute of every day, a bank is under cyber attack\u201d, 6 October, available at: www.telegraph.co.uk\/finance\/newsbysector\/banksandfinance\/10359563\/Every-minute-of-every-day-a-bank-is-under-cyber-attack.html (accessed 3 March 16)."},{"key":"key2020120621013720800_ref042","article-title":"Case study research design and methods","volume-title":"Applied Social Research Methods Series","year":"2009","edition":"4th"},{"issue":"3","key":"key2020120621013720800_ref043","doi-asserted-by":"crossref","first-page":"256","DOI":"10.1016\/j.cose.2006.11.003","article-title":"Holistic security management framework applied in electronic commerce","volume":"26","year":"2007","journal-title":"Computers & Security"},{"key":"key2020120621013720800_ref014","article-title":"ISO\/IEC 27001:2013","author":"ISO\/IEC","year":"2013","journal-title":"Information Technology \u2013 Security Techniques \u2013Information Security Management Systems \u2013 Requirements"},{"issue":"1","key":"key2020120621013720800_ref044","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1108\/09685221011035223","article-title":"Understanding and transforming organizational security culture","volume":"18","year":"2010","journal-title":"Information Management & Computer Security"},{"issue":"1","key":"key2020120621013720800_ref045","doi-asserted-by":"crossref","first-page":"32","DOI":"10.1016\/j.istr.2005.12.003","article-title":"Preparing information security for legal and regulatory compliance (sarbanes\u2013oxley and basel II)","volume":"11","year":"2006","journal-title":"Information Security Technical Report"},{"issue":"4","key":"key2020120621013720800_ref046","doi-asserted-by":"crossref","first-page":"476","DOI":"10.1016\/j.cose.2009.10.005","article-title":"Information security culture: a management perspective","volume":"29","year":"2010","journal-title":"Computers & Security"},{"key":"key2020120621013720800_ref047","volume-title":"Applications of Case Study Research","year":"2012"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2016-0053\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2016-0053\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:01Z","timestamp":1753406581000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/3\/240-258\/106021"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,7,10]]},"references-count":48,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2017,7,10]]}},"alternative-id":["10.1108\/ICS-07-2016-0053"],"URL":"https:\/\/doi.org\/10.1108\/ics-07-2016-0053","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2017,7,10]]}}}