{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,10]],"date-time":"2026-03-10T15:18:13Z","timestamp":1773155893825,"version":"3.50.1"},"reference-count":29,"publisher":"American Accounting Association","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,3,1]]},"abstract":"<jats:title>ABSTRACT<\/jats:title>\n               <jats:p>This paper explores whether IT and audit professionals have different perceptions of the substantive and symbolic perspectives of information security assurance and the role of security configuration management (SCM) using a mixture of qualitative and quantitative approaches. Importance performance analysis (IPA) is utilized to identify differences in perceived importance and perceived controllability from both substantive and symbolic perspectives between these two professional groups. Our results suggest that SCM plays a vital role in maintaining consistency between the IT and audit professionals by enhancing their confidence in controlling and managing information security control sets. IPA also helps determine an information security program's strengths and weaknesses and supports remedial strategic actions more efficiently. Implications for both research and practice are discussed.<\/jats:p>","DOI":"10.2308\/isys-2020-065","type":"journal-article","created":{"date-parts":[[2021,7,19]],"date-time":"2021-07-19T20:11:21Z","timestamp":1626725481000},"page":"181-199","source":"Crossref","is-referenced-by-count":4,"title":["Information Security Assurance and the Role of Security Configuration Management: Substantive and Symbolic Perspectives"],"prefix":"10.2308","volume":"36","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7859-2865","authenticated-orcid":true,"given":"Chia-Ming","family":"Sun","sequence":"first","affiliation":[{"name":"National Yunlin University of Science and Technology"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yen-Yao","family":"Wang","sequence":"additional","affiliation":[{"name":"Auburn University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chen-Bin","family":"Yang","sequence":"additional","affiliation":[{"name":"Taichung Commercial Bank"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1112","published-online":{"date-parts":[[2021,7,19]]},"reference":[{"key":"2024082915282865700_i1558-7959-36-1-181-Abalo1","doi-asserted-by":"crossref","unstructured":"Abalo,\n              J.,\n            \n            \n              Varela\n              J.,\n             and\n\t\t\t\t\t\tManzanoV.\n          2007.\n\t\t\t\t\tImportance values for Importance\u2013Performance Analysis: A formula for spreading out values derived from preference rankings.\n\t\t\t\t\tJournal of Business Research60 (\n\t\t\t\t\t2):\n\t\t\t\t\t115\u2013121.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.jbusres.2006.10.009","DOI":"10.1016\/j.jbusres.2006.10.009"},{"key":"2024082915282865700_i1558-7959-36-1-181-Chang1","doi-asserted-by":"crossref","unstructured":"Chang,\n              H. H.\n            \n          \n          2006.\n\t\t\t\t\tTechnical and management perceptions of enterprise information system importance, implementation and benefits.\n\t\t\t\t\tInformation Systems Journal16 (\n\t\t\t\t\t3):\n\t\t\t\t\t263\u2013\n\t\t\t\t\t292.\n\t\t\t\t\thttps:\/\/doi.org\/10.1111\/j.1365-2575.2006.00217.x","DOI":"10.1111\/j.1365-2575.2006.00217.x"},{"key":"2024082915282865700_i1558-7959-36-1-181-Cram1","doi-asserted-by":"crossref","unstructured":"Cram,\n              W. A.,\n            \n            \n              Proudfoot\n              J. G.,\n             and\n\t\t\t\t\t\tD'arcyJ.\n          2017.\n\t\t\t\t\tOrganizational information security policies: A review and research framework.\n\t\t\t\t\tEuropean Journal of Information Systems26 (\n\t\t\t\t\t6):\n\t\t\t\t\t605\u2013641.\n\t\t\t\t\thttps:\/\/doi.org\/10.1057\/s41303-017-0059-9","DOI":"10.1057\/s41303-017-0059-9"},{"key":"2024082915282865700_i1558-7959-36-1-181-Eisenhardt1","doi-asserted-by":"crossref","unstructured":"Eisenhardt,\n              K. M.\n            \n          \n          1989.\n\t\t\t\t\tBuilding theories from case study research.\n\t\t\t\t\tAcademy of Management Review14 (\n\t\t\t\t\t4):\n\t\t\t\t\t532\u2013\n\t\t\t\t\t550.\n\t\t\t\t\thttps:\/\/doi.org\/10.2307\/258557","DOI":"10.5465\/amr.1989.4308385"},{"key":"2024082915282865700_i1558-7959-36-1-181-Hamill1","doi-asserted-by":"crossref","unstructured":"Hamill,\n              J. T.,\n            \n            \n              Deckro\n              R. F.,\n             and\n\t\t\t\t\t\tKloeber,J. M.Jr.\n          2005.\n\t\t\t\t\tEvaluating information assurance strategies.\n\t\t\t\t\tDecision Support Systems39 (\n\t\t\t\t\t3):\n\t\t\t\t\t463\u2013\n\t\t\t\t\t484.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.dss.2003.11.004","DOI":"10.1016\/j.dss.2003.11.004"},{"key":"2024082915282865700_i1558-7959-36-1-181-Jemmasi1","doi-asserted-by":"crossref","unstructured":"Jemmasi,\n              M.,\n            \n            \n              Strong\n              K. C.,\n             and\n\t\t\t\t\t\tTaylorS. A.\n          1994.\n\t\t\t\t\tMeasuring service quality for strategic planning and analysis in service firms.\n\t\t\t\t\tJournal of Applied Business Research10 (\n\t\t\t\t\t4):\n\t\t\t\t\t24\u2013\n\t\t\t\t\t34.\n\t\t\t\t\thttps:\/\/doi.org\/10.19030\/jabr.v10i4.5904","DOI":"10.19030\/jabr.v10i4.5904"},{"key":"2024082915282865700_i1558-7959-36-1-181-Johnson1","doi-asserted-by":"crossref","unstructured":"Johnson,\n              A.,\n            \n            \n              Dempsey,\n              K.\n            \n            \n              Ross\n              R.,\n            \n            \n              Gupta\n              S.,\n             and\n\t\t\t\t\t\tBaileyD..\n\t\t\t\t\t2011. Guide for security-focused configuration management of information systems.\n\t\t\t\t\tAvailable at: https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-128.pdf","DOI":"10.6028\/NIST.SP.800-128-2011"},{"key":"2024082915282865700_i1558-7959-36-1-181-Kahyaoglu1","doi-asserted-by":"crossref","unstructured":"Kahyaoglu,\n              S. B.,\n             and\n\t\t\t\t\t\tCaliyurtK.\n          2018.\n\t\t\t\t\tCyber security assurance process from the internal audit perspective.\n\t\t\t\t\tManagerial Auditing Journal 33(4): 360\u2013376.","DOI":"10.1108\/MAJ-02-2018-1804"},{"key":"2024082915282865700_i1558-7959-36-1-181-Malimage1","doi-asserted-by":"crossref","unstructured":"Malimage,\n              K.,\n            \n            \n              Raddatz\n              N.,\n            \n            \n              Trinkle\n              B. S.,\n            \n            \n              Crossler\n              R. E.,\n             and\n\t\t\t\t\t\tBaaskeR.\n          2020.\n\t\t\t\t\tImpact of deterrence and inertia on information security policy changes.\n\t\t\t\t\tJournal of Information Systems34 (\n\t\t\t\t\t1):\n\t\t\t\t\t123\u2013\n\t\t\t\t\t134.\n\t\t\t\t\thttps:\/\/doi.org\/10.2308\/isys-52400","DOI":"10.2308\/isys-52400"},{"key":"2024082915282865700_i1558-7959-36-1-181-Martilla1","doi-asserted-by":"crossref","unstructured":"Martilla,\n              J. A.,\n             and\n\t\t\t\t\t\tJamesJ. C.\n          1977.\n\t\t\t\t\tImportance-performance analysis.\n\t\t\t\t\tJournal of Marketing41 (\n\t\t\t\t\t1):\n\t\t\t\t\t77\u2013\n\t\t\t\t\t79.\n\t\t\t\t\thttps:\/\/doi.org\/10.1177\/002224297704100112","DOI":"10.1177\/002224297704100112"},{"key":"2024082915282865700_i1558-7959-36-1-181-McCormac1","doi-asserted-by":"crossref","unstructured":"McCormac,\n              A.,\n            \n            \n              Zwaans\n              T.,\n            \n            \n              Parsons\n              K.,\n            \n            \n              Calic\n              D.,\n            \n            \n              Butavicius\n              M.,\n             and\n\t\t\t\t\t\tPattinsonM.\n          2017.\n\t\t\t\t\tIndividual differences and information security awareness.\n\t\t\t\t\tComputers in Human Behavior69:\n\t\t\t\t\t151\u2013\n\t\t\t\t\t156.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.chb.2016.11.065","DOI":"10.1016\/j.chb.2016.11.065"},{"key":"2024082915282865700_i1558-7959-36-1-181-Mouratidis1","doi-asserted-by":"crossref","unstructured":"Mouratidis,\n              H.,\n            \n            \n              Jahankhani\n              H.,\n             and\n\t\t\t\t\t\tNkhomaM. Z.\n          2008.\n\t\t\t\t\tManagement versus security specialists: An empirical study on security related perceptions.\n\t\t\t\t\tInformation Management & Computer Security16 (\n\t\t\t\t\t2):\n\t\t\t\t\t187\u2013\n\t\t\t\t\t205.\n\t\t\t\t\thttps:\/\/doi.org\/10.1108\/09685220810879645","DOI":"10.1108\/09685220810879645"},{"key":"2024082915282865700_i1558-7959-36-1-181-NationalInstituteofStandardsandTechnologyNIST1","unstructured":"National Institute of Standards and Technology (NIST).\n          2013.\n\t\t\t\t\tSpecial publication 800-53, revision 4: Security and privacy controls for federal information systems and organization.\n\t\t\t\t\tAvailable at: https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-53\/rev-4\/archive\/2015-01-22"},{"key":"2024082915282865700_i1558-7959-36-1-181-NationalInstituteofStandardsandTechnologyNIST2","unstructured":"National Institute of Standards and Technology (NIST).\n          \n          2017.\n\t\t\t\t\tSpecial publication 800-53, revision 5: Security and privacy controls for information systems and organization.\n\t\t\t\t\tAvailable at: https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf"},{"key":"2024082915282865700_i1558-7959-36-1-181-Nuijten1","doi-asserted-by":"crossref","unstructured":"Nuijten,\n              A.,\n            \n            \n              Keil\n              M.,\n            \n            \n              Van der Pijl\n              G.,\n             and\n\t\t\t\t\t\tCommandeurH.\n          2018.\n\t\t\t\t\tIT managers' vs. IT auditors' perceptions of risks: An actor-observer asymmetry perspective.\n\t\t\t\t\tInformation & Management55 (\n\t\t\t\t\t1):\n\t\t\t\t\t80\u2013\n\t\t\t\t\t93.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.im.2017.04.002","DOI":"10.1016\/j.im.2017.04.002"},{"key":"2024082915282865700_i1558-7959-36-1-181-Nunnally1","unstructured":"Nunnally,\n              J. C.,\n             and\n\t\t\t\t\t\tBernsteinI. H.\n          1994.\n\t\t\t\t\tPsychometric Theory.\n\t\t\t\t\tNew York, NY:McGraw-Hill Companies."},{"key":"2024082915282865700_i1558-7959-36-1-181-Posey1","doi-asserted-by":"crossref","unstructured":"Posey,\n              C.,\n            \n            \n              Roberts\n              T. L.,\n            \n            \n              Lowry\n              P. B.,\n             and\n\t\t\t\t\t\tHightowerR. T.\n          2014.\n\t\t\t\t\tBridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders.\n\t\t\t\t\tInformation & Management51 (\n\t\t\t\t\t5):\n\t\t\t\t\t551\u2013\n\t\t\t\t\t567.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.im.2014.03.009","DOI":"10.1016\/j.im.2014.03.009"},{"key":"2024082915282865700_i1558-7959-36-1-181-Shackleford1","unstructured":"Shackleford,\n              D.\n            \n          \n          2012.\n\t\t\t\t\tSecure configuration management demystified.\n\t\t\t\t\tAvailable at: https:\/\/www.sans.org\/reading-room\/whitepapers\/analyst\/secure-configuration-management-demystified-35205"},{"key":"2024082915282865700_i1558-7959-36-1-181-Spears1","doi-asserted-by":"crossref","unstructured":"Spears,\n              J. L.,\n            \n            \n              Barki\n              H.,\n             and\n\t\t\t\t\t\tBartonR. R.\n          2013.\n\t\t\t\t\tTheorizing the concept and role of assurance in information systems security.\n\t\t\t\t\tInformation & Management50 (\n\t\t\t\t\t7):\n\t\t\t\t\t598\u2013\n\t\t\t\t\t605.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.im.2013.08.004","DOI":"10.1016\/j.im.2013.08.004"},{"key":"2024082915282865700_i1558-7959-36-1-181-Steinbart1","doi-asserted-by":"crossref","unstructured":"Steinbart,\n              P. J.,\n            \n            \n              Raschke\n              R. L.,\n            \n            \n              Gal\n              G.,\n             and\n\t\t\t\t\t\tDillaW. N.\n          2012.\n\t\t\t\t\tThe relationship between internal audit and information security: An exploratory investigation.\n\t\t\t\t\tInternational Journal of Accounting Information Systems13 (\n\t\t\t\t\t3):\n\t\t\t\t\t228\u2013\n\t\t\t\t\t243.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.accinf.2012.06.007","DOI":"10.1016\/j.accinf.2012.06.007"},{"key":"2024082915282865700_i1558-7959-36-1-181-Steinbart2","doi-asserted-by":"crossref","unstructured":"Steinbart,\n              P. J.,\n            \n            \n              Raschke\n              R. L.,\n            \n            \n              Gal\n              G.,\n             and\n\t\t\t\t\t\tDillaW. N.\n          2013.\n\t\t\t\t\tInformation security professionals' perceptions about the relationship between the information security and internal audit functions.\n\t\t\t\t\tJournal of Information Systems27 (\n\t\t\t\t\t2):\n\t\t\t\t\t65\u2013\n\t\t\t\t\t86.\n\t\t\t\t\thttps:\/\/doi.org\/10.2308\/isys-50510","DOI":"10.2308\/isys-50510"},{"key":"2024082915282865700_i1558-7959-36-1-181-Steinbart3","doi-asserted-by":"crossref","unstructured":"Steinbart,\n              P. J.,\n            \n            \n              Raschke\n              R. L.,\n            \n            \n              Gal\n              G.,\n             and\n\t\t\t\t\t\tDillaW. N.\n          2016.\n\t\t\t\t\tSECURQUAL: An instrument for evaluating the effectiveness of enterprise information security programs.\n\t\t\t\t\tJournal of Information Systems30 (\n\t\t\t\t\t1):\n\t\t\t\t\t71\u2013\n\t\t\t\t\t92.\n\t\t\t\t\thttps:\/\/doi.org\/10.2308\/isys-51257","DOI":"10.2308\/isys-51257"},{"key":"2024082915282865700_i1558-7959-36-1-181-Steinbart4","doi-asserted-by":"crossref","unstructured":"Steinbart,\n              P. J.,\n            \n            \n              Raschke\n              R. L.,\n            \n            \n              Gal\n              G.,\n             and\n\t\t\t\t\t\tDillaW. N.\n          2018.\n\t\t\t\t\tThe influence of a good relationship between the internal audit and information security functions on information security outcomes.\n\t\t\t\t\tAccounting, Organizations and Society71:\n\t\t\t\t\t15\u2013\n\t\t\t\t\t29.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.aos.2018.04.005","DOI":"10.1016\/j.aos.2018.04.005"},{"key":"2024082915282865700_i1558-7959-36-1-181-Torkura1","doi-asserted-by":"crossref","unstructured":"Torkura,\n              K.,\n            \n            \n              Sukmana\n              M. I.,\n            \n            \n              Cheng\n              F.,\n             and\n\t\t\t\t\t\tMeinelC.\n          2021.\n\t\t\t\t\tContinuous auditing and threat detection in multi-cloud infrastructure.\n\t\t\t\t\tComputers & Security102:\n\t\t\t\t\t102124.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.cose.2020.102124","DOI":"10.1016\/j.cose.2020.102124"},{"key":"2024082915282865700_i1558-7959-36-1-181-Trinkle1","doi-asserted-by":"crossref","unstructured":"Trinkle,\n              B. S.,\n            \n            \n              Crossler\n              R. E.,\n             and\n\t\t\t\t\t\tWarkentinM.\n          2014.\n\t\t\t\t\tI'm game, are you? Reducing real-world security threats by managing employee activity in online social networks.\n\t\t\t\t\tJournal of Information Systems28 (\n\t\t\t\t\t2):\n\t\t\t\t\t307\u2013\n\t\t\t\t\t327.\n\t\t\t\t\thttps:\/\/doi.org\/10.2308\/isys-50776","DOI":"10.2308\/isys-50776"},{"key":"2024082915282865700_i1558-7959-36-1-181-Venkatesh1","doi-asserted-by":"crossref","unstructured":"Venkatesh,\n              V.,\n            \n            \n              Brown\n              S. A.,\n             and\n\t\t\t\t\t\tBalaH.\n          2013.\n\t\t\t\t\tBridging the qualitative-quantitative divide: Guidelines for conducting mixed methods research in information systems.\n\t\t\t\t\tManagement Information Systems Quarterly37 (\n\t\t\t\t\t1):\n\t\t\t\t\t21\u2013\n\t\t\t\t\t54.\n\t\t\t\t\thttps:\/\/doi.org\/10.25300\/MISQ\/2013\/37.1.02","DOI":"10.25300\/MISQ\/2013\/37.1.02"},{"key":"2024082915282865700_i1558-7959-36-1-181-Wang1","doi-asserted-by":"crossref","unstructured":"Wang,\n              T.,\n            \n            \n              Wang\n              Y.-Y.,\n             and\n\t\t\t\t\t\tYenJ.-C.\n          2019.\n\t\t\t\t\tIt's not my fault: The transfer of information security breach information.\n\t\t\t\t\tJournal of Database Management30 (\n\t\t\t\t\t3):\n\t\t\t\t\t18\u2013\n\t\t\t\t\t37.\n\t\t\t\t\thttps:\/\/doi.org\/10.4018\/JDM.2019070102","DOI":"10.4018\/JDM.2019070102"},{"key":"2024082915282865700_i1558-7959-36-1-181-Willison1","doi-asserted-by":"crossref","unstructured":"Willison,\n              R.,\n            \n            \n              Warkentin\n              M.,\n             and\n\t\t\t\t\t\tJohnstonA. C.\n          2018.\n\t\t\t\t\tExamining employee computer abuse intentions: Insights from justice, deterrence and neutralization perspectives.\n\t\t\t\t\tInformation Systems Journal28 (\n\t\t\t\t\t2):\n\t\t\t\t\t266\u2013\n\t\t\t\t\t293.\n\t\t\t\t\thttps:\/\/doi.org\/10.1111\/isj.12129","DOI":"10.1111\/isj.12129"},{"key":"2024082915282865700_i1558-7959-36-1-181-Wu1","doi-asserted-by":"crossref","unstructured":"Wu,\n              J.,\n            \n            \n              Wang\n              Y.,\n            \n            \n              Zhang\n              R.,\n             and\n\t\t\t\t\t\tCaiJ.\n          2018.\n\t\t\t\t\tAn approach to discovering product\/service improvement priorities: Using dynamic importance-performance analysis.\n\t\t\t\t\tSustainability10 (\n\t\t\t\t\t10):\n\t\t\t\t\t3564.\n\t\t\t\t\thttps:\/\/doi.org\/10.3390\/su10103564","DOI":"10.3390\/su10103564"}],"container-title":["Journal of Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/publications.aaahq.org\/jis\/article-pdf\/36\/1\/181\/8003\/i1558-7959-36-1-181.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/publications.aaahq.org\/jis\/article-pdf\/36\/1\/181\/8003\/i1558-7959-36-1-181.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,8,29]],"date-time":"2024-08-29T17:00:46Z","timestamp":1724950846000},"score":1,"resource":{"primary":{"URL":"https:\/\/publications.aaahq.org\/jis\/article\/36\/1\/181\/992\/Information-Security-Assurance-and-the-Role-of"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,7,19]]},"references-count":29,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2021,7,19]]},"published-print":{"date-parts":[[2022,3,1]]}},"URL":"https:\/\/doi.org\/10.2308\/isys-2020-065","relation":{},"ISSN":["1558-7959","0888-7985"],"issn-type":[{"value":"1558-7959","type":"electronic"},{"value":"0888-7985","type":"print"}],"subject":[],"published":{"date-parts":[[2021,7,19]]}}}