Carol Hsu

Circuits of power in creating de jure standards: shaping an international information systems security standard

This paper addresses the role of power and politics in setting standards. It examines the interaction of external contingencies, powerful agents, resources, meaning, and membership of relevant social and institutional groupings in generating successful political outcomes. To study these interactions, the paper adopts the circuits of power, a theoretical framework taken from the social sciences, and applies it to understanding the creation and development of the first standard in information security management. An informal group of UK security chiefs sparked off a process which led first to BS7799, the British standard, and later to ISO 17799, the international standard. The case study portrays how the institutionalization of this ad hoc development process results from the interactions of power among the stakeholders involved. The case study also shows how the different interests and objectives of the stakeholders were influenced by exogenous contingencies and institutional forces. The paper discusses theoretical and practical implications for the future development of such standards.

Institutional Influences on Information Systems Security Innovations

This research investigates information security management as an administrative innovation. Although a number of institutional theories deal with information systems (IS) innovation in organizations, most of these institutional-centered frameworks overlook external economic efficiency and internal organizational capability in the presence of pressures of institutional conformity. Using Korea as the institutional setting, our research model posits that economic-based consideration will moderate the institutional conformity pressure on information security adoption while organization capability will influence the institutional confirmation of information security assimilation. The model is empirically tested using two-stage survey data from a field study of 140 organizations in Korea. The results indicate that in addition to institutional influences, our six proposed economic-based and organizational capability moderating variables all have significant influences on the degree of the adoption and assimilation of information security management. We conclude with implications for research in the area of organizational theory and the information security management literature, and for practices regarding how managers can factor into their information security planning the key implementation variables discovered in this study. The robust setting of the study in Korean firms allows us to generalize the theory to a new context and across cultures.

Frame misalignment: interpreting the implementation of information systems security certification in an organization

Although several studies have discussed the framework and value of information systems (IS) security standards and certification, there has been relatively little empirical research on how different groups of stakeholders in an organization interpret and behave during the implementation process. In an attempt to fill this research gap, this study employs a socio-cognitive perspective, namely the concept of frames analysis, to investigate how the managers and employees of a financial institution make sense of IS security certification, BS 7799 Part 2, and how these interpretations influence their actions. Using an interpretive case study approach, the findings show that the expectations of management have a strong impact on the implementation of the certification process. Moreover, the incongruence between the perceptions of managers and those of the certification team and other employees means that IS security management concepts may not be fully embedded in the organizations work practices and routines. This article argues that during the certification process, managers should place more emphasis on the identification of frame incongruence and undertake early intervention to align frames in order to achieve overall security effectiveness in the organization.

A question of trust

An economic perspective on quality standards in the certification services market.

A Legitimacy Challenge of a Cross-Cultural Interorganizational Information System

This paper studies the adoption and diffusion of a cross-cultural Interorganizational Information System (IOS), which is used to streamline the processing of financial transactions between European investment fund companies and Taiwanese banks. Drawing from institutional and organizational legitimacy theory, we argue that the adoption and implementation of technological innovation is contingent upon its alignment with three institutional pillars in different countries and the deployment of legitimation strategies by stakeholders. Departing from classical innovation diffusion theory, our empirical investigation reveals that the implementation of a cross-cultural IOS is a dynamic process involving the recognition, understanding, and management of the regulative, normative, and cognitive challenges arising in two different institutional settings. This paper contributes to the growing body of research that highlights the significance of social and institutional influences on the adoption of IOS in a global environment.

Institutionalizing operational risk management: an empirical study

This paper examines the development of operational risk management (ORM) in a financial organization, focusing in particular on the role of IT in institutionalizing the new regime. Through an interpretive case study in a major US financial institution, the paper uses Giddens’ structuration theory to examine how it adjusts to the demands of protecting itself against new operational risks. The discussion and results of our study are expressed in three propositions: (1) the regulatory context and technological development affect the shape and the outcome of ORM; (2) implementing ORM is a process of reflexive monitoring and transforming organizational practices in a financial institution; (3) the role of IT in ORM is contingent on the extant organizational structure and on the choice of risk management approach.

Creating the experience economy in e-commerce

Introduction Advances in information technology together with the forces of globalization have accelerated the growth of service industries. In 2003, the OECD reported that service industries now account for over 60% of both employment and the gross domestic product (GDP) of OECD member countries. The U.S Bureau of Labor Statistics (BLS) has forecast strong employment growth in the American service sector between 2004 and 2014. Although service industries are expanding, Gilmore and Pine argue that, the growing commoditisation of services offered has gradually transformed the competition for market share from focusing on the quality of services to the creation of memorable experiences. As a consequence, the competitive position of a firm now depends to a large extent on its ability to generate impressive experiences through innovative delivery channels. In this article, we adopt Gilmore and Pines view that the economic value of the experience economy lies in co-producing the staging experiences via customer participation and connection. Furthermore, we suggest that current technologies and the growth of the Internet have both enabled and strengthened the opportunities for experience-oriented offerings beyond limitations of time and place. In following sections, we first describe the current practice of experience economy in electronic commerce. Taking the iCare health care service as an example, we demonstrate how collaborative pricing over the Internet can further provide added-value to the production of experiences offered in the electronic marketplace.

Email adaptation for conflict handling: A case study of cross-border inter-organisational partnership in East Asia

This paper explores the context of email‐based communication in an established but fragile, inter‐organisational partnership, which was often overlain with conflict. Drawing upon adaptation theory, this study explores how participants adapt to the use of email to handle conflict. Extensive data were obtained during a 6‐month field study of a case of cross‐border inter‐organisational collaboration in East Asia. We observed that the individuals involved in the cross‐border partnership used email as a lean form of communication to stop covert conflict from explicitly emerging. In contrast to prior research on the leanness of email in managing conflict, we found that under the described conflict situation the very leanness of email was appreciated and thus, exploited by those concerned to manage the conflict situation. Specifically, we identified 4 key conflict‐triggered adaptation strategies, namely, interaction avoidance, disempowering, blame‐protection, and image‐sheltering that drove the ways in which email was adapted to maintain organisational partnerships under conflict.

Enabling Effective Operational Risk Management in a Financial Institution: An Action Research Study

Abstract Action research (AR) is significant for its promise to bridge the chasm between rigor and relevance by seeking to solve real-world problems while building scientific knowledge. In this spirit, in our research project, we argue for a return to the essence of AR—that is, focusing on problem, action, and reflection. Adopting the style of AR known as dialogical AR, we address the issue of operational risk management as encountered by a financial institution in Taiwan. In this AR project, the researchers work collaboratively with workers in a bank to manage the knowledge creation process as part of an operational risk management program. Through three AR cycles, our findings demonstrate that ongoing knowledge creation facilitates the transformation of existing organizational culture and helps practitioners to identify different types of operational risks. We also highlight the conditions under which insights from reflective dialogues between practitioners and researchers can encourage managers to open themselves to new and different ways of thinking and acting. Finally, we offer principles for undertaking effective dialogical AR.

The Impact of ISO 27001 Certification on Firm Performance

The extensive organizational dependence on information technology (IT), along with worsening impact of information security incidents, has made information security one of the top management concerns. The ISO 27001 standard provides guidance to a sound information security management system (ISMS). However, implementation and accreditation costs can also be considerable. In this study, we explored whether the certification can benefit organizations by signaling the managements attitude toward security management and the appropriateness of ISMS implementation. We investigated firm performance after the ISO 27001 certification with samples from the United States and selected European countries. Different from our expectation, we found no evidence that ISO 27001 certification brought benefits to the certified firm in terms of return-on-assets and stock market performance. We attributed the results to the nature of ISO 27001 that a good information security management would be seen as an obligation, instead of a competitive advantage.