AdamsJ. (1999), ‘Risk-Benefit Analysis: Who Wants It? Who Needs It?’, Cost-Benefit Analysis Conference, 8–10th October, Yale University.
2.
AivazianC. (1998), ‘Information security during organisational transitions’, Information Strategy: The Executive's Journal, Vol. 14, No. 3, pp. 21–27.
3.
AngellI. O. (1993), ‘Computer security in these uncertain times: the need for a new approach’, Proceedings of The Tenth World Conference on Computer Security, Audit and Control, COMPSEC, London, UK: Elsevier Advanced Technology, pp. 382–388.
4.
ApplegateL. M.AustinR. D. and McFarlanF. W. (2003), Corporate information strategy and management: text and cases, Boston: McGraw-Hill Irwin.
5.
AytesK. and ConnollyT. (2004), ‘Computer Security and Risky Computing Practices: A Rational Choice Perspective’, Journal of Organisational and End User Computing, Vol. 16, No. 3, pp. 22–40.
6.
AytesK. and ConollyT. (2003), ‘A Research Model for Investigating Human Behavior Related to Computer Security’, Americas Conference on Information Systems, Tampa, Florida.
7.
BackhouseJ. and DhillonG. (1996), ‘Structures of responsibility and security of information systems’, European Journal of Information Systems, Vol. 5, No. 1, pp. 2–9.
8.
BaskervilleR. (1991), ‘Risk analysis: An interpretive feasibility tool in justifying information systems security’, European Journal of Information Systems, Vol. 1, No. 2, pp. 121–130.
9.
BeatsonJ. G. (1991), ‘Security-A Personnel Issue: The Importance of Personnel Attitudes and Security Education’, In: DittrichK.RautakiviS. and SaariJ. (eds.) (1990), Proceedings of the Sixth IFIP International Conference on Computer Security and Information Integrity in our Changing World, IFIP/Sec 90, Espoo, Helsinki, Finland, 23rd–25th May, Amsterdam: Elsevier Science Publishers, pp. 29–38,
10.
BelangerF.HillerJ. S. and SmithW. J. (2002), ‘Trustworthiness in Electronic Commerce: The Role of Privacy, Security, and Site Attributes’, Journal of Strategic Information Systems, Vol. 11, pp. 245–270.
11.
BiaM. and KalikaM. (2004), ‘Adopting an ICT code of conduct: an empirical study of organizational factors’, European and Mediterranean Conference on Information Systems, Carthage, Tunisia.
12.
BirchD. G. W. and McEvoyN. A. (1992), ‘Risk analysis for Information Systems’, Journal of Information Technology, Vol. 7, No. 1, pp. 44–53.
13.
BirchallD.EzingeardJ.-N. and McFadzeanE. (2003), Information Security: Setting the Boardroom Agenda, London: GRIST.
14.
BoockholdtJ. L. (1987), ‘Security and Integrity Controls for Microcomputers: A Summary Analysis’, Information and Management, Vol. 13, pp. 33–41.
15.
BoockholdtJ. L. (1989), ‘Implementing Security and Integrity in Micro-Mainframe Networks’, MIS Quarterly, Vol. 13, No. 2, pp. 135–144.
16.
Bowen-SchireM.ReidB.EzingeardJ.-N. and BirchallD. (2004), ‘Identity Management and Power in the Discourse of Information Security Managers’, 6th International Conference on Organizational Discourse, International Centre for Research in Organizational Discourse, Strategy and Change (ICRODSC), Amsterdam.
17.
BrewerJ. and HunterA. (1989), Multimethod research: a synthesis of styles, Newbury Park, Ca: Sage Publications.
18.
CreswellJ. W. M. and DanaL. (2000), ‘Determining Validity in Qualitative Inquiry’, Theory Into Practice, Vol. 39, No. 3, pp. 124–130.
19.
CSI (2005), CSI/FBI Computer Crime and Security Tenth Survey, San Francisco: Computer Security Institute/Federal Bureau of Investigations.
20.
CyertR. M. and MarchJ. G. (1992), A behavioral theory of the firm, Englewood Cliffs, Prentice-Hall.
DenscombeM. (2001), ‘Critical incidents and the perception of health risks: the experiences of young people in relation to their use of alcohol and tobacco’, Health, Risk and Society, Vol. 3, pp. 293–306.
23.
DhillonG. (2004), ‘The challenge of managing information security – Guest Editorial’, International Journal of Information Management, Vol. 24, pp. 3–4.
24.
DhillonG. and BackhouseJ. (2001), ‘Current directions in IS security research: toward socio-organisational perspectives’, Information Systems Journal, Vol. 11, No. 2, pp. 127–153.
25.
DoolinB. (2003), ‘Narratives of change: Discourse, technology and organisation’, Organisation, Vol. 10, No. 4, pp. 751–770.
DuttaA. and McCrohanK. (2002), ‘Management's role in information security in a cyber economy’, California Management Review, Vol. 45, No. 1, pp. 67–87.
EttredgeM. and RichardsonV. J. (2002), ‘Assessing the Risk in E-Commerce’, Proceedings of the 35th Annual Hawaii International Conference on System Sciences, Hawaii, US.
30.
EttredgeM. and RichardsonV. J. (2003), ‘Information Transfer among Internet Firms: The Case of Hacker Attacks’, Journal of Information Systems, Vol. 17, No. 2, pp. 71–82.
31.
EzingeardJ.-N.McFadzeanE. and BirchallD. (2003), ‘Board of Directors and Information Security: A perception grid’, British Academy of Management Conference, Harrogate, UK, Paper 222.
32.
FeenyD. F.EdwardsB. R. and SimpsonK. M. (1992), ‘Understanding the CEO/CIO relationship’, MIS Quarterly, Vol. 16, No. 4, pp. 435–448.
33.
FiggJ. (1999), ‘Survey notes Global Information security trends’, The Internal Auditor, Vol. 56, No. 4, pp. 14–15.
34.
FrankJ.ShamirB. and BriggsW. (1991), ‘Security-Related Behavior of PC Users in Organisations’, Information and Management, Vol. 21, pp. 127–135.
35.
FulfordH. and DohertyN. F. (2003), ‘The application of information security policies in large UK-based organisations: an exploratory investigation’, Information Management and Computer Security, Vol. 11, No. 3, pp. 106–114.
36.
GargA. (2003), ‘What Does an Information Security Breach Really Cost? Evidence and Implications’, Information Strategy: The Executive's Journal, Vol. 19, No. 4, pp. 21–25.
37.
GargA.CurtisJ. and HalperH. (2003), ‘Quantifying the financial impact of IT security breaches’, Information Management and Computer Security, Vol. 11, No. 2/3, pp. 74–83.
38.
GoodhueD. L. and StraubD. W. (1991), ‘Security Concerns of System Users: A Study of Perceptions of the Adequacy of Security’, Information and Management, Vol. 20, No. 1, pp. 13–27.
39.
HamiltonS. (2000), ‘Controlling Risks’, In: Marchand, D. A., Competing with Information: A Manager's Guide to Creating Business Value with Information Content, John Wiley and Sons, pp. 210–228.
40.
HardyC.PalmerI. and PhillipsN. (2002), ‘Discourse as a strategic resource’, Human Relations, Vol. 53, Vol. 9, pp. 1227–48.
41.
HendryC. and PettigrewA. (1992), ‘Patterns of strategic change in the development of human resource management’, British Journal of Management, Vol. 3, No. 3, pp. 137–156.
42.
HiggsD. (2003), Review of the Role and Effectiveness of Non-Executive Directors, London, UK: Department of Trade and Industry.
43.
HirschheimR. and SabherwalR. (2001), ‘Detours in the Path toward Strategic Information Systems Alignment’, California Management Review, Vol. 44, No. 1, pp. 87–108.
44.
HitchingsJ. (1996), ‘A practical solution to the complex human issues of information security design’, In: KatsikasS. K. and GritzalisD. (eds.) Information Systems Security. Facing the information society of the 21st century, London: Chapman and Hall, pp. 3–11
45.
HoffmanD. (2001), ‘Operational Risk Management: A Board-Level Issue’, Bank Accounting and Finance, Vol. 14, Winter, pp. 21–30.
46.
HovavA. and D'ArcyJ. (2003), ‘The Impact of Denial-of-Service Attack Announcements on the Market Value of Firms’, Risk Management and Insurance Review, Vol. 6, No. 2, pp. 97–121.
47.
ISO (2000), ‘ISO/IEC 17799:2000 Code of practice for information security management’, Geneva: ISO, csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf
48.
FoxC. and ZonneveldP. (2003), IT Control Objectives for Sarbanes-Oxley, Rolling Meadows, IL: IT Governance Institute.
JudgeW. Q. and ZeithamlC. P. (1992), ‘Institutional and Strategic Choice Perspectives on Board Involvement in the Strategic Decision Process’, Academy of Management Journal, Vol. 35, pp. 766–794.
51.
KankanhalliA.TeoH.-H.TanB.C.Y. and WeiK.-K. (2003), ‘An integrative study of information systems security effectiveness’, International Journal of Information Management, Vol. 23, No. 2, pp. 139–154.
52.
KotterJ. P. (1996), Leading change, Boston, Mass: Harvard Business School Press.
53.
LiH.HingG.RossM. and StaplesG. (2000), ‘Bs7799: A Suitable Model for Information Security Management’, Americas Conference on Information Systems, Long Beach, California, US.
54.
LochK. D.CarrH. H. and WarkentinM. E. (1992), ‘Threats to Information Systems: Today's Reality, Yesterday's Understanding’, MIS Quarterly, Vol. 16, No. 2, June, pp. 173–186.
55.
LohmeyerD. F.McCroryJ. and PogrebS. (2002), ‘Managing information security’, The McKinsey Quarterly, (Special Edition on Information Security), Vol. 2, pp. 12–15.
56.
MarchJ. G. (1978), ‘Bounded rationality, ambiguity, and the engineering of choice’, The Rand Journal of Economics, Vol. 9, No. 2, pp. 587–608.
57.
MarchJ. G. and ShapiraZ. (1987), ‘Managerial perspectives on risk and risk taking’, Management Science, Vol. 33, No. 11, pp. 1404–1418.
58.
MilesM. B. and HubermanA. M. (1994), Qualitative data analysis: an expanded sourcebook, Thousand Oaks, Calif: Sage.
59.
ParkerX. L. (2001), ‘Understanding Risk’, Internal Auditor, Vol. 58, No. 1, pp. 61–65.
60.
PettigrewA. M. (1990), ‘Longitudinal Field Research On Change: Theory And Practice’, Organization Science: A Journal of the Institute of Management Sciences, Vol. 1, No. 3,pp. 267.
61.
RainerR. K. J.SnyderC. A. and CarrH. H. (1991), ‘Risk Analysis for Information Technology’, Journal of Management Information Systems, Vol. 8, No. 1, pp. 129–147.
62.
ReichB. H. and BenbasatI. (1996), ‘Measuring the Linkage Between Business and Information Technology Objectives’, MIS Quarterly, Vol. 20, No. 1, pp. 55–81.
63.
SiponenM. T. (2001), ‘An Analysis of the Recent IS Security Development Approaches: Descriptive and Prescriptive Implications’, In: Dhillon, G. (ed.), Information Security Management: Global Challenges in the New Millennium, Hershey, PA: Idea Group Publishing.
64.
SiponenM. T. (2005), ‘An analysis of the traditional IS security approaches: implications for research and practice’, European Journal of Information Systems, Vol. 14, No. 3, pp. 303–315.
65.
von SolmsB. (2001), ‘Corporate Governance and Information Security’, Computers and Security, Vol. 20, No. 3, pp. 215–218.
66.
StraubD. W. and WelkeR. J. (1998), ‘Coping with systems risk: Security planning models for management decision making’, MIS Quarterly, Vol. 22, No. 4, pp. 441–469.
67.
VenkatramanN. (1998), ‘IT Agenda 2000: Not Fixing Technical Bugs But Creating Business Value’, European Management Journal, Vol. 16, No. 5, pp. 573–585.
68.
VermeulenC. and von SolmsR. (2002), ‘The information security management toolbox – taking the pain out of security management’, Information Management and Computer Security, Vol. 10, No. 2, pp. 119–125.
69.
WardJ. M. (1988), ‘Information Systems and Technology Application Portfolio Management – an Assessment of Matrix-Based Analyses’, Journal of Information Technology, Vol. 3, No. 3, pp. 205–215.
70.
WarmanA. R. (1992), ‘Organizational computer security policy: the reality’, European Journal of Information Systems, Vol. 1, No. 5, pp. 305–310.
71.
WebbD. and PettigrewA. (1999), ‘The temporal development of strategy: Patterns in the UK insurance industry’, Organization Science, Vol. 10, No. 5, pp. 601–621.
72.
ZviranM. and HagaW. (1999), ‘Password Security: An Empirical Study’, Journal of Management Information Systems, Vol. 15, No. 4, pp. 161–185.