This Article Full Text (PDF) References Alert me when this article is cited Alert me if a correction is posted Services Email this article to a friend Similar articles in this journal Alert me to new issues of the journal Download to citation manager Citing Articles Citing Articles via Google Scholar Google Scholar Articles by Ransbotham, S. Articles by Mitra, S. Search for Related Content

Choice and Chance: A Conceptual Model of Paths to Information Security Compromise

Carroll School of Management, Boston College, Chestnut Hill, Massachusetts 02467
College of Management, Georgia Institute of Technology, Atlanta, Georgia 30308
sam.ransbotham{at}bc.edu
saby.mitra{at}mgt.gatech.edu

No longer the exclusive domain of technology experts, information security is now a management issue. Through a grounded approach using interviews, observations, and secondary data, we advance a model of the information security compromise process from the perspective of the attacked organization. We distinguish between deliberate and opportunistic paths of compromise through the Internet, labeled choice and chance, and include the role of countermeasures, the Internet presence of the firm, and the attractiveness of the firm for information security compromise. Further, using one year of alert data from intrusion detection devices, we find empirical support for the key contributions of the model. We discuss the implications of the model for the emerging research stream on information security in the information systems literature.

Key Words: information security management; computer crime; information systems risk management
History: This paper was received on May 10, 2006.