End-User Computing is Bad for Organization

End-User Computing is Bad for Organization

Over recent decades most work organizations have come to depend on information technology for internal operations such as record-keeping, external transactions such as financial transfers, and mediated communications of all types (e.g., email). As connectivity among devices has increased, so has the likelihood of intrusion, theft, defacement, and other forms of loss. Surprisingly, although organizations tend to be more concerned about vulnerability to external threats, recent industry research suggests that a substantial proportion of security incidents originate from inside the organization. Estimates of this proportion vary: a report by Ernst and Young (2002) suggested that more than three-quarters of security breaches resulted from inside activity whereas the most recent Computer Security Institute report indicated that about half of all incidents arose from inside activity (Gordon et al., 2004, p. 4). At the low end, losses from security breaches have been estimated at approximately $20 billion per year (counting U.S. organizations only; Security Wire Digest, 2000). These losses have spurred increased spending on information security specialists and technology: according to a 2002 industry survey by Information Security Magazine, very large organizations spend an average of $6 million per year apiece on information security. Smaller organizations spend on average nearly 20% of their overall information technology budgets on security-related products. A substantial IT sub-industry designs, develops, and markets of security devices such as firewalls.

One organizational constraint that impacts the effectiveness of these technologies, however, lies in the computings of the human agents who access, use, administer, and maintain information resources (e.g., von Solms and von Solms, 2004 and Vroom and von Solms, 2004). Appropriate and constructive computing by end users, system administrators, and others can enhance the effectiveness of information security while inappropriate and destructive computings can substantially inhibit its effectiveness. In the present article we focused on developing a systematic understanding of the range of end user computings that may influence information security effectiveness in organizations. We constructed and tested a taxonomy of information computings and we surveyed employees in a large number of organizations with respect to one of the key end user computings that appeared in the taxonomy, namely password management.

Information security and end user computing: an overview

Much research on information security focuses on algorithms, methods, and standards that support the three basic functions of information security: confidentiality, integrity, and availability. In addition to this basic research in computer science and mathematics, human factors experts have worked to simplify and rationalize the user interfaces of security-related systems. Likewise, management experts have analyzed business risks associated with information systems and have drafted organizational policies to cope with these risks (see, e.g., Dhillon and Backhouse, 2000). We believe that an important additional layer in this assortment of approaches lies between the human-computer interface and management concerns for risk, business processes, and finances. Specifically, several researchers have begun to develop concepts, theory, and research relevant to human computing in organizations and how that computing affects information security. For example, von Solms and his ...