Increasing information security losses, coupled with more closely regulated security risk disclosure, are raising the importance of information security standards for identifying control gaps and for implementing appropriate and effective information security controls. Despite the growing importance and variety of information security standards, and the large amount of resources involved in their adoption, there remains a lack of theoretical development in this area. The objective of this paper is to develop a better understanding of information security controls defined in standards, by analyzing and comparing their control sets. Our analysis of control sets in two prominent information security standards led to the discovery of a new class of controls, generative controls, which was not previously recognized in the information security literature, and also to the proposition of a new classification scheme with simple metrics for analyzing control sets in standards. This discovery serves as a building block for the proposition of a new theory called ‘generative control theory’ (GCT) for information security. This theory, together with its underlying concepts, explains how the presence of generative controls defined in standards allows them to be applicable to a large number of widely differing organizations, and thereby assures the implementation of appropriate and effective information security controls in those organizations. It also explains the implications of the presence of generative controls in standards for practitioners, researchers and compliance auditors. For example, generative controls present a higher risk of creative compliance. Finally, this study provides recommendations regarding the design, implementation and audit of controls as defined in standards.
2020 2nd International Workshop on Artificial Intelligence and Education, 2020
Research on the acceptance of mandatory technologies is rare, and even more so in the education field. The few studies on technology acceptance that paid attention to the habit construct in mandatory use contexts produced confusing findings. The purpose of this research is to shed light on the role of habit in the acceptance of mandatory technologies. A sample of 475 students using a mandatory learning management system for their online courses filled out an online questionnaire. Results showed that relationships between the habit construct and intrinsic value and behavioral intention are both significant and that adding intrinsic value as a mediator between habit and behavioral intention increases the explained variance of behavioral intention significantly. This research contributes to advancing theory on technology acceptance in mandatory use contexts and provides insights for practitioners into how to enhance the acceptance of technologies in mandatory use environments.
Without being exhaustive, this study reviews important theoretical perspectives used by information system (IS) researchers to study the influence of information technology (IT) on organizations and their members in the last five decades. We illustrate these theoretical perspectives by selecting and describing exemplars published in each decade and explain their implications for researchers and practitioners. Our results show that in each of the last five decades, a new theoretical perspective was developed and adopted to extend the previous decade’s rhetoric by getting further away from technological determinism in the sixties and closer to more balanced causal arguments explaining the consequences of IT on organizations and their members. Our analysis suggests important implications such as the need for IS researchers to restore theoretical attention to material IT artifacts in IS research and potential approaches that can be used to achieve this goal.
This contribution to the Ken D. Eason special issue is an illustration of the value of socio-technical analysis applied at an organizational level. We provide a brief historical overview of socio-technical IS research and review studies investigating the impact of IT on organizational structures in the last five decades, identifying a dominating (new) research theme in each decade. A key overall impact of IT in all decades has been a dramatic decrease in transaction costs, making it increasingly easier for organizations to source from external providers. A five-level taxonomy of sourcing arrangements is developed together with a framework of organizational activities, and a number of significant cases are offered of how organizations are sourcing practically all types of business processes, including innovation. We argue that future IT will further accelerate the movement towards more sourcing, eventually leading to a new type of organization that we call the Ambient organization.
Leo Award Invited Paper. We begin with a retrospective reflection on the first author's research career, which in large part is devoted to research about the implications of information technology (IT) for organizational change. Although IT has long been associated with organizational change, our historical review of the treatment of technology in organization theory demonstrates how easily the material aspects of organizations can disappear into the backwaters of theory development. This is an unfortunate result since the material characteristics of IT initiatives distinguish them from other organizational change initiatives. Our aim is to restore materiality to studies of IT impact by tracing the reasons for its disappearance and by offering options in which IT's materiality plays a more central theoretical role. We adopt a socio-technical perspective that differs from a strict sociomaterial perspective insofar as we wish to preserve the ontological distinction between material artifacts and their social context of use. Our analysis proceeds using the concept of "affordance" as a relational concept consistent with the socio-technical perspective. We then propose extensions of organizational routines theory that incorporate material artifacts in the generative system known as routines. These contributions exemplify two of the many challenges inherent in adopting materiality as a new research focus in the study of IT's organizational impacts.
Papers by Benoit Raymond