Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)


This study proposes using an established common body of knowledge (CBK) as one means of organizing information security literature. Consistent with calls for more relevant information systems (IS) research, this industrydeveloped framework can motivate future research towards topics that are important to the security practitioner. In this review, forty-eight articles from ten IS journals from 1995 to 2004 are selected and cross-referenced to the ten domains of the information security CBK. Further, we distinguish articles as empirical research, frameworks, or tutorials. Generally, this study identified a need for additional empirical research in every CBK domain including topics related to legal aspects of information security. Specifically, this study identified a need for additional IS security research relating to applications development, physical security, operations security, and business continuity. The CBK framework is inherently practitioner oriented and using it will promote relevancy by steering IS research towards topics important to practitioners. This is important considering the frequent calls by prominent information systems scholars for more relevant research. Few research frameworks have emerged from the literature that specifically classify the diversity of security threats and range of problems that businesses today face. With the recent surge of interest in security, the need for a comprehensive framework that also promotes relevant research can be of great value.


9/11 Commission. (2004). The 9/11 commission report - final report of the national commission on terrorist attacks upon the united states (Authorized, First ed.). New York: W. W. Norton & Company.

Al-Ayed, A., Furnell, S. M., Zhao, D., & Dowland, P. S. (2005). An automated framework for managing security vulnerabilities. Information Management & Computer Security, 13(2/3), 156-166.

Aljifri, H. A., Pons, A., & Collins, D. (2003). Global e-commerce: A framework for understanding and overcoming the trust barrier. Information Management & Computer Security, 11(2/3), 130-138.

Arnone, M. (2005, May 16). Airport security enters a new phase. Federal Computer Week. Retrieved May 19, 2005, from www.fcw.com/article88687-04-25-05-web

Backhouse, J., & Dhillon, G. (1996). Structures of responsibility and security of information systems. European Journal of Information Systems, 5(1), 2- 9.

Bagchi, K., & Udo, G. (2003). An analysis of the growth of computer and internet security breaches. Communications of the AIS, 12(46), 684-700.

Baskerville, R. L., & Myers, M. D. (2004). Special issue on action research in information systems: Making IS research relevant to practice. Forward. MIS Quarterly, 28(3), 329-335.

Baskerville, R. L., & Portougal, V. (2003). A possibility theory framework for security evaluation in national infrastructure protection. Journal of Database Management, 14(2), 1-13.

Benbasat, I., & Zmud, R. W. (1999). Empirical research in information systems: The practice of relevance. MIS Quarterly, 23(1), 3-16.

Bento, A., & Bento, R. (2004). Empirical test of a hacking model: An exploratory study. Communications of the AIS, 14(32), 678-690.

Boncella, R. J. (2000). Web security for e-commerce. Communications of the AIS, 4(11), 1-42.

Boncella, R. J. (2001). Internet privacy - at home and at work. Communications of the AIS, 7(14), 269-282.

Boncella, R. J. (2002). Wireless security: An overview. Communications of the AIS, 9(15), 269-282. Boncella, R. J. (2004). Web services and web services security. Communications of the AIS, 14(18), 344-363.

Brancheau, J. C., Janz, B. D., & Wetherbe, J. C. (1996). Key issues in information systems management: 1994-95 SIM results. MIS Quarterly, 20(2), 225-242.

Cavusoglu, H., Cavusoglu, H., & Raghunathan, S. (2004). Economics of IT security management: Four improvements to current security practices. Communications of the AIS, 14(3), 65-75.

Cheng, E. C. (2000). An object-oriented organizational model to support dynamic role-based access control in electronic commerce. Decision Support Systems, 29(4), 357-369.

Computer Sciences Corporation. (2005). Information security tops list of CFO concerns. Retrieved June 9, 2005, from http://www.csc.com/newsandevents/news/4042.shtml

Cronin, B., & Crawford, H. (1999). Information warfare: Its applications in military and civilian contexts. Information Society, 15(4), 257-264.

Dawkins, J., Clark, K., Manes, G., & Papa, M. (2005). A framework for unified network security management: Identifying and tracking security threats on converged networks. Journal of Network & Systems Management, 13(3), 253-267.

Dennis, A. R. (2001). Relevance in information systems research. Communications of the AIS, 6(10), 1-6.

Dhillon, G., & Backhouse, J. (2001). Current directions in IS security research: Towards socio-organizational perspectives. Information Systems Journal, 11(2), 127-153.

Eloff, M. N., & von Solms, S. H. (2000). Information security management: A hierarchical framework for various approaches. Computers & Security, 19(3), 243-256.

Farhoomand, A., & McCauley, M. (2001). Tradecard: Building a global trading electronic payment system. Communications of the AIS, 7(18), 1-37.

Fernandes, A. D. (2001). Risking "trust" in a public key infrastructure: Old techniques of managing risk applied to new technology. Decision Support Systems, 31(3), 303-322.

Finne, T. (1998). A conceptual framework for information security management. Computers & Security, 17(4), 303-307.

Friman, H. (2001). A systems view of information warfare. Journal of Information Warfare, 1(1), 25-32.

Gavish, B., & Gerdes, J. H., Jr. (1998). Anonymous mechanisms in group decision support systems communication. Decision Support Systems, 23(4), 297-328.

Gopal, R. D., & Sanders, G. L. (1997). Preventive and deterrent controls for software piracy. Journal of Management Information Systems, 13(4), 29-47.

Gorgone, J. T., Davis, G. B., Valacich, J. S., Topi, H., Feinstein, D. L., & Longenecker, H. E., Jr. (2002). IS 2002 model curriculum and guidelines for undergraduate degree programs in information systems. Communications of the AIS, 11(1), 1-63.

Gupta, A., Stahl, D. O., & Whinston, A., B. (1998). Managing computing resources in intranets: An electronic commerce perspective. Decision Support Systems, 24(1), 55-69.

Gupta, A., Tung, Y. A., & Marsden, J. R. (2004). Digital signature: Use and modification to achieve success in next generation e-business processes. Information & Management, 41(5), 561-575.

Hansche, S., Berti, J., & Hare, C. (2004). Official (ISC)2 guide to the CISSP exam. New York: Auerbach.

Harrington, S. J. (1996). The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions. MIS Quarterly, 20(3), 257-278.

Henderson, S. C., & Snyder, C. A. (1999). Personal information privacy: Implications for MIS managers. Information & Management, 36(4), 213-220.

Hoffer, J. A., & Straub, D. W. (1989). The 9 to 5 underground: Are you policing computer crimes? Sloan Management Review, 35-43.

International Information Systems Security Certification Consortium. (2002). CISSP certification common body of knowledge study guide. Framingham, MA: (ISC)2 .

Internet Systems Consortium. (2005). Internet domain survey. Retrieved May 1, 2005, from www.isc.org

ISO/IEC. (2005). Information technology - code of practice for information security management (No. ISO/IEC 17799:2005): The International Standards Organization/The International Electrotechnical Commission.

Jung, B., Han, I., & Lee, S. (2001). Security threats to internet: A Korean multiindustry investigation. Information & Management, 38(8), 487-498.

Kesh, S., Ramanujan, S., & Nerur, S. (2002). A framework for analyzing ecommerce security. Information Management & Computer Security, 10(4), 149-148.

Khazanchi, D., & Sutton, S. G. (2001). Assurance services for business-tobusiness electronic commerce: A framework and implications. Journal of the Association for Information Systems, 1(11), 1-55.

Kim, J., Lee, J., Han, K., & Lee, M. (2002). Business as buildings: Metrics for the architectural quality of internet businesses. Information Systems Research, 13(3), 239-254.

Klang, M. (2001). Who do you trust? Beyond encryption, secure e-business. Decision Support Systems, 31(3), 293-301.

Knapp, K. J., & Boulton, W. R. (2006). Cyber warfare threatens corporations: Expansion into commercial environments. Information Systems Management, 23(2), 76-87.

Knapp, K. J., Morris, R., Rainer, K. R., Jr., & Byrd, T. A. (2003). Defense mechanisms of biological cells: A framework for network security thinking. Communications of the AIS, 12(47), 701-719.

Koh, C. E., & Watson, H. J. (1998). Data management in executive information systems. Information & Management, 33(6), 301-312.

Kotulic, A. G., & Clark, J. G. (2004). Why there aren't more information security research studies. Information & Management, 41(5), 597-607.

Koufaris, M., & Hampton-Sosa, W. (2004). The development of initial trust in an online company by new customers. Information & Management, 41(3), 377-397.

Kwok, S. H., Cheung, S. C., Wong, K. C., Tsang, K. F., Lui, S. M., & Tam, K. Y. (2002). Integration of digital rights management into the internet open trading protocol. Decision Support Systems, 34(4), 413-425.

Kwok, S. H., Yang, C. C., Tam, K. Y., & Wong, J. S. W. (2004). SDMI-based rights management systems. Decision Support Systems, 38(1), 33-46.

Lee, S., & Han, I. (2000). Fuzzy cognitive map for the design of EDI controls. Information & Management, 37(1), 37-50.

Lee, S. M., Lee, S. G., & Yoo, S. (2004). An integrative model of computer abuse based on social control and general deterrence theories. Information & Management, 41(6), 707-718.

Liao, Z., & Cheung, M. T. (2002). Internet-based e-banking and consumer attitudes: An empirical study. Information & Management, 39(4), 283- 295.

Liu, C., Marchewka, J. T., Lu, J., & Yu, C.-S. (2004). Beyond concern: A privacy-trust-behavioral intention model of electronic commerce. Information & Management, 42(1), 127-142.

Lowry, P. B., Romans, D., & Curtis, A. (2004). Global journal prestige and supporting disciplines: A scientometric study of information systems journals. Journal of the Association for Information Systems, 5(2), 29- 77.

Luftman, J., & McLean, E. R. (2004). Key issues for IT executives. MIS Quarterly Executive, 3(2), 89-104.

Maña, A., Lopez, J., Ortega, J. J., Pimentel, E., & Troya, J. M. (2004). A framework for secure execution of software. International Journal of Information Security, 3(2), 99-112.

Martin, J. (1973). Security, accuracy, and privacy in computer systems. Englewood Cliffs, NJ: Prentice-Hall.

Panko, R. R. (2003). Slammer: The first blitz worm. Communications of the AIS, 11(12), 207-218.

Panko, R. R. (2004). Corporate computer and network security. New Jersey: Prentice Hall.

Parker, D. B. (1981). Computer security management. Reston, Virginia: Reston Publishing Company.

Payne, C. (2002). On the security of open source software. Information Systems Journal, 12(1), 61-78.

Pearson, M. J., Pearson, A., & Shim, J. P. (2005). The relevancy of information systems research: The practitioner's view. Information Resources Management Journal, 18(3), 50-67.

Peffers, K., & Ya, T. (2003). Identifying and evaluating the universe of outlets for information systems research: Ranking the journals. Journal of Information Technology Theory and Application, 5(1), 63-84.

Post, G., & Kagan, A. (2000). Management tradeoffs in anti-virus strategies. Information & Management, 37(1), 13-24.

Posthumus, S., & von Solms, R. (2004). A framework for the governance of information security. Computers & Security, 23(8), 638-646.

Quigley, M. (2004). Information security and ethics: Social and organization issues. Hershey, PA: IRM Press.

Raikow, D. (2004, July 9). Do small devices equal big threat? eWeek. Retrieved May 19, 2005, from www.eweek.com/article2/0,1759,1621784,00.asp

Rees, J., Bandyopadhyay, S., & Spafford, E. H. (2003). PFIRES: A policy framework for information security. Communications of the ACM, 46(7), 101-106.

Rohm, A. W., & Pernul, G. (2000). COPS: A model and infrastructure for secure and fair electronic markets. Decision Support Systems, 29(4), 343-355.

Ryan, S. D., & Bordoloi, B. (1997). Evaluating security threats in mainframe and client/server environments. Information & Management, 32(3), 137-146.

Sampler, J. L. (2000). The internet changes everything (ICE) age. In R. W. Zmud (Ed.), Framing the domains of IT management (pp. 209-220). Cincinnati, Ohio: Pinnaflex Educational Resources, Inc.

Sarathy, R., & Muralidhar, K. (2002). The security of confidential numerical data in databases. Information Systems Research, 13(4), 389-403.

Schou, C. D., & Trimmer, K. J. (2004). Information assurance and security. Journal of Organizational and End User Computing, 16(3), i-vii.

Srivastava, R. P., & Mock, T. J. (2000). Evidential reasoning for webtrust assurance services. Journal of Management Information Systems, 16(3), 11-32.

Stafford, T. F., & Urbaczewski, A. (2004). Spyware: The ghost in the machine. Communications of the AIS, 14(15), 291-306.

Stewart, K. A., & Segars, A. H. (2002). An empirical examination of the concern for information privacy instrument. Information Systems Research, 13(1), 36-49.

Straub, D. W. (1990). Effective IS security: An empirical study. Information Systems Research, 1(3), 255-276.

Straub, D. W., & Goodhue, D. L. (1991). Security concerns of system users. A study of perceptions of the adequacy of security. Information & Management, 20(1), 13-27.

Straub, D. W., & Nance, W. D. (1990). Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly, 14(1), 45-60.

Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4), 441-469.

Sundararajan, A. (2004). Managing digital piracy: Pricing and protection. Information Systems Research, 15(3), 287-308.

Taylor, S. M., & Giannantonio, C. M. (1993). Forming, adapting, and terminating the employment relationship: A review of the literature from individual, organizational, & interactionist perspectives. Journal of Management, 19(2), 461-515.

Thuraisingham, B. (1995). Multilevel security for information retrieval systems. Information & Management, 28(1), 49-61.

Trompeter, C. M., & Eloff, J. H. P. (2001). A framework for the implementation of socio-ethical controls in information security. Computers & Security, 20(5), 384-392.

Varshney, U. (2003). Wireless i: Mobile and wireless information systems: Applications, networks, and research problems. Communications of the AIS, 12(11), 155-166.

Vijayan, J. (2004, June 28). ISO endorses key security certification. Computerworld, 38, 1-2.

Volonino, L., Gessner, G. H., & Kermis, G. F. (2004). Holistic compliance with sarbanes-oxley. Communications of the AIS, 14(11), 219-233.

Webster, J., & Watson, R. T. (2002). Analyzing the past to prepare for the future: Writing a literature review. MIS Quarterly, 26(2), xii-xxiii.

Whitman, M. E., & Mattord, H. J. (2004). Management of information security. Cambridge, MA: Course Technology - Thompson Learning.

Whitworth, B., & Zaic, M. (2003). The WOSP model: Balanced information system design and evaluation. Communications of the AIS, 12(17), 258- 282.

Yemini, Y., Dailianas, A., Florissi, D., & Huberman, G. (2000). Marketnet: Protecting access to information systems through financial market controls. Decision Support Systems, 28(1/2), 205-216.

Zmud, R. (1998). Editor's comments. MIS Quarterly, 22(2), xxxix-xxxii.

Zviran, M., & Haga, W. J. (1999). Password security: An empirical study. Journal of Management Information Systems, 15(4), 161-185.



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.