Strategic Information Systems Security: Definition and Theoretical Model

Information systems security has become a critical topic both academically and in industry due to its importance in today’s organizational environment. But while its criticality is undeniable, information systems security continues to be viewed reactively, as a “necessary evil,” or, worse, as a black hole with little or no ROI. Researchers and practitioners alike have generally been reticent to acknowledge the strategic potential of information systems security. This paper provides a first step towards helping managers justify their investments in information systems security by identifying its strategic potential. In doing so, we address three basic questions; why is information systems security important, what is strategic information systems security, and how does the strategic potential of information system security affect firm performance. Dynamic capabilities theory is utilized to propose a theoretical framework for strategic information systems security. We propose that information systems security provides the infrastructure necessary for agility, which in turn impacts firm performance. Specifically, information systems security enables sensing and responding to customer, partner/supplier, and internal organizational opportunities to positively impact firm performance. We also propose that the trust generated by solid security and security policy can enhance relationships with both customers and partners/suppliers.