Notes

References

[1] O. Adam, A. Hofer, S. Zang, C. Hammer, M. Jerrentrup, and S. Leinenbach,
A collaboration framework for cross-enterprise business process management,
Preproceedings of the First International Conference on Interoperability of
Enterprise Software and Application (Geneva, Switzerland), 23{25 February
2005.

[2] R. Ahlswede, N. Cai, S. Li, and R. Yeung, Network information °ow, IEEE
Transactions on Information Theory 46 (2000), no. 4.

[3] S. Aissi, P. Malu, and K. Srinivasan, E-business process modeling: The next
big step, Computer 35 (2002), no. 5, 55{62.

[4] E. Albrechtsen, A qualitative study of user's view on information security,
Computers & Security 26 (2007), 276{289.

[5] B. Anderson, J. Hansen, P. Lowry, and S. Summers, Model checking for design
and assurance of e-business processes, Decision Support Systems 39 (2005),
333{344.

[6] R. Anderson, Why cryptosystems fail?, Proceedings of the 1st ACM conference
on Computer and Communications Security, ACM, 1993.

[7] , Why information security is hard|an economic perspective, Proceed-
ings of the 17th Annual Computer Security Applications Conference (New
Orleans, Louisiana), 10{14 December 2001.

[8] A. Andreu, Professional Pen Testing for Web Applications, Wiley Publishing,
Inc., 2006.

[9] S. Androutsellis-Theotokis, D. Spinellis, and V. Karakoidas, Performing peer-
to-peer e-business transactions: A requirements analysis and perliminary de-
sign proposal, IADIS, International e-Commerce 2004 Conference, December
2004, pp. 399{404.

[10] R. Anthony, Planning and Control Systems: A Framework for Analysis, Har-
vard University Press, 1965.

[11] L. M. Applegate, E-business handbook, The St. Lucie Press, 2002.

[12] I. Arce, The weakest link revisited, Security & Privacy, IEEE (2003), 72{76.

[13] F. Armknecht, A. Festag, D. Westho®, and K. Zeng, Cross-layer privacy en-
hancement and non-repudiation in vehicular communication, 4th Workshop
on Mobile Ad-Hoc Networks (WMAN) (Bern, Switzerland), March 2007.

[14] D. Avison and G. Fitzgerald, Information Systems Development|
Methodologies, Techniques and Tools, 3rd ed., McGraw-Hill Education (UK).

[15] D. Avison, F. Lau, M. Myers, and P. Nielsen, Action research, Communica-
tions of the ACM 42 (1999), no. 1, 94{97.

[16] Y. Bar-Yam, Unifying principles in complex systems, New England Complex
Systems Institute, 24 Mt. Auburn St., Cambridge, MA 02138, 2003, can be
found at http://www.necsi.edu/projects/yaneer/ComplexSystems.pdf.

[17] A. Barabasi, Linked: The New Science of Networks, Perseus Books,U.S., 2003.

[18] A. Barrat, M. Barthelemy, R. Pastor-Satorras, and A. Vespignani, The archi-
tecture of complex weighted networks, Proceedings of the National Academy
of Sciences, USA, vol. 101, 2004, pp. 3747{3752.

[19] R. Baskerville, Information systems security design methods: implications for
information systems development, ACM Computing Surveys 25 (1993), no. 4,
375{414.

[20] , Investigating information systems with action research, Communica-
tions of the AIS 2 (1999).

[21] R. Baskerville and M. Myers, Special issue on action research in information
systems: Making IS research relevant to practice (foreword), MIS Quarterly
28 (2004), no. 3, 329{335.

[22] I. Benbasat and R. Zmud, Empirical research in information systems: The
practice of relevance, MIS Quarterly 23 (1999)), no. 1, 3{16.

[23] S. Bennett, S. McRobb, and R. Farmer, Object-Oriented Systems Analysis
and Design, 2nd ed., McGraw-Hill, 2002.

[24] S. Bernard, Information lifecycle security risk assessment: A tool for closing
security gaps, Computers & Security 26 (2007), 26{30.

[25] M. Bishop, Introduction to Computer Security, Addison-Wesley, 2005.

[26] S. Boccaletti, V. Latora, Y. Moreno, M. Chavez, and D.-U. Hwang, Complex
networks: Structure and dynamics, Physics Reports 424 (2006), 175{308.

[27] P. Bocij, D. Cha®ey, A. Greasley, and S. Hickie, Business Information Sys-
tems, 2nd ed., Finanacial Times, Prentice Hall. An imprint of Pearson Edu-
cation, 2003.

[28] L. Bodin, L. Gordon, and M. Loeb, Evaluating information security invest-
ments using the analytic hierarchy process, Communivations of the ACM 48
(2005), no. 2, 78{83.

[29] W. Boni and G. Kovacich, Netspionage - The Global Threat to Information,
Butterworth-Heinemann, 2000.

[30] A. Bossi, R. Focardi, D. Macedonio, C. Piazza, and S. Rossi, Unwinding in
information °ow security, Electronic Notes in Theoretical Computer Science
(2004), 127{154.

[31] D. Bradbury, Saving private Ryan|but losing the war?, Infosecurity Today 1
(2004), no. 2, 36{38.

[32] , Why we love to hate our telcos, Infosecurity Today 1 (2004), no. 6,
18{20.

[33] R. Bragg, M. Phodes-Ousley, and K. Strassberg, Network Security: The Com-
plete Reference, McGraw-Hill/Osborne, 2004.
324

[34] R. Breu, K. Burger, M. Hafner, and G. Popp, Towards a systematic develop-
ment of secure systems, Information Systems Security 13 (2004), 5{13.

[35] BSI British Standard Institute, http://www.bsi-global.com/.

[36] E. Brynjolfsson, The IT productivity gap, Optimize (2003), no. 22.

[37] E. Brynjolfsson and L. Hitt, Productivity, business pro¯tability, and consumer
surplus: Three di®erent measuress of information technology value, MIS Quar-
terly 20 (1996), no. 2.

[38] C. Burney, Information Security Management Handbook, 5th ed., ch. Roles
and Responsibilities of the Information Ssystems Security O±cer, pp. 865{
870, Auerbach, 2004.

[39] K. Buszta, Information Security Management Handbook, 5th ed., ch. Security
Management, pp. 677{684, Auerbach, 2004.

[40] J.A. Byrne, The futurist who fathered the ideas, Business Week (1993).

[41] A. Calaprice, The New Quotable Einstein, Prinston University Press, 2005,
Collected and edited by Alice Calaprice.

[42] N. Carr, IT does not matter, Harvard Business Review, May 2003.

[43] , Does IT Matter? Information Technology and the Corrosion of Com-
petitive Advantage, Harvard Business School Press, 2004.

[44] E. Casey, Case study: Network intrusion investigation|lessons in forensic
preparation, Digital Investigation (2005), no. 4, 254{260.

[45] D. Cecez-Kecmanovic, Doing critical IS research: The question of methodol-
ogy, Qualitative research in IS: issues and trends (2001), 141{162.

[46] D. Cha®ey, E-Business and E-Commerce Management, Prentice Hall, Finan-
cial Times, 2002.

[47] G. Chakrabarti, A. Manimaran, Internet infrastructure security: A taxonomy,
Network, IEEE 16 (2002), no. 6, 13{21.
325

[48] L. Chao, Autonomic computing, Intel Technology Journal 10 (2006), no. 4.

[49] W. Chen and R. Hirschheim, A paradigmatic and methodological examina-
tion of Information Systems research from 1991 to 2001, Information Systems
Journal 14 (2004), no. 3, 197{235.

[50] J. Chirillo and E. Danielyan, SUN certi¯ed security administrator for Solaris
9 & 10 study guide, 1 edition ed., McGraw-Hill Osborne Media, 2005.

[51] M. Christofer, Supply chains: A marketing perspective, Understanding Supply
Chains (S. New and R. Westbrook, eds.), Oxford University Press, 2004.

[52] C. Chua, D. Straub, H. Khoo, S. Kadiyala, and D. Kuechler, The evolution of
e-commerce research: A stakeholder perspective, Journal of Electronic Com-
merce Research 6 (2005), no. 4.

[53] D. Clark, S. Hunt, and P. Malacaria, A static analysis for quantifying infor-
mation °ow in a simple imperative language, Journal of Computer Security
15 (2007), no. 3, 321{371.

[54] I. Cox, M. Miller, J. Bloom, J. Fridrich, and T. Kalker, Digital Waremarking
and Steganography, 2nd ed., Morgan Kau®mann publishers. Elsevier, 2008.

[55] S. Crafa, M. Bugliesi, and G. Castagna, Information °ow security in boxed
ambients, Electronic Notes in Theoretical Computer Science 66 (2004), no. 3.

[56] M. Cronin, Unchained value: The new logic of digital business, HBSWK Pub-
lications (2000).

[57] B. Dahlbom, Postface: From infrastructure to networking, From Control to
Drift|The Dynamics of Corporate Information Infrastructures (C. Ciborra
and associates., eds.), Oxford University Press, 2001.

[58] T. Davenport and M. Markus, Rigor vs. relevance revisited: Response to Ben-
basat and Zmud, MIS Quarterly 23 (1999)), no. 1, 19{23.
326

[59] B. De Win, J. Van den Bergh, F. Matthijs, B. De Decker, and W. Joosen, A
security architecture for electronic commerce applications, SEC, 2000, pp. 491{
500.

[60] W. Delone and E. McLean, Information systems success: The quest for the
dependent variable, Information Systems Research 3 (1992), no. 1, 60{95.

[61] , The Delone and McLean model of information systems success: A
ten-year update, Journal of Management Information Systems 19 (2003), no. 4,
9{30.

[62] D. Denning, Information Warfare and Security, 12th printing ed., Addison-
Wesley, February 2006.

[63] D. Denning and P. Denning, Data security, ACM Computing Surveys 11
(1979), no. 3, 227{249.

[64] D.E. Denning, A lattice model of secure information °ow, Communications of
the ACM 19 (1976), no. 5, 236 { 243.

[65] A. Dent and C. Mitchell, User's guide to cryptography and standards, Artech
House, 2005.

[66] J. Dhillon and G. Torkzadeh, Value-focused assessment of information system
security in organizations, Information Systems Journal 16 (2006), no. 3, 293{

[67] I. Djordjevic, T. Dimitrakos, N. Romano, D. Mac Randal, and P. Ritrovato,
Dynamic security perimeters for inter-enterprise service integration, Future
Generation Computer Systems 23 (2007), no. 4, 633{657.

[68] N. Doherty and H. Fulford, Aligning the information security policy with the
strategic information systems plan, Computers & Security 25 (2006), no. 1,
55{63.

[69] D. Dzung, M. Naedele, T. von Ho®, and M. Crevatin, Security for indus-
trial communication systems, Proceedings of the IEEE, vol. 93, June 2005,
pp. 1152{1177.

[70] J. Fenton and J. Wolfe, Information Security Management Handbook, 5th ed.,
ch. Organising for Success: Some Human Resources Issues in InformationSe-
curity, pp. 887{898, Auerbach, 2004.

[71] K. Ferraiolo, J. Williams, and D. Landoll, Capability Maturity Model for Se-
curity Engineering, Proceedings of the Sixth Annual Canadian Computer Se-
curity Symposium, 1994.

[72] R. Focardi, R. Gorrieri, and F. Martinelli, Information °ow analysis in
a discrete-time process algebra, 13th IEEE Computer Security Foundations
Workshop (CSFW'00), 2000.

[73] R. Focardi and S. Rossi, Information fow security in dynamic contexts, Journal
of Computer Security 14 (2006), no. 1, 65{110.

[74] K. Forbus, Qualitative process theory, Arti¯cial Intelligence 24 (1984), 85{168.

[75] W. Ford and M. Baum, Secure Electronic Commerce: Building the Infrastruc-
ture for Digital Signatures and Encryption, Prentice-Hall, Inc., Upper Saddle
River, NJ, USA, 1997.

[76] K. Friedman, Theory construction in design research: Criteria, approaches
and methods, Design Studies 24 (2003).

[77] A. Fuchsberger, Intrusion detection systems and intrusion prevention systems,
Information Security Technical Report 10 (2005), no. 3, 134{139.

[78] S. Furnell, Cybercrime: Vandalizing the information society, ICWE 2003,
LNCS 2722 (J.M. Cueva Lovelle et al., ed.), Springer-Verlag Berlin Heidel-
berg, 2003, pp. 8{16.

[79] , Computer Insecurity, Springer-Verlag, London, 2005.
328

[80] , Why users cannot use security, Computers & Security 24 (2005),
274{279.

[81] , Making security usable, Computers & Security 26 (2007), 434{443.

[82] S. Furnell, P. Bryant, and A. Phippen, Assessing the security perceptions of
personal internet users, Computers & Security 26 (2007), 410{417.

[83] S. Furnell, A. Jusoh, and D. Katsabas, The challenges of understanding and
using security: A survey of end-users, Computers & Security 25 (2006), 27{
35.

[84] B. Gehling and D. Stankard, eCommerce security, InfoSecCD '05: Proceedings
of the 2nd annual conference on Information security curriculum development
(New York, NY, USA), ACM Press, September 2005, pp. 32{37.

[85] M. Gerber and R. von Solms, Management of risk in the information age,
Computers & Security 24 (2005), 16{30.

[86] P. Gloor, Making the e-Business Transformation, Springer-Verlag, London,
2000.

[87] S. Goel and V. Chen, Information security risk analysis|a matrix-based ap-
proach, Proceedings of the Information Resource Management Association
(IRMA) International Conference (Hershey, PA), Information Resources Man-
agement Association, May 2005.

[88] D. Gollman, E-commerce security, Computing & Control Engineering Journal
(2000).

[89] , Computer Security, John Wiley & Sons, 2003.

[90] S. Gregor, A theory of theories in Information Systems, Information Systems
Foundations: Building the Theoretical Base (S. Gregor and D. Hart, eds.),
Australian National University, Canberra, 2002.

[91] , The nature of theory in Information Systems, MIS quarterly 3 (2006).

[92] S. Gregor and D. Jones, The formulation of design theories for information
systems, Constructing the infrastructure for the knowledge economy: Methods
and tools, theory and practice (Linger et al., ed.), 2004.

[93] J. Grossman, Seven business logic °aws that put your website at risk,
online WhiteHat Security Whitepaper, October 2007, can be found at

http://www.whitehatsec.com/home/assets/WP bizlogic092407.pdf.
[94] E. Gummesson, Qualitative Methods in Management Research, 2nd ed., Sage
Publications, Inc., 2000.

[95] C. Gutierrez, E. Fernandez-Medina, and M. Piattini, Towards a process for
web services security, Journal of Research and Practicein Information Tech-
nology 38 (2006), no. 1, 57{67.

[96] J. Guttman, A. Herzog, J. Ramsdell, and C. Skorupka, Verifying informa-
tion °ow goals in security-enhanced Linux, Journal of Computer Security 13
(2005), no. 1, 115{134.

[97] C. Haley, J. Mo®ett, R. Laney, and B. Nuseibeh, A framework for security
requirements engineering, SESS'06, ACM, May 2006, pp. 35{41.

[98] S. Harris, CISSP All-In-One Exam Guide, second ed., McGraw-Hill/Osborne
Media, 2003.

[99] M. Hauswirth, M. Jazayeri, and M. Schneider, A phase model for e-commerce
business models and its application to security assessment, Proceedings of the
34th Hawaii International Conference on System Sciences, 2001.

[100] Z. Hayat, J. Reeve, and C. Boutle, Ubiquitous security for ubiquitous comput-
ing, Information Security Technical Report 12 (2007).

[101] M. Henning, The rise and fall of CORBA, Queue 4 (2006), no. 5, 28{34.

[102] R. Herold, Information Security Management Handbook, 5th ed., ch. Informa-
tion Protection: Organisation, Roles, and Separation of Duties, pp. 871{886,
Auerbach, 2004.

[103] G. Herrmann and G. Pernul, Viewing business-process security from di®erent
perspectives, International Journal of Electronic Commerce 3 (1999), no. 3,
89{103.

[104] A. Hevner, S. March, J. Park, and S. Ram, Design science in information
systems research, MIS Quarterly 28 (2004), no. 1, 75{106.

[105] R. Hirschheim and H. Klein, Four paradigms of information systems develop-
ment, Communications of the ACM 32 (1989), no. 10, 1199 { 1216.

[106] A. Holiday, Doing and Writing Qualitative Research, Sage publications, 2002.

[107] D. Hsiao, S. Madnick, and D. Kerr, Computer Security, Academic Press, Inc.
Orlando, FL, USA, 1979.

[108] V. Igure and R. Williams, Taxonomies of attacks and vulnerabilities in com-
puter systems, IEEE Communications Surveys & Tutorials. The Electronic
Magazine of Original Peer-Reviewed Survey Articles 10 (2008), 6{19.

[109] ISO International Standards Insistute, www.iso.org.

[110] Internet Society (ISOC), A brief history of the Internet, can be found online
at http://research.microsoft.com/users/padmanab/CSE561/papers/internet-
history.htm.

[111] A. Jaquith, The security of applications: Not all are created equal, Research
report, at Stake, 2002, can be found at: www.netsourceasia.net.

[112] N. Jarvis, E-commerce and encryption: Barriers to growth, Computers &
Security 18 (1999), no. 5, 429{431.

[113] X. Jiang, J. Hong, and J. Landay, Approximate information °ows: Socially-
based modeling of privacy in ubiquitous computing, Lecture Notes in Computer
Science, UbiComp 2002: Ubiquitous Computing : 4th International Confer-
ence, Gteborg, Sweden, Springer Berlin / Heidelberg, 2002.

[114] R. Johnson and A. Onwuegbuzie, Mixed methods research: A research para-
digm whose time has come, Educational Researcher 33 (2004), no. 7, 14{26.
331

[115] P. Jones, P. Beynon-Davies, and E. Muir, E-business barriers to growth within
the SME sector, Journal of Systems & Information Technology 7 (2003), no. 1{
2, 1{26.

[116] S. Jones, M. Wilikens, P. Morris, and M. Nasera, Trust requirements in e-
business, Communications of the ACM 43 (2000)), no. 12, 81{87.

[117] J. Joshi, W. Aref, A. Ghafoor, and E. Spa®ord, Security models for web-based
applications, Communications of the ACM 44 (2001), no. 2, 38{44.

[118] P. Jungck and S. Shim, Issues in high speed Internet security, Computer 37
(2004), no. 7, 36{42.

[119] S. Katsikas, J. Lopez, and G. Pernul, Trust, privacy and security in e-business:
Requirements and solutions, Lecture Notes in Computer Science 3746 (2005),
548{558.

[120] R. Kau®man and C. Wood, Revolutionary research strategies for e-business:
A philosophy of science view in the age of the Internet, Economics, Infor-
mation Systems, and Electronic Commerce Research: Advanced Empirical
Methodologies (R. J. Kau®man and P. A. Tallon (Eds.), eds.), Advances in
Management Information Systems Series, M. E. Sharpe, Armonk, NY, 2007.

[121] H. Klein and M. Myers, A set of principles for conducting and evaluating
interpretive ¯eld studies in Information Systems, MIS Quarterly 23 (1999),
no. 1, 67{94.

[122] M. Klein, H. Sayama, P. Faratin, and Y. Bar-Yam, A complex systems perspec-
tive on computer-supported collaborative design technology, Communications
of the ACM 45 (2002), no. 11, 27{31.

[123] K. Knorr and S. Rohrig, Security requirements of e-business processes, To-
wards the E-Society: First IFIP Conference on E-Commerce, E-Business,
and E-Government; Zurich, Switzerland, Oct. 4-5, 2001 (B. Schmid,
K. Stanoevska-Slabeva, and V. Tschammer, eds.), Kluwer Academic Pub-
lishers, Norwell, MA, 2001, pp. 73{86.

[124] N. Komninos, D. Vergados, and C. Douligeris, Authentication in a layered se-
curity approach for mobile ad hoc networks, Computers & Security 26 (2007),
373{380.

[125] I. Koskosas and R. Paul, A socio-organisational approach to Information Sys-
tems security risks, International Journal of Risk Assessment and Management
(IJRAM) 4 (2003), no. 2/3.

[126] B. Ksiezopolski and Z. Kotulski, Adaptable security mechanisms for dynamic
environments, Computers & Security 26 (2007), no. 3, 246{255.

[127] M. Kutter and F. Hartung, Introduction to Watermarking Techniques, In-
formation hiding techniques for steganography and digital watermarking
(S. Katzenbeisser and F. Petitcolas, eds.), 2000.

[128] S. Kwok, C. Yang, and K. Tam, Intellectual property protection for electronic
commerce applications, Journal of Electronic Commerce Research 5 (2004),
no. 1.

[129] D. Lacey, Inventing the future|the vision of the Jericho Forum, Information
Security Technical Report 10 (2005), 186{188.

[130] Y. Lai, A. Motter, T. Nishikawa, K. Park, and L. Zhao, Complex networks:
Dynamics and security, Pramana 64 (2005), no. 4, 483{502.

[131] C. Landwehr, Formal methods for computer security, Computing Surveys 13
(1981), no. 3.

[132] , Computer security, IJIS, Springer-Verlag (2001), Published online 27
July 2001.

[133] K. Laudon and J. Laudon, Information Systems and the Internet, 4th ed.,
Dryden Press, 1998.

[134] B. Leiner, V. Cerf, D. Clark, R. Kahn, L. Kleinrock, D. Lynch, J. Postel,
L. Roberts, and S. Wol®, The past and future history of the Internet, Com-
munications of the ACM 40 (1997), no. 2, 102{108.

[135] M. Lejk and D. Deeks, Systems Analysis Techniques, 2nd ed., Addisson-
Wesley,Pearson Education Limited, 2002.

[136] F. Leymann, D. Roller, and M.-T. Schmidt, Web services and business process
management, IBM Systems Journal 41 (2002), no. 2, 1015{1019.

[137] I. Lim and I. Carastan, Information Security Management Handbook, 5th
ed., ch. System DevelopmentSecurity Methodology, pp. 1221{1234, Auerbach,
2004.

[138] A. Lindsay, D. Downs, and K. Lunn, Business processes|attempts to ¯nd a
de¯nition, Information and Software Technology (45) (2003), 1015{1019.

[139] A. Liska, The Practice of Network Security|Deployment Strategies for Pro-
duction Environment, Prentice Hall PTR, Pearson Education Inc., 2003.

[140] M. Lissack, Complexity: The science, its vocabulary and its relation to organ-
isations, Emergence - A Journal of Complexity Issues in Organisations and
Management 1 (1999), no. 1, 110{126.

[141] R. Lister, Mixed methods: Positivists are from Mars, constructuvusts are from
Venus, Inroads|The SIGCSE Bulletin 37 (2005), no. 4, 18{19.

[142] Q. Liu, R. Safavi-Naini, and N. Sheppard, Digital rights management for con-
tent distribution, ACSW Frontiers '03: Proceedings of the Australasian infor-
mation security workshop conference on ACSW frontiers 2003 (Darlinghurst,
Australia, Australia), Australian Computer Society, Inc., 2003, pp. 49{58.

[143] J. Lockwood, D. Moscola, J. Reddick, M. Kulig, and T. Brooks, Application
of hardware accelerated extensible network nodes for Internet worm and virus
protection, Active Networks, Lecture Notes in Computer Science, Springer
(2004), 44{57.

[144] H. Lucas, Information Systems Concepts for Management, 2nd, international
students edition ed., McGraw-Hill, 1984.

[145] V. Luoma, Computer forensics and electronic discovery: The new management
challenge, Computers & Security 25 (2006), 91{96.

[146] K. Lyytinen, Empirical research in Information Systems: On the relevance of
practice in thinkingof is research, MIS Quarterly 23 (1999)), no. 1, 25{28.

[147] J. Mahoney and J. Pandian, The resource-based view within the conversation
of strategic management, Strategic Management Journal 13 (1992), 363{380.

[148] L. May and T. Lane, A model for improving e-security in Australian univer-
sities, Journal of Theoretical and Applied Electronic Commerce Research 1
(2006), no. 2, 90{96.

[149] C. Mayers, Access infrastructure|Perimeter Security rethought, Information
Security Bulletin 9 (2004), 371{378.

[150] J. McCumber, Assessing and Managing Security Risk in IT Systems, Auer-
bach Publications, 2005.

[151] P. McDaniel and A. Rubin, Web security (editorial), Computer Networks 48
(2005), no. 5, 697{699.

[152] J. McLean, Security models and information °ow, Research in Security and
Privacy. IEEE, 1990.

[153] N. Mead and T. Stehney, Security Quality Requirements Engineering
(SQUARE) methodology, SESS '05: Proceedings of the 2005 workshop on Soft-
ware engineering for secure systems-building trustworthy applications (New
York, NY, USA), ACM Press, 2005, pp. 1{7.

[154] N. Melville, K. Kraemer, and V. Gurbaxani, Information technology and
organisational performance: An integrative model of it business value, MIS
Quarterly 28 (2004)), no. 2.

[155] N. Memon and P. Wong, Protecting digital media content, Communications
of the ACM 41 (1998), no. 7, 35{43.

[156] S. Mercado, R. Welford, and K. Prescot, European Business, 4th ed., Prentice
Hall, Financial Times, 2001.

[157] M. Mitchell, Complex systems: Network thinking, Arti¯cial Intelligence. Spe-
cial Review Issue 170 (2006), 1194{1212.

[158] J. Mo®ett, C. Halley, and B. Nuseibeh, Core security requirements artefacts,
ISSN 1744-1986 2004/23, Departmenet of Computing, Faculty of Mathematics
and Computing, The Open University, Walton Hall, Milton Keynes, MK7
6AA, UK, 2004.

[159] A. Moser, C. Kruegel, and E. Kirda, Exploring multiple execution paths for
malware analysis, IEEE Symposium on IEEE Symposium on Security and
Privacy (SP '07) (2007), 231{245.

[160] H. Mouratidis, Secure Information Systems engineering: A manifesto, Inter-
national Journal on Electronic Security and DIgital Forensics 1 (2007), no. 1,
27{41.

[161] H. Mouratidis, P. Giorgini, and G. Manson, Integrating security and systems
engineering: Towards the modelling of secure Information Systems, CAiSE,
LNCS 2681, 2003, pp. 63{78.

[162] T. Mowbray and R. Zahavi, The essential CORBA: System integration using
distributed objects, John Wiley and Object Management Group., 1995.

[163] M. zur Muehlen and M. Rosemann, Multi-paradigm process management, Pro-
ceedings of CAiSE'04 Workshops - 5th Workshop on Business Process Mod-
eling, Development and Support (BPMDS 2004) (Riga, Latvia), 2004.

[164] M. Myers, Qualitative research in Information Systems, MIS Quarterly 21
(1997 (updated 2002)), no. 2, 241{242.

[165] , Investigating Information Systems with ethnographic research, Com-
munications of the Association for Information Systems 2 (1999).

[166] F. Nabi, Secure business application logic for e-commerce systems, Computers
& Security 24 (2005), no. 3, 208{217.

[167] A. Narayanan and V. Shmatikov, How to break anonymity of the Net°ix
prize dataset, The University of Texas at Austin (2007), can be found at
http://www.cs.utexas.edu/~shmat/shmat net°ix-prelim.pdf.

[168] NCSL, National Conference of State Legislatures
can be found at http://www.ncsl.org/programs/lis/cip/cyberterrorism.htm.

[169] S. New, Supply chains: Construction and legitimation, Understanding Supply
Chains (S. New and R. Westbrook, eds.), Oxford University Press, 2004.

[170] E. Ngai and F. Wat, A literature review and classi¯cation of electronic com-
merce research, Information & Management 39 (2002), 415{429.

[171] NSTISSI, No. 4009, Tech. report, National Information Systems Security (IN-
FOSEC) Glossary, 1999.

[172] J. O'Connor and I. McDermot, The Art of Systems Thinking| essential skills
for creativity and problem solving, Thorsons, 1997.

[173] W. Orlikowski, The duality of technology: Rethinking the concept of technology
in organisations, Organisation Science 3 (1992), no. 3, 398{427, Focused Issue:
Management of Technology.

[174] W. Orlikowski and J. Baroudi, Studying information technology in organiza-
tions: Research approaches and assumptions, Information Systems Research
2 (1991), 1{28.

[175] M. Osborne, How to cheat at Managing Information Security, Syngress Pub-
lishing, Inc., 2006.

[176] A. Osterwalder and Y. Pigneur, An e-business model ontology for modeling e-
business, 15th Bled Electronic Commerce Conference e-Reality: Constructing
the e-Economy, June 2002, pp. 73{86.

[177] S. Pahnila, M. Siponen, and A. Mahmood, Employees' behavior towards IS
security policy compliance, Proceedings of the 40th Hawaii International Con-
ference on System Sciences (2007).

[178] G. Palmer, De-perimeterisation: Bene¯ts and limitations, Information Secu-
rity Technical Report 10 (2005), 189{203.

[179] P. Palvia, E. Mao, A. Salam, and K. Soliman, Management Information Sys-
tems research: Whats there in a methodology?, Communications of the AIS
11 (2003), no. 16.

[180] T. Parker, A Secure European System for Applications in a Multi-vendor En-
vironment (the SESAME project), (1993), 139{156.

[181] A. Pateli and G. Giaglis, A framework for undestanding and analysing
e-business models, 16th Bled Electronic Commerce Conference|
eTransformation (CD-ROM Proceedings), 2003.

[182] R. Paula, X. Ding, P. Dourish, K. Nies, B. Pillet, D. Redmiles, J. Ren, J. Rode,
and R. Filho, In the eye of the beholder: A visualization-based approach to In-
formation System security, International Journal of Human-Computer Studies
63 (2005), no. 2, 5{24.

[183] T. Peltier, Information Security Policies and Procedures. A Practitioner's Ref-
erence, 2nd edition ed., Auerbach publications, 2004.

[184] T. Peltier, J. Peltier, and J. Blackley, Information Security Fundamentals,
Auerbach Publications, CRC Press LLC, 2005.

[185] E. Penrose, Limits to the growth and size of ¯rms, The American Economic
Review. Papers and Proceedings of the Sixty-seventh Annual Meeting of the
American Economic Association 45 (1955), 531543.

[186] S. Petter and M. Gallivan, Toward a framework for classifying and guiding
mixed method research in Information Systems, Proceedings of the 37th In-
ternational Conference on System Sciences - IEEE, 2004.

[187] C. Poirier and M. Bauer, E-Supply Chain, Berrett-Koehler Publishers, Inc.,
2001.

[188] A. Pons and H. Aljifri, An active watermarking system, IACIS, Issues in In-
formation Systems (2002).

[189] , Data protection using watermarking in e-business, Journal of Data-
base Management 14 (2005), no. 4.

[190] M. Porter, Competitive advantage. creating and sustaining superior perfor-
mance, Free Press, 1998.

[191] , Strategy and the Internet, Harvard Business Review (2001).

[192] M. Porter and V. Millar, How information gives you a competitive advantage,
Harvard Business Review 63 (1985), 149{161.

[193] F. Pottier and V. Simonet, Information °ow inference for ML, ACM Trans-
actions on Programming Languages and Systems 25 (2003), no. 1, 117{158.

[194] M. Preda, M. Christodorescu, S. Jha, and S. Debray, A semantics-based ap-
proach to malware detection, POPL '07: Proceedings of the 34th annual
ACM SIGPLAN-SIGACT symposium on Principles of programming lan-
guages (New York, NY, USA), ACM, 2007, pp. 377{388.

[195] J. Rees, S. Bandyopadhyay, and E. Spa®ord, PFIRES: A Policy Framework
for Information Security, Communications of the ACM 46 (2003), no. 7, 101{
106.

[196] M. Reith, C. Carr, and G. Gunsch, An examination of digital forensic models,
International Journal of Digital Evidence 1 (Fall 2002), no. 3.

[197] A. Rudolf and R. Pirker, E-business testing: User perceptions and performance
issues, APAQS '00: Proceedings of the The First Asia-Paci¯c Conference
on Quality Software (APAQS'00) (Washington, DC, USA), IEEE Computer
Society, 2000, p. 315.

[198] J. Rust, Corporate management of computer forensic evidence, InfoSecCD '06:
Proceedings of the 3rd annual conference on Information security curriculum
development, 22{23 September 2006, pp. 175{178.

[199] A. Sabelfeld and A. Myers, Language-based information-°ow security, IEEE
Journal on Selected Areas in Communications 21 (2003), no. 1, 5{19.

[200] R. Sandhu, Good enough security|toward a pragmatic business-driven disci-
pline, IEEE Internet Computing (2003).

[201] SANS Institute, http://www.sans.org/.

[202] M. Saunders, P. Lewis, and A. Thornhill, Research methods for business stu-
dents, 2nd ed., Prentice Hall, 2000.

[203] R. Schifreen, Defeating the Hacker, John Wiley & Sons Ltd, 2006.

[204] B. Schneier, Applied Cryptography, John Wiley & Sons, 1996.

[205] , Secrets and Lies, Wiley Publishing, Inc., 2004.

[206] G. Schryen, The impact that placing email addresses on the Internet has on
the receipt of spam: An empirical analysis, Computers & Security 26 (2007),
361{372.

[207] M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Buschmann, and
P. Sommerlad, Security Patterns - Integrating Security and Systems Engi-
neering, John Willey & Sons, 2006.

[208] SearchSecurity.com, De¯nitions.
http://searchsecurity.techtarget.com/sDe¯nition/0,,sid14 gci771061,00.html.

[209] J. Sherwood, A. Clark, and D. Lynas, Enterprise Security Architecture: A
Business-Driven Approach, CMP Books, 2005.

[210] P. Simmonds, Users ¯ght back by breaking the boundaries, Network Security
(2005), no. 6, 4{6.

[211] J. Sinclaire, Current research in information security and privacy, Proceedings
of the 2005 Southern Association of Information Systems Conference, 2005.

[212] M. Siponen, An analysis of the traditional IS security approaches: implications
for research and practice, European Journal of Information Systems 14 (2005),
303{315.

[213] , Information security standards focus on the existence of process, not
its content, Communications of the ACM 49 (2006), no. 8, 97{100.

[214] , Secure-System design methods: Evolution and future directions, IT
Professional, IEEE 8 (2006), no. 3, 40{44.

[215] M. Siponen and H. Oinas-Kukkonen, A review of information security issues
and respective research contributions, ACM SIGMIS 38 (2007), no. 1, 60{80.

[216] R. Slade, Dictionary of Information Security, Syngress, 2006.

[217] J. Sluiter, Services Oriented Architecture security and deperimeterisation, In-
formation Security Bulletin 11 (2006), no. 1, 65{72.

[218] H. Smith and P. Fingar, Business Process Management: The Third Wave,
Meghen-Ki®er Press, 2003.

[219] S. Smith, R. Jamieson, and D. Winchester, An action research program to
improve Information Systems security compliance across government agencies,
Proceedings of the 40th Hawaii International Conference on System Sciences,
IEEE, 2007.

[220] B. von Solms and R. von Solms, The 10 deadly sins of information security
management, Computers & Security 23 (2004), 371{376.

[221] R. von Solms and S.(Basie) von Solms, Information security governance: Due
care, Computers & Security 25 (2006), 494{497.

[222] R. Stanton, Inside out security: De-perimeterisation, Network Security 2005
(2005), no. 4, 4{6.

[223] P. Stephenson, Ensuring consistent security implementation within a distrib-
uted and federated environment, Computer Fraud & Security 2006 (2006),
12{14.

[224] J. Sterman, Learning in and about complex systems, System Dynamics Review
10 (1994), no. 2{3, 291{330.

[225] G. Stoneburner, A. Goguen, and A. Feringa, Risk management guide for In-
formation Technology systems, NIST|National Institute of Standards and
Technology, October 2001.

[226] D. Straub and Welke R., Coping with systems risk: Security planning models
for management decision making, MIS Quarterly 22 (1998), no. 4, 441{469.

[227] S. Strogatz, Exploring complex networks, Nature 410 (2001), 268{276.

[228] X. Su, D. Bolzoni, and P. van Eck, Understanding and specifying information
security needs to support the delivery of high quality security services, Emerg-
ing Security Information, Systems, and Technologies, 2007. SecureWare 2007,
2007, pp. 107{114.

[229] F. Swiderski and W. Snyder, Threat Modeling, Microsoft Press, 2004.

[230] D. Tapscott D.and Ticoll, The Naked Corporation: How the Age of Trans-
parency Will Revolutionise Business, Dow Jones & Company, Inc., 2003.

[231] TechEncyclopedia, http://www.techweb.com/encyclopedia/de¯neterm.jhtml?term=cracker.

[232] O. Tettero, Intrinsic Information Security. Embedding Security Issues in the
Design Process of Telematics Systems, Telematics Institute Fundamental Re-
search Series, No. 006(TI/FRS/006), 2000.

[233] M. Theoharidou, S. Kokolakis, and E. Kiountouzis, The insider threat to In-
formation Systems and the e®ectiveness of ISO 17799, Computers & Security
24 (2005), 472{484.

[234] B. Thuraisingham, Directions for security and privacy for semantic e-business
applications, Communications of the ACM 48 (2005)), no. 12, 71{73.

[235] A. Toval, J. Nicols, B. Moros, and F. Garca, Requirements reuse for improv-
ing Information Systems security: A practitioner's approach, Requirements
Engineering 6 (2002), no. 4, 205{219.

[236] J. Tregear, Risk assessment, Information Security Technical Report 6 (2001),
no. 3, 19{27.

[237] T. Tsiakis and G. Stephanides, The concept of security and trust in electronic
payments, Computers & Security 24 (2005), no. 1, 10{15.

[238] , The economic approach of information security, Computers & Secu-
rity 24 (2005), 105{108.

[239] D. Verdon and G. McGraw, Risk analysis in software design, IEEE Security
& Privacy (2004), 79{84.

[240] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna,
Cross-Site Scripting prevention with dynamic data tainting and static analysis,
In Proceedings of the Network and Distributed System Security Symposium
(NDSS), San Diego, CA, 2007.

[241] M. Wade and J. Hulland, Review:the resource-based view and Information
Systems research:review, extension, and suggestions for future research, MIS
Quarterly 28 (2004)), no. 1, 107{142.

[242] A. Wagner and C. Brooke, Wasting time: The mission impossible with respect
to technology-oriented security approaches, Electronic Journal of Business Re-
search Methods 5 (2007)), 117{124.

[243] J. Wainer, P. Barthelmess, and A. Kumar, W-RBAC|A worklfow security
model incorporating controlled overriding of constraints, International Journal
of Cooperative Information Systems 12 (2003), no. 4, 455{485.

[244] G. Walsham, Globalisation and IT: Agenda for research, Proceedings of the
International Conference on Home Oriented Informatics and Telematics, vol.
173, Kluwer, B.V. Deventer, The Netherlands, 2000, pp. 195 { 212.

[245] Z. Walter and G. Scott, Management issues of Internet/Web systems, Com-
munications of the ACM 49 (2006), no. 3, 87{91.

[246] C. Wang, A. Carzaniga, D. Evans, and A. Wolf, Security issues and require-
ments for Internet-scale publish-subscribe systems, Proceedings of the Thirty
Fifth Hawaii International Conference on System Sciences. (HICSS-35), Big
Island, Hawaii, 2002.

[247] H. Wang and C. Wang, Taxonomy of security considerations and software
quality, Communications of the ACM 46 (2003), no. 6, 75{78.

[248] L. Wang and Y. Zeng, The risk identi¯cation and assessment in e-buisness,
FSKD 2005, LNAI 3614 (L. Wang and Y. Jin, eds.), Springer-Verlag Berlin
Heidelberg, 2005, pp. 1142{1149.

[249] M. Wang and H. Wang, From process logic to business logic|A cognitive
approach to business process management, Information & Management 43
(2006), 179{193.

[250] W. Wang, A. Bailey, Z. Hidvegi, and A. Whinston, A framework for proac-
tive, automated and continuous e-commerce control and assurance, Goizueta
Business School Papers Series, GBS-DIA-2001-006 (2001).

[251] W. Wang, Z. Hidvegi, A. Bailey, and A. Whinston, E-process design and
assurance using model checking, Computer 33 (2000), no. 10, 48{53.

[252] , Model checking|a rigorous and e±cient tool for e-commerce internal
control and assurance, Knowledge Emory, Goizueta Business Library, GBS-
DIA-2001-007 (2001).

[253] W. Wang, Y. Yuan, and N. Archer, A contextual framework for combating
identity theft, IEEE Security and Privacy 4 (2006), no. 2, 30{38.

[254] X. Wang and D. Chen, Research on e-business management thought, Proceed-
ings of the ICEC'05, Xi'an, China (New York, NY, USA), ACM Press, August
2005, pp. 804{806.

[255] J. Wareham, J Zheng, and D. Straub, Critical themes in electronic commerce
research: a meta-analysis, Journal of Information Technology 20 (2005), 1{19.

[256] J. Warner and V. Atluri, Inter-instance authorisation constrsints for secure
work°ow management, SACMAT'06, ACM, 2006.

[257] G. Wasserman and Z. Su, Sound and precise analysis of web applications for
injection vulnerabilities, Proceedings of the PLDI'07, ACM, 11-13 June 2007.

[258] D. Watts and S. Strogatz, Collective dynamics of `small-world' networks, Na-
ture 393 (1998), 440{442.

[259] Webopedia, http://www.webopedia.com/TERM/C/crack.html.

[260] Webster, Merriam Webster dictionary, online, 2006, http://www.merriam-
webster.com/.

[261] B. Wernerfelt, The resource-based view of the ¯rm: Ten years after, Strategic
Management Journal 16 (1995), 171174.

[262] M. Whitman, Enemy at the gate: threats to information security, Communi-
cations of the ACM 46 (2003), no. 8, 91{95.

[263] , In defense of the realm: understanding the threats to information
security, International Journal of Information Management 24 (2004), no. 1,
43{57.

[264] J. Whitmore, A method for designing secure solutions, IBM Systems Journal
40 (2001), no. 3, 747{768.

[265] Wikipedia, The free encyclopedia.
http://en.wikipedia.org/wiki/Business process.

[266] N. Williams, E-business security issues for SMEs in a virtual hosting en-
vironment, ISICT '03: Proceedings of the 1st international symposium on
Information and communication technologies, Trinity College Dublin, 2003,
pp. 357{364.

[267] I. Woon and A. Kankanhalli, Investigation of IS professionals intention to
practise secure development of applications, International Journal of Human-
Computer Studies 65 (2007), no. 1, 29{41.

[268] R. K. Yin, Case Study Research, Design and Methods, 2nd ed., Sage Publica-
tions, 1994.

[269] L. Yu and X. He, An information °ow based security model for Linux clus-
ters, Proceedings of the 2005 High Availability and Performance Computing
Workshop, Santa Fe, New Mexico, October 2005, CD format.

[270] S. Zdancewic, Challenges for information-°ow security, Proceedings of the
First InternationalWorkshop on Programming Language Interference and De-
pendence (PLID), Verona, Italy, August 2004.

[271] K. Zhu, Information transparency of business-to-business electronic markets:
A game-theoretic analysis, Management Science 50 (2004), no. 5, 670{685.

[272] K. Zhu and K. Kraemer, Post-adoption variations in usage and value of e-
business by organizations: Cross-country evidence from the retail industry,
Information Systems Research 16 (2005), no. 1, 61{84.

[273] C. Zirpins, H. Weinreich, A. Bartelt, and W. Lamersdorf, Advanced concepts
for next generation portals, Proceedings of the 12th International Confer-
ence on Database and Expert Systems Applications, Munich, Germany, 2001,
pp. 501{506.

[274] A. Zuccato, Holistic security management framework applied in electronic
commerce, Computers & Security 26 (2007), 256{265.