AICPA, 2008, Trust services principles and criteria
Bodin, 2005, Evaluating information security investments using the analytical hierarchy process, Commun ACM, 48, 79, 10.1145/1042091.1042094
Bodin, 2008, Information security and risk management, Commun ACM, 51, 64, 10.1145/1330311.1330325
Bulgurcu, 2010, Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness, MIS Q, 34, 523, 10.2307/25750690
Bussey, 2011, Has time come for more CIOs to start reporting to the top?, Wall St J
Campbell, 2003, The economic cost of publicly announced information security breaches: empirical evidence from the stock market, J Comput Secur, 11, 431, 10.3233/JCS-2003-11308
Cavusoglu, 2004, A model for evaluating IT security investments, Commun ACM, 47, 87, 10.1145/1005817.1005828
Cavusoglu, 2004, The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers, Int J Electron Commer, 9, 69, 10.1080/10864415.2004.11044320
Chapin, 2005, How can security be measured?, Inf Syst Control J, 2
COSO, 2004
D'Arcy, 2009, User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach, Inf Syst Res, 20, 79, 10.1287/isre.1070.0160
Dhillon, 2007, Identifying governance dimensions to evaluate information systems security in organizations
Dittenhofer, 2010
Europe Research Services, 2008, Are CFOs from Mars and CIOs from Venus?
Gordon, 2002, The economics of security investment, ACM Trans Inf Syst Secur, 5, 438, 10.1145/581271.581274
Gordon, 2003, Information security expenditures and real options: a wait and see approach, Comput Secur J, XIX, 1
Gordon, 2010, Market value of voluntary disclosures concerning information security, MIS Q, 34, 567, 10.2307/25750692
Hawkey, 2008, Searching for the right fit: balancing IT security management model trade-offs, IEEE Internet Comput, 22, 10.1109/MIC.2008.61
Iheagwara, 2004, The effect of intrusion detection management methods on the return on investment, Comput Secur, 23, 213, 10.1016/j.cose.2003.09.006
IIA, 2005
IIA, 2009, Practice advisory 1110-1
IIA, 2011, International Standards for the Professional Practice of Internal Auditing
ITGI, 2007
Ito, 2010
Johnston, 2010, Fear appeals and information security behaviors: an empirical study, MIS Q, 34, 549, 10.2307/25750691
Kumar, 2008, Understanding the value of countermeasure portfolios in information security, J Manag Inf Syst, 25, 241, 10.2753/MIS0742-1222250210
Miles, 1994
Mishra, 2006, Information systems security governance research: a behavioral perspective in 1st Annual symposium on information assurance, 18
Phelps, 2008
Ransbotham, 2009, Choice and chance: a conceptual model of paths to information security compromise, Inf Syst Res, 20, 121, 10.1287/isre.1080.0174
Ratliff, 1996
Schaffhauser
Siponen, 2010, Neutralization: new insights into the problem of employee information systems security policy violations, MIS Q, 34, 487, 10.2307/25750688
Smith, 2010, Circuits of power: a study of mandated compliance to an information systems security de jure standard in a government organization, MIS Q, 34, 463, 10.2307/25750687
Spears, 2010, User participation in information systems security risk management, MIS Q, 34, 503, 10.2307/25750689
Strauss, 1990
Tucci
Wallace, 2011, Information security and Sarbanes–Oxley compliance: an exploratory study, J Inf Syst, 25, 185
Yin, 2003