Enterprise Open Source Software Adoption Dilemma:
Influence of the Information Technology Risk Factors
D I S S E R T A T I O N
of the University of St. Gallen,
School of Management,
Economics, Law, Social Sciences
and International Affairs
to obtain the title of
Doctor of Philosophy in Management
submitted by
Mario Silić
from
Croatia, France and Bosnia and Herzegovina
Approved on the application of
Prof. Dr. Andrea Back
and
Prof. Dr. Iris Junglas
Dissertation no. 4424
Art Studio Azinovic, Zagreb, 2015
The University of St. Gallen, School of Management, Economics, Law, Social
Sciences and International Affairs hereby consents to the printing of the present
dissertation, without hereby expressing any opinion on the views herein
expressed.
St. Gallen, May 19, 2015
The President:
Prof. Dr. Thomas Bieger
Acknowledgements
I would like to express immense gratitude to Prof. Dr. Andrea Back, who kindly
agreed to lead me along the path of this thrilling experience, and for her invaluable
support in helping me in completing this thesis.
I am also grateful to my co-supervisor, Prof. Dr. Iris Junglas, for her willingness to
co-supervise my thesis, for all her availability, and for providing constructive
advice.
I thank my parents, Zdenka and Josip, for their continuous support and their
eternal “wish” that I complete this journey, my sister Marijana, my brother Dario,
and many others whose support has always been a motivation to me: Ivana,
Goran, Mladen, Marija, Ante, Ivanka, Anita, Darko.
Above all, I am indebted to my wife, Renata. Without her support and
understanding this work would not have become a reality. To my children, Mia and
Paula, who were the source of inspiration for everything I was doing.
This work is dedicated to them.
December, 2014 Mario Silić
Contributions
Paper A
Silic, Mario and Back, Andrea. “Information Security – Critical Review and
Future Directions for Research”. Information Management & Computer Security,
22(3), 279-308.
Submitted 27.05.2013, first revision 23.08.2013, accepted 15.10.2013
Note: IMC&S is ranked C by ACPHIS (Australian Council of Professors and Heads of Information Systems) / H-index (Scopus) is 28
Paper B
Silic, Mario and Back, Andrea. “Identification and Importance of the
Technological Risks of Open Source Software in the Enterprise Adoption
Context”, in: Thomas, O.; Teuteberg, F. (eds.): Proceedings of the 12th
International Conference on Wirtschaftsinformatik (WI 2015), pp. 1163-1176
Submitted 29.07.2014, accepted 17.09.2014
Note: The Wirtschaftsinformatik conference is ranked ‘B’ by VHB-Jourqual
Paper C
Silic, Mario. “Dual-use open source security software in organizations–Dilemma:
Help or hinder?”. Computers & Security, 39, 386-395.
Submitted 15.03.2013, first revision 04.05.2013, second revision 06.07.2013, third revision
12.08.2013, accepted 09.09.2013
Note: C&S is ranked ‘A’ by ACPHIS and ‘B’ by VHB-Jourqual / 5-Year Impact Factor (IF) is 1.488 (Journal Citation Reports) / H-index (Scopus) is 51
Paper D
Silic, Mario and Back, Andrea. “Risk factors influencing the open-source software
adoption decision making process in the enterprise context”. Decision Support
Systems, under peer-review
Submitted 08.09.2014
Note: DSS is ranked ‘B’ by VHB-Jourqual / 5-Year Impact Factor (IF) is 2.651 (Journal Citation Reports)
Abstract
The main goal of this dissertation was to study Information Technology (IT) risk factors that
impact IT executives’ decision-making process to use Open Source Software (OSS) in the
enterprise context. Such risks might be related to ownership, operation, involvement,
influence, and adoption of IT software within an enterprise. Every enterprise endeavors to
avoid expensive failures and, at the same time, mitigate and reduce risks inherent to OSS
adoption during the risk identification phase. However, the current level of knowledge about
the complex interplay between OSS adoption and risk management is lacking a more holistic
view of which particular IT risks influence the IT decision-making process and what their
importance is.
To investigate this relationship, we used a multi-method research design approach to achieve
higher generalizability and accuracy of the findings.
This cumulative thesis comprises two parts. The first part covers the motivation, followed by
the research foundation, the results, the contribution and finishes with the thesis conclusion.
The second part shows the four research contributions that have been published in, or
submitted to, academic journals or conferences. The results of this thesis are three-fold: 1)
We provide a practical checklist that can be used by IT decision-makers during the risk
identification phase; 2) We found that enterprises are using vulnerable OSS libraries and
frameworks to build proprietary software, thereby increasing the IT risk; and 3) We propose
a Risk-Theoretic Open-Source Adoption Model that theorizes on the importance of IT risk
antecedents (Confidentiality, Integrity, Availability and Information Assurance).
Overall, this thesis offers new findings on the OSS phenomenon by proposing practical
insights that can facilitate OSS adoption by reducing and mitigating IT risks, resulting in
better and more robust enterprise risk management.
Zusammenfassung (German abstract, translated)
This dissertation project examines the influence of information technology (IT) risks on
the decision-making process of executives regarding the use of Open Source Software (OSS).
Such risks may relate to the ownership, operation, influence, or adoption of IT within an
organization. Every enterprise tries to avoid costly wrong decisions and, at the same time,
to minimize risks. The relationship between the use of OSS and risk management lacks a
holistic approach, in particular with regard to which IT security risks influence the
decision-making process and how important they are.
To investigate this relationship, a multi-method approach was chosen as the research
design of this dissertation, with the aim of making the results more generalizable and more
accurate. The cumulative dissertation consists of two parts. The first part covers the
motivation, the theoretical foundations, the results and the contributions, and closes with a
conclusion. The second part contains four articles that have been published at conferences
or in journals, or are currently under review.
Three conclusions can be drawn from these contributions. First, a checklist can be derived
that practitioners and decision-makers can use in the risk identification process. Second,
the exposure of enterprises that use OSS libraries and frameworks to build proprietary
software solutions was identified. Third, an adoption model was developed that identifies
antecedents of IT security risk: confidentiality, integrity, availability and information
assurance.
In summary, this dissertation presents new findings on the OSS phenomenon and examines,
from both a theoretical and a practical perspective, the reduction of IT security risks in
the decision-making process of executives and managers. As a consequence, enterprises
should be able to identify, assess and evaluate their risks better.
Table of Contents
ACKNOWLEDGEMENTS ............................................................................................... 5
CONTRIBUTIONS ......................................................................................................... 6
ABSTRACT .................................................................................................................. 7
ZUSAMMENFASSUNG .................................................................................................. 8
TABLE OF CONTENTS .................................................................................................. 9
LIST OF FIGURES ....................................................................................................... 12
LIST OF TABLES ........................................................................................................ 13
1. EXPOSITION ................................................................................................ 13
1.1. INTRODUCTION AND OVERVIEW .............................................................. 13
1.2. MOTIVATION ........................................................................................... 14
1.2.1. PRACTITIONER PERSPECTIVE .............................................................. 14
1.2.2. THEORETICAL PERSPECTIVE ............................................................... 18
1.3. RESEARCH FOUNDATION ......................................................................... 21
1.3.1. THESIS STRUCTURE ............................................................................ 21
1.3.2. RESEARCH GOAL ................................................................................ 22
1.3.3. THEORETICAL FOUNDATION ............................................................... 23
1.3.4. LITERATURE REVIEW .......................................................................... 27
1.4. SUMMARY OF THE RESULTS .................................................................... 32
1.5. CONTRIBUTION ....................................................................................... 34
1.5.1. PRACTITIONER CONTRIBUTIONS ......................................................... 35
1.5.2. THEORETICAL CONTRIBUTIONS .......................................................... 39
1.5.3. CRITICAL REFLECTION ....................................................................... 40
1.6. CONCLUSION ........................................................................................... 41
1.7. REFERENCES ........................................................................................... 41
PAPER A ................................................................................................................ 46
2. INFORMATION SECURITY – CRITICAL REVIEW AND FUTURE
DIRECTIONS FOR RESEARCH ........................................................................ 46
2.1. INTRODUCTION ........................................................................................ 47
2.2. RESEARCH ON INFORMATION SECURITY ................................................. 48
2.2.1. REVIEW METHOD ............................................................................... 48
2.2.2. RESEARCH SCOPE ............................................................................... 50
2.2.3. RESEARCH LIMITATIONS ..................................................................... 52
2.2.4. DATABASE SELECTION AND KEYWORD SEARCH ................................ 52
2.3. RESEARCH FRAMEWORK ......................................................................... 56
2.3.1. THEORIES ............................................................................................ 57
2.3.2. RESEARCH METHODS ......................................................................... 58
2.3.3. RESEARCH TOPICS AND CLASSIFICATION SYSTEM .............................. 59
2.4. RESULTS ................................................................................................. 62
2.4.1. OVERVIEW OF INFOSEC RESEARCH .................................................... 62
2.4.2. SUBTHEMES IN INFOSEC RESEARCH ................................................... 66
2.4.3. KEY FINDINGS FOR EACH OF THE IDENTIFIED MAIN THEMES ............. 66
2.4.4. OVERVIEW OF THEORIES .................................................................... 80
2.4.5. OVERVIEW OF METHODS .................................................................... 81
2.5. SUMMARY AND DISCUSSION ................................................................... 81
2.6. CONCLUSION ........................................................................................... 85
2.7. REFERENCES ........................................................................................... 86
PAPER B ................................................................................................................ 95
3. IDENTIFICATION AND IMPORTANCE OF THE TECHNOLOGICAL
RISKS OF OPEN SOURCE SOFTWARE IN THE ENTERPRISE
ADOPTION CONTEXT ....................................................................................... 95
3.1. INTRODUCTION ........................................................................................ 96
3.2. RESEARCH METHODOLOGY ..................................................................... 99
3.2.1. LITERATURE REVIEW .......................................................................... 99
3.2.2. SURVEYS .......................................................................................... 102
3.3. RESULTS ............................................................................................... 103
3.3.1. IDENTIFICATION OF THE TECHNOLOGICAL RISKS OF OSS ................. 103
3.3.2. IMPORTANCE OF THE TECHNOLOGICAL RISKS OF OSS ..................... 104
3.4. DISCUSSION........................................................................................... 108
3.5. CONCLUSION ......................................................................................... 110
3.6. REFERENCES ......................................................................................... 111
PAPER C .............................................................................................................. 116
4. DUAL-USE OPEN SOURCE SECURITY SOFTWARE IN
ORGANIZATIONS - DILEMMA: HELP OR HINDER? ............................... 116
4.1. INTRODUCTION ...................................................................................... 117
4.2. LITERATURE REVIEW ............................................................................ 118
4.3. METHODOLOGY .................................................................................... 121
4.4. FINDINGS............................................................................................... 127
4.5. TRIANGULATION OF FINDINGS AND DISCUSSION ................................... 136
4.6. CONCLUSION ......................................................................................... 139
4.7. REFERENCES ......................................................................................... 140
PAPER D .............................................................................................................. 145
5. RISK FACTORS INFLUENCING THE OPEN-SOURCE SOFTWARE
ADOPTION DECISION MAKING PROCESS IN THE ENTERPRISE
CONTEXT ............................................................................................................ 145
5.1. INTRODUCTION ...................................................................................... 146
5.2. LITERATURE REVIEW ............................................................................ 149
5.3. RESEARCH MODEL AND HYPOTHESES ................................................... 157
5.4. RESEARCH METHODOLOGY ................................................................... 165
5.5. RESULTS ............................................................................................... 169
5.6. DISCUSSION........................................................................................... 179
5.7. CONCLUSION ......................................................................................... 185
APPENDIX A ....................................................................................................... 197
CURRICULUM VITAE .......................................................................................... 200
List of Figures
FIGURE 1 DISSERTATION STRUCTURE ....................................................................... 22
FIGURE 2 MULTI-METHOD RESEARCH DESIGN ......................................................... 35
FIGURE 3 FOUR-STEP SEARCH PROCESS (VOM BROCKE ET AL., 2009) ....................... 49
FIGURE 4 TIME DISTRIBUTION OF THE PAPER STOCK ................................................. 55
FIGURE 5 ISO/IEC 27002 (ADAPTED FROM ISO27001SECURITY.COM) ...................... 60
FIGURE 6 MAIN THEMES 5 YEARS DISTRIBUTION ...................................................... 65
FIGURE 7 OVERALL DISTRIBUTION OF PUBLICATIONS ............................................... 65
FIGURE 8 FACTORS AFFECTING PERCEIVED IT SECURITY RISK IN THE OSS CONTEXT ...... 158
FIGURE 9 OSS ADOPTION RESEARCH MODEL ........................................................ 161
FIGURE 10 STRUCTURAL MODEL RESULTS ............................................................. 177
FIGURE 11 STRUCTURAL MODEL RESULTS WITHOUT PNU/PPU ............................ 179