Scientific Positioning and Research Approach

  • Denis Royer
Part of the Progress in IS book series (PROIS)


Researching information systems in organisations is a complex undertaking, involving people, organisational structures, and technologies. Furthermore, research on IT security, as initially stated, often lacks adequate research designs when addressing research topics. It is therefore necessary to embed the design of viable IT (security) artefacts for solving relevant organisational problems in research frameworks, so that these problems can be addressed adequately.


  174. Royer, D. (2008a). Assessing the value of enterprise identity management (EIdM) – towards a generic evaluation approach. In E. R. Weippl, G. Quirchmyr & J. Slya (Eds.), Proceedings of the 3rd international conference on availability, reliability and security (ARES 2008 – the international dependability conference) (pp. 779–786). Barcelona: IEEE Press.CrossRefGoogle Scholar
  175. Royer, D. (2008b). Enterprise identity management – What’s in it for organisations? In S. Fischer-Huebner, P. Duquenoy, A. Zuccato & L. Martucci (Eds.), Proceedings of the IFIP/FIDIS summer school on “The future of identity in the information society” (Lecture notes on informatics (LNI), pp. 403–416). Berlin et al: Springer.Google Scholar
  176. Royer, D. (2008c). Ganzheitliche Bewertung von Enterprise Identity Management Systemen – Der Ansatz der Balanced Scorecard als taktisches Entscheidungsunterstützungsinstrument. In A. Alkassar & J. Siekmann (Eds.), Sicherheit 2008 – 4. Jahrestagung Fachbereich Sicherheit der Gesellschaft für Informatik, Saarbrücken, Germany (pp. 449–460). Gesellschaft für Informatik (GI).Google Scholar
  177. Royer, D. (2010). Supporting decision making for enterprise identity management – an explanatory model for describing the relevant impacts. In P. M. Alexander, M. Turpin & J. P. van Deventer (Eds.), 18th European conference on information systems 2010 (ECIS 2010), Pretoria, Republic of South Africa. Association for Information Systems (AIS).Google Scholar
  178. Royer, D., & Meints, M. (2008). Planung und Bewertung von Enterprise Identity Managementsystemen. Datenschutz und Datensicherheit (DuD), 32(3), 189–193.CrossRefGoogle Scholar
  179. Royer, D., & Meints, M. (2009). Enterprise identity management – towards a decision support framework based on the balanced scorecard approach. Business & Information Systems Engineering (BISE), 1(3), 245–253. Also available in German in: Wirtschaftsinformatik (WI), 51(3), 284–294.CrossRefGoogle Scholar
  180. Royer, D., & Rannenberg, K. (2006). Mobilität, mobile Technologie und Identität. Datenschutz und Datensicherheit (DuD), 30(9), 571–575.CrossRefGoogle Scholar
  181. Roztocki, N., & Weistroffer, H. R. (2007). Identifying success factors for information technology investments: contribution of activity based costing. In H. Österle, J. Schelp & R. Winter (Eds.), 15th European conference on information systems 2007 (ECIS 2007), St. Gallen, Switzerland (pp. 1031–1040). AIS.Google Scholar
  182. Ryan, J. J. C. H., & Ryan, D. J. (2006). Expected benefits of information security investments. Computers und Security, 25(8), 579–588.CrossRefGoogle Scholar
  183. Ryan, S. D., Harrison, D. A., & Schkade, L. L. (2002). Information-technology investment decisions: When do costs and benefits in the social subsystem matter? Journal of Management Information Systems, 19, 85–127.CrossRefGoogle Scholar
  184. Satchell, C., Shanks, G., Howard, S., & Murphy, J. (2006). Knowing me, knowing you: End user perceptions of identity management systems. In J. Ljungberg & M. Andersson (Eds.), 14th European conference on information systems 2006 (ECIS 2006), Goteborg, Sweden (pp. 795–806). Association for Information Systems (AIS).Google Scholar
  185. Schienmann, B. (2002). Kontinuierliches Anforderungsmanagement – Prozesse, Techniken, Werkzeuge. München et al.: Addison-Wesley.Google Scholar
  186. Schmeh, K., & Uebelacker, H. (2004). Sicherheit, die sich rechnet – Return-on-Investment in der IT-Security. Available at: Accessed 2012-09-27.
  187. Schröder, H., & Kesten, R. (2006). Ein Vorgehensmodell zur Nutzenbewertung von IT-Investitionen. Information Management & Consulting, 21(4), 63–68.Google Scholar
  188. Schumann, M. (1993). Wirtschaftlichkeitsbeurteilung für IV-Systeme. Wirtschaftsinformatik (WI), 35(2), 167–178.Google Scholar
  189. Schwaber, K., & Sutherland, J. (2010). SCRUM Guide. Available at: Accessed 2012-09-27.
  190. Sharp, H., Finkelstein, A., & Galal, G. (1999). Stakeholder identification in the requirements engineering process. In DEXA ’99: Proceedings of the 10th international workshop on database expert systems applications, Washington, DC, USA (p. 387). IEEE Computer Society.Google Scholar
  191. Shim, J. P., Warkentin, M., Courtney, J. F., Power, D. J., Sharda, R., & Carlsson, C. (2002). Past, present, and future of decision support technology. Decision Support Systems (DSS), 33(2), 111–126.CrossRefGoogle Scholar
  192. Simon, H. A. (1960). The new science of management decision. New York: Harper.CrossRefGoogle Scholar
  193. Simon, H. (1996). The sciences of the artificial (3rd ed.). Cambridge: MIT Press.Google Scholar
  194. Siponen, M. T., & Oinas-Kukkonen, H. (2007). A review of information security issues and respective research contributions. The DATA BASE for Advances in Information Systems, 38(1), 60–80.CrossRefGoogle Scholar
  195. Siponen, M. T., & Willison, R. (2010). A critical assessment of IS security research between 1990–2004. In H. Österle, J. Schelp & R. Winter (Eds.), 15th European conference on information systems 2007 (ECIS 2007), St. Gallen, Switzerland (pp. 1551–1559). Association for Information Systems (AIS).Google Scholar
  196. Small, M. (2004). Business and technical motivation for identity management. Information Security Technical Report, 9(1), 6–21.CrossRefGoogle Scholar
  197. Solheim, J. A., & Rowland, J. H. (1993). An empirical study of testing and integration strategies using artificial software systems. IEEE Transactions on Software Engineering, 19(10), 941–949.CrossRefGoogle Scholar
  198. Sommerville, I. (2006). Software engineering (8th ed.). Redwood City: Addison Wesley.Google Scholar
  199. Sommerville, I., & Sawyer, P. (1997). Requirements engineering – a good practice guide. Chichester et al.: Wiley.Google Scholar
  200. Sonnenreich, W., Albanese, J., & Stout, B. (2006). Return on security investment (ROSI) – a practical quantitative model. Journal of Research and Practice in Information Technology, 38(1), 45–56.Google Scholar
  201. Sprague, R. H., Jr. (1980). A framework for the development of decision support systems. MIS Quarterly, 4(4), 1–26.CrossRefGoogle Scholar
  202. Stefanou, C. J. (2002). A framework for the ex-ante evaluation of ERP software. European Journal of Information Systems, 10(4), 204–215.CrossRefGoogle Scholar
  203. Tsolkas, A., & Schmidt, K. (2010). Rollen- und Berechtigungskonzepte (\(<\)kes\(>\)). Wiesbaden: Vieweg + Teubner Verlag.Google Scholar
  204. Turban, E., & Aronson, J. E. (1998). Decision support and business intelligence systems (5th ed.). Upper Saddle River: Prentice-Hall, Inc.Google Scholar
  205. Uwizeyemungu, S., & Raymond, L. (2009). Exploring an alternative method of evaluating the effects of ERP: A multiple case study. Journal of Information Technology (JIT), 24(3), 251–268.CrossRefGoogle Scholar
  206. V-Modell Project (2006). The V-modell XT – release 1.3. Koordinierungs- und Beratungsstelle der Bundesregierung für Informationstechnik in der Bundesverwaltung (KBSt), Berlin. Available at: Accessed 2012-09-27.
  207. Vaishnavi, V. K., & Kuechler, W. (2008). Design science research methods and patterns – innovating information and communication technology. Boca Raton: Auerbach Publications.Google Scholar
  208. Walsham, G. (2006). Doing interpretive research. European Journal of Information Systems, 15(3), 320–330.CrossRefGoogle Scholar
  209. Walter, S. G., & Spitta, T. (2004). Approaches to the ex-ante evaluation of investments into information systems. Wirtschaftsinformatik, 46(3), 171–180.CrossRefGoogle Scholar
  210. Wan, Z., Fang, Y., & Wade, M. (2007). A ten-year Odyssey of the “IS productivity paradox” - a citation analysis (1996–2006). In Association for Information Systems (AIS) (Ed.), Proceedings of the 13th Americas conference on information systems (AMCIS), Keystone, Colorado.Google Scholar
  211. Ward, J., De Hertogh, S., & Viaene, S. (2007). Managing benefits from IS/IT investments: An empirical investigation into current practice. In HICSS – 40th Hawaii international international conference on systems science (HICSS-40 2007), Waikoloa, Big Island, HI, USA, 3–6 Jan 2007 (p. 206). IEEE Computer Society.Google Scholar
  212. Weber, R. (2004). The rhetoric of positivism versus interpretivism: A personal view. MIS Quarterly, 28(1), iii–xii.Google Scholar
  213. Windley, P. J. (2005). Digital identity. Sebastopol et al.: O’Reilly.Google Scholar
  214. Winter, R. (2008). Design science research in Europe. European Journal of Information Systems (EJIS), 17(5), 470–475.CrossRefGoogle Scholar
  215. Witty, R. J., Allan, A., Enck, J., & Wagner, R. (2003). Identity and access management defined. Research Study SPA-21-3430, Gartner.Google Scholar
  216. Yayla, A. A., & Hu, Q. (2010). The impact of information security events on the stock value of firms: The effect of contingency factors. Journal of Information Technology (AOP), 25, 1–18. Available at: Accessed 2012-09-27.
  217. Yin, R. K. (2003). Case study research – design and methods (Applied social research methods series, 3rd ed., Vol. 5). Sage, Thousand Oaks, et al.,Google Scholar
  218. Yue, W. T., Cakanyildirim, M., Ryu, Y. U., & Dengpan, L. (2007). Network externalities, layered protection and IT security risk management. Decision Support Systems (DSS), 44(1), 1–16.CrossRefGoogle Scholar
  219. Zangemeister, C. (1976). Nutzwertanalyse in der Systemtechnik – Methodik zur multidimensionalen Bewertung und Auswahl von Projektalternativen (4th ed.). Hamburg: Zangemeister.Google Scholar
  220. Zeitler, N. (2009). Identity and access management zu teuer und komplex. Available at: Accessed 2012-09-27.

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Denis Royer (1)
  1. Faculty of Economics and Business Administration, Chair for Mobile Business & Multilateral Security, Goethe University Frankfurt am Main, Frankfurt, Germany
