This paper examines user participation in IS
security risk management and its influence in the context of
regulatory compliance via a multi-method study at the organizational
level. First, 11 informants across 5 organizations were interviewed
to gain an understanding of the types of activities and security
controls in which users participated as part of Sarbanes-Oxley
compliance, along with associated outcomes. A research model was
developed based on the findings of the qualitative study and extant
user participation theories in the systems development literature.
Analysis of the data collected in a questionnaire survey of 228
members of ISACA, a professional association specializing in IT
governance, audit, and security, supported the research model. The
findings of the two studies converged and indicated that user
participation contributed to improved security control performance
through greater awareness, greater alignment between IS security
risk management and the business environment, and improved control
development. While the IS security literature often portrays users
as the weak link in security, the current study suggests that users
may be an important resource to IS security by providing needed
business knowledge that contributes to more effective security
measures. User participation is also a means to engage users in
protecting sensitive information in their business processes.
Keywords: Information security, user participation,
security risk management, Sarbanes-Oxley Act