As the use of the Internet has grown exponentially through the 1990s and into the 21st century, concerns associated with security have escalated, new ethical issues have emerged, and new laws have been enacted in response. The theme of this issue of Information Systems Management is "Security, Ethics,
Information and system security has become a salient organizational issue. Security threats are especially heightened when information and systems can be accessed via the Internet. It is critical that the quality and integrity of organizational information and systems be maintained. Security remains both an internal and external issue, presenting a challenge to the IS staff responsible for implementing proper controls and oversight. In addition, the term "information assurance" is being used to emphasize a broader business and a preventative focus.
The corporate scandals of the past few years have resuscitated the ancient and timeless issue of ethics; in these instances, the role of ethics in management and decision making had arguably been subordinated to speed and financial gain. Information technology (IT) also raises ethical issues in a new context. For example, an unauthorized perusal through an employee's file cabinet or desk would be considered unethical, as would reading another employee's mail without permission. The challenge for organizations and individuals is how to transfer ethical principles to these new electronic contexts.
In contrast to the rapid pace of technological change, laws are introduced much more slowly, placing the legal system in a catch-up position. Cyberlaw is not really new law, but new applications of existing laws in a new environment. Intellectual property rights, copyright, and patent and trademark protections are also not new, but the growth of the Internet has created issues heretofore nonexistent. A law of contracts existed in the ancient world, and modern contract law comes from centuries of development and legislation; E-contracts are still contracts, but with new issues such as what constitutes a written contract and digital signatures. Tort law is also old, but the Internet has added new issues to traditional areas such as privacy, defamation, and product and service liability. IT and the Internet have therefore made it more important for IS managers and professionals to recognize and understand legal issues.
The first article, "Information Security Threats and Practices in Small Businesses," by Shannon Keller, Anne Powell, Ben Horstmann, Chad Predmore, and Matt Crawford, examines how a sample of small businesses, defined as those with fewer than 500 employees, are managing information security and associated risks. The authors compare their findings to published best practices and highlight areas of concern.
Effective information assurance (IA) is critical to organizations, as it is the key to reliable management decision making, customer trust, business continuity, and good governance. Nonetheless, making the case for IA investments can be difficult because the scope of benefits can be very broad. In the second article, "A Model of Information Assurance Benefits," Jean-Noël Ezingeard, Elspeth McFadzean, and David Birchall present a framework of the operational, tactical, strategic, and organizational benefits of superior information assurance, based on interviews with company executives, senior IA managers, and external stakeholders.
The security theme is also addressed in the third article, "Accountability in EDI Systems to Prevent Employee Fraud," by Alan Smith. This author focuses on controls necessary to prevent, detect, and recover from fraudulent attempts against EDI systems, especially those attempted by employees. Effective security requires both traditional and nontraditional internal and external controls against fraudulent activities.
The fourth article, "The Ethical and Legal Concerns of Spyware," by myself, Burke Ward, and Georgina Roselli, focuses on the ethical and legal issues related to stealth invaders into computing resources, in the form of spyware. Internet users are threatened by adware cookies, adware, Trojan horses, and system monitors, which have the capability to gather users' personal information for target marketing and other purposes, but may also result in the theft of information and a disruption of computer operations. The ethical and legal controversy within the United States is examined, and approaches by individual users, organizations, and governments to battle spyware are discussed.
In "The Importance of Law for E-Commerce Strategies," Kathleen and Peter Mykytyn discuss how a lack of awareness of legal environment issues can lead to missteps as well as missed opportunities by IS managers and researchers. The authors examine three areas in which U.S. law is having a significant impact today on E-commerce: (1) intellectual property, (2) jurisdiction, and (3) defamation. Case examples are discussed and suggestions for additional research are offered.
The increasing prevalence of computers within society has been accompanied by the rise in E-crime, and the processes and techniques employed by the field of computer forensics offer the potential for extracting and presenting electronic evidence in a court of law. In the final themed article in this issue, "Identification of Legal Issues for Computer Forensics," Angela Brungs and Rodger Jamieson identify and classify legal issues considered of high importance by Australian experts in the computer forensics field. By comparing issue rankings across three different stakeholder groups, their findings highlight the importance of recognizing differences in perspectives among law enforcement, government regulators, and private industry consultants.
We hope that you find the security, ethical, and legal issues raised in this issue to be intriguing, thought-provoking, and informative for managerial practices and research endeavors alike.
Janice C. Sipior
Guest Editor
With this issue we are introducing a new initiative for the ISM journal: the addition of a Guest Editor. Janice C. Sipior is well known for her own research on security, ethical, and legal issues, including several articles published previously in this journal, and we appreciate her taking on the first guest editor role.
In addition to the set of six articles introduced above by Dr. Sipior, this issue also includes two non-themed articles. In "Post-Implementation Usability of ERP Training Manuals: The User's Perspective," Judy Scott demonstrates how usability guidelines for documentation can be derived from analyzing user responses to open-ended questions about an organization's system manuals post-implementation. In the final article of this issue, "IT-Supported Competence Management: A Case Study at Ericsson," Eli Hustad and Bjørn Erik Munkvold present the potential benefits and challenges associated with implementing a competence management system in a global telecommunications firm that already has a culture of knowledge sharing.
This issue concludes with a column by Bill King on the growing complexity of outsourcing options, and the "BookISMs" column by Paul Gray with reviews of several books on security and privacy issues.
As always, we invite our readers to consider submitting an article to ISM. The selected themes for future issues are ubiquitous computing (including mobile technologies), business intelligence, and E-business. Please check the journal's Web site (www.ism-journal.com) for issue deadlines and preparation guidelines.
Carol V Brown
Editor-in-Chief