A Preliminary Investigation of the Impact of the Sarbanes-Oxley Act on Information Security

This paper examines the information security implications of the Sarbanes-Oxley (SOX) Act of 2002. It is well-established in the information systems field that managers do not rank security as a high priority, an attitude that is believed to result in low levels of information system protection. We consider whether information security benefits are likely to result from compliance efforts associated with SOX. A qualitative analysis consisting of semi-structured interviews, participant observation, and document analysis was conducted to address this question. Based on the results of this investigation, a framework was developed which integrates several factors associated with SOX compliance and demonstrates that firms are likely to reap information security benefits as a result of SOX compliance efforts.