Sample Referee Review
The review below is not intended as the best review. It is one which I did for a journal quite some ago. It does not necessarily follow the refereeing suggestions made in the Paper Refereeing Page (I made this review before those guidelines were developed). Hopefully, however, it illustrates some of the components you should keep in mind when reviewing your papers.
Reviewer's Comments:Some Effects of Information Security Practices on Organizational Structure and Processes
The manuscript addresses a growing area of interest to academicians, that of information security, and many of the issues raised and points made are worthy of publication (see later comments). However, I am recommending that the article be rejected for the following reasons:
1. I do not believe the paper is sufficiently motivated. It is unclear why the author chose to focus on two loosely related areas of information security (Disaster recovery and Network/microcomputer security), or what from what perspective (managerial or organizational) they are to be considered. The introduction provides little insight into the paper's intent, other than stating that it is "neither comprehensive nor all inclusive" (which makes no sense), and that its purpose is to ask questions (which it seldom does). If the author does intend an exploratory investigation of information security issues, then he needs to define all of the parameters involved and consider all areas specified in a clearly laid-out, methodical manner.
2. The scope of the paper is too broad to be adequately covered in a single journal article. In accordance with the above comment, the manuscript discusses two distinct security areas, both of which have relatively large subsets of underlying issues. Attempting to incorporate both areas necessitates superficial coverage of each and disrupts the paper's continuity of coverage of either.
3. The paper is lacking the theoretical and conceptual foundations necessary to support the arguments made. Many of the topics chosen for coverage in the literature review are germane to broader areas of organizational structure and behavior, and are only tangentially related information security. For some of the areas considered (e.g., technology as an agent of social change, 'de-skilling' of workers through automation, massaging formats), I have difficulty finding any common threads. Those areas which might serve as a conceptual basis for security planning and implementation (e.g., organizational structure and policy application, standardization, risk environments) tend to be insufficiently developed and integrated. A number of the previous studies cited (e.g., Huber, Pfeifer, Markus & Robey, Daft & Lengel, Robey, Mintzberg) did not consider any issues of security, and relating their focus to include security issues may be an overextension. On the other hand, there are a number of studies (e.g., Hoffer and Straub, 1989, SMR; Straub, 1990, ISR; Wong, 1985; Comp. & Security) which are quite applicable but were overlooked.
4. The paper is in need of substantial reorganization and refinement. This point by itself would not indicate rejection, although would probably suggest substantial revision and resubmission. The paper simply does not 'flow' as well as it might, although some individual sections indicate that the author is capable of producing cohesive discussions. I was also distracted by the frequent use of idiomatic expressions (e.g., "nose under tent"; I have asked a number of other individuals what that means, and we are all clueless).
On a more positive note, I do believe that there are components of the manuscript which have merit, and could be developed (albeit with some effort) into an interesting, publishable paper. As noted previously, either Disaster Recovery or Microcomputer Security are viable areas of interest. For JOC, either of these considered from an organizational perspective could be of interest, and I would encourage the author in such an undertaking, keeping in mind the comments made above.
This page was last updated on 01/20/04