This paper seeks to empirically examine the existence and implementation of information security governance (ISG) in Saudi organizations.
Abstract
Purpose
This paper seeks to empirically examine the existence and implementation of information security governance (ISG) in Saudi organizations.
Design/methodology/approach
An empirical survey, using a self‐administered questionnaire, is conducted to explore and evaluate the current status and the main features of ISG in the Saudi environment. The questionnaire is developed based on ISG guidelines for boards of directors and executive management issued by the Information Technology (IT) Governance Institute and other related materials available in the literature. A total of 167 valid questionnaires are collected and processed using the Statistical Package for Social Sciences, version 16.
Findings
The results of the study reveal that although the majority of Saudi organizations recognize the importance of ISG as an integrant factor for the success of IT and corporate governance, most of them have no clear information security strategies or written information security policy statements. The majority of Saudi organizations have no disaster recovery plans to deal with information security incidents and emergencies; information security roles and responsibilities are not clearly defined and communicated. The results also show that alignment between ISG and the organization's overall business strategy is relatively poor and not adequately implemented. The results also show that risk assessment procedures are not adequately and effectively implemented, ISG is not a regular item in the board's agenda, and there are no properly functioning ISG processes or performance‐measuring systems in the majority of Saudi organizations. Accordingly, appropriate actions should be taken to improve implementing and measuring the ISG performance in Saudi organizations.
Originality/value
From a practical standpoint, managers and practitioners alike stand to gain from the findings of this study. The results of the paper enable them to better understand and evaluate ISG and to champion IT development for business success in Saudi organizations.
Details
Keywords
Saurabh Kumar, Baidyanath Biswas, Manjot Singh Bhatia and Manoj Dora
The present study aims to identify and investigate the antecedents of enhanced level of cyber-security at the organisational level from both the technical and the human resource…
Abstract
Purpose
The present study aims to identify and investigate the antecedents of enhanced level of cyber-security at the organisational level from both the technical and the human resource perspective using human–organisation–technology (HOT) theory.
Design/methodology/approach
The study has been conducted on 151 professionals who have expertise in dealing with cyber-security in organisations in sectors such as retail, education, healthcare, etc. in India. The analysis of the data is carried out using partial least squares based structural equation modelling technique (PLS-SEM).
Findings
The results from the study suggest that “legal consequences” and “technical measures” adopted for securing cyber-security in organisations are the most important antecedents for enhanced cyber-security levels in the organisations. The other significant antecedents for enhanced cyber-security in organisations include “role of senior management” and “proactive information security”.
Research limitations/implications
This empirical study has significant implications for organisations as they can take pre-emptive measures by focussing on important antecedents and work towards enhancing the level of cyber-security.
Originality/value
The originality of this research is combining both technical and human resource perspective in identifying the determinants of enhanced level of cyber-security in the organisations.
Details
Keywords
R. von Solms, S.H. von Solms and W.J. Caelli
Information Security Management consists of various facets, forexample Information Security Policy, Risk Analysis, Risk Management,Contingency Planning and Disaster Recovery which…
Abstract
Information Security Management consists of various facets, for example Information Security Policy, Risk Analysis, Risk Management, Contingency Planning and Disaster Recovery which are all interrelated in some way. These interrelationships often cause uncertainty and confusion among top management. Proposes a model for Information Security Management, called an Information Security Management Model (ISM⊃2) and puts all the various facts in context. The model consists of five different levels defined on a security axis. ISM⊃2 introduces the idea of international security criteria or international security standards (baselines). The rationale behind these baselines is to enable information security evaluation according to internationally‐accepted criteria.
Details
Keywords
Cindy Zhiling Tu, Yufei Yuan, Norm Archer and Catherine E. Connelly
Effective information security management is a strategic issue for organizations to safeguard their information resources. Strategic value alignment is a proactive approach to…
Abstract
Purpose
Effective information security management is a strategic issue for organizations to safeguard their information resources. Strategic value alignment is a proactive approach to manage value conflict in information security management. Applying a critical success factor (CSF) analysis approach, this paper aims to propose a CSF model based on a strategic alignment approach and test a model of the main factors that contributes to the success of information security management.
Design/methodology/approach
A theoretical model was proposed and empirically tested with data collected from a survey of managers who were involved in decision-making regarding their companies’ information security (N = 219). The research model was validated using partial least squares structural equation modeling approach.
Findings
Overall, the model was successful in capturing the main antecedents of information security management performance. The results suggest that with business alignment, top management support and organizational awareness of security risks and controls, effective information security controls can be developed, resulting in successful information security management.
Originality/value
Findings from this study provide several important contributions to both theory and practice. The theoretical model identifies and verifies key factors that impact the success of information security management at the organizational level from a strategic management perspective. It provides practical guidelines for organizations to make more effective information security management.
Details
Keywords
Cornelius Johannes Kruger and Mavis Noxolo Mama
Identity management (IdM) not only improves the process of creating and maintaining digital identities across business systems; it can, if implemented successfully, contribute to…
Abstract
Purpose
Identity management (IdM) not only improves the process of creating and maintaining digital identities across business systems; it can, if implemented successfully, contribute to the strengthening and positioning of the business for success. In order to have a successful IdM implementation, an organisation must step back to determine a course of action that solves enterprise‐wide issues. Short‐sighted actions can lead to confusion, unnecessary expenses and the delay of beneficial results. The purpose of this paper is to deliver guidelines for the application of strategic management principles regarding IdM implementation, and propose a holistic model incorporating business strategy formulation with IdM strategy formulation.
Design/methodology/approach
A total of ten senior managers involved in IdM implementation projects were interviewed. Face‐to face interviews were conducted, with 30 minutes allocated per participant, and an assistant present to administer the proceedings. Primary data was collected using a semi‐structured questionnaire. Part A of the questionnaire collected the respondent's details and provided definitions of IdM to clarify the concept. Part B consisted of descriptive questions which dealt with the following three categories: IdM as part of the business strategy, IdM challenges in the company, IdM implementation approach used by the company and strategic framework used.
Findings
Findings indicate that IdM is seen as part of strategy and as such IdM implementations consist of a strategic thinking process accompanied by an incremental tactical implementation. Challenges facing IdM centred not on technological issues, but on implementing IdM as a competitive tool. Unfortunately, lack of commitment and external environment analysis; relegate IdM planning to remain on a tactical, rather than a strategic level.
Originality/value
A strategic planning process is presented in this article to model the interdependence between IdM implementation planning and strategic management (business strategy formulation). This model enables the organisation to develop and communicate its vision for IdM, to link IdM and business plans, and to gain the support of the whole enterprise in this endeavour. By leveraging the proposed model, organisations can gain a bird's eye view of IdM as an integral part of the business strategy, and ensure an IdM implementation that has enterprise‐wide support and benefits.
Details
Keywords
Shuchih Ernest Chang and Chin‐Shien Lin
This paper aims to examine the influence of organization culture on the effectiveness of implementing information security management (ISM).
Abstract
Purpose
This paper aims to examine the influence of organization culture on the effectiveness of implementing information security management (ISM).
Design/methodology/approach
Based on a literature review, a model of the relationship between organizational culture and ISM was formulated, and both organizational culture characteristics and ISM effectiveness were measured empirically to investigate how various organizational culture traits influenced ISM principles, by administrating questionnaires to respondents in organizations with significant use of information systems.
Findings
Four regression models were derived to quantify the impacts of organizational culture traits on the effectiveness of implementing ISM. Whilst the control‐oriented organizational culture traits, effectiveness and consistency, have strong effect on the ISM principles of confidentiality, integrity, availability and accountability, the flexibility‐oriented organizational culture traits, cooperativeness and innovativeness, are not significantly associated with the ISM principles with one exception that cooperativeness is negatively related to confidentiality.
Research limitations/implications
The sample is limited to the organizational factors in Taiwan. It is suggested to replicate this study in other countries to reconfirm the result before adopting its general implications. Owing to the highly intrusive nature of ISM surveys, a cautious approach with rapport and trust is a key success factor in conducting empirical studies on ISM.
Practical implications
A culture conducive to information security practice is extremely important for organizations since the human dimension of information security cannot totally be solved by technical and management measures. For understanding and improving the organization behavior with regard to information security, enterprises may look into organizational culture and examine how it affects the effectiveness of implementing ISM.
Originality/value
A research model was proposed to study the impacts of organizational factors on ISM, after a broad survey on related researches. The validated model and its corresponding study results can be referenced by enterprise managers and decision makers to make favorable tactics for achieving their goals of ISM – mitigating information security risks.
Details
Keywords
Arthur Jung‐Ting Chang and Quey‐Jen Yeh
Modernized information systems (IS) have brought enterprises not only enormous benefits, but also linked information threats. Most enterprises solve their IS security‐related…
Abstract
Purpose
Modernized information systems (IS) have brought enterprises not only enormous benefits, but also linked information threats. Most enterprises solve their IS security‐related problems using technical means alone, and focus on technical rather than managerial controls, which may imply potential crises. This study examines whether the security preparation of firms matches the severity of IS threats they perceive in developing countries, especially in issues concerning “people” and “administration”. Additionally, this study discusses appropriate threat mitigation strategies for the four sectors as well.
Design/methodology/approach
Using an empirical study, this study explores the past and current concerns of IS threats of firms in different industries, and the countermeasures prepared by them to protect themselves from such threats. The empirical data was provided by 109 Taiwanese enterprises from four sectors.
Findings
The analytical results revealed the differences in both the IS threats concerned and the security scopes prepared among the four sectors. Moreover, the preparation scopes were not commensurate with the perceived severity of threats. All four industries rated the network as posing the strongest threat, following regulation and personnel issues, while among the countermeasures in use, these three issues have larger application deficiencies.
Originality/value
This study concludes that the firms do not well prepare themselves against IS threats entailed to non‐technical administration issues and discusses appropriate threat mitigation strategies for the four sectors. Specifically, firms should be aware of IS threats to their business and prepare suitable security protections.
Details
Keywords
H. van de Haar and R. von Solms
Top management is responsible for the wellbeing of theorganization. Most organizations nowadays are dependent totally on theavailability and effectiveness of their information…
Abstract
Top management is responsible for the wellbeing of the organization. Most organizations nowadays are dependent totally on the availability and effectiveness of their information service resources. For this reason it is imperative that top management gets involved and stays involved in the protection of the information service assets of the organization. This can only be accomplished through a process of continuous information security evaluation and reporting. An information security evaluation and reporting tool, representing the information security status in a concise, clear manner, will help a great deal in ensuring top management involvement. Suggests implementation of an information security management model by means of an evaluation tool. This tool will provide top management with information security status reporting in a clear, non‐technical format.
Details
Keywords
The purpose of this study is to develop theoretically grounded and empirically derived organizational security governance (OSG) objectives. Developing organizational security…
Abstract
Purpose
The purpose of this study is to develop theoretically grounded and empirically derived organizational security governance (OSG) objectives. Developing organizational security governance (OSG) objectives pose significant challenges for organizations considering the ever-increasing vulnerability from lack of or misuse of appropriate controls. In recent years, there have been several cases of colossal losses to businesses due to inadequate security governance measure. In many cases, organizations do not even know as to what their ISG objectives might be. Following an extensive empirical study, this paper proposes 6 fundamental and 17 means objectives for designing security governance. The objectives were developed from individual values of information technology and security executives across a wide range of firms. The study comprised 52 interview respondents across 9 firms, which resulted in 23 OSG objectives. Theoretically, the study was grounded in Catton’s (1959) value theory and Keeney’s (1992) value-focused thinking. The objectives provide a useful basis for strategic planning for information security governance.
Design/methodology/approach
This research is grounded in value-focused thinking methodology. Step 1: develop a comprehensive list of personal values underlying the problem being explored. The researcher undertakes extensive interviews, using relevant probes, to elicit underlying values of respondents. Step 2: change the values enlisted to a common form and convert them into objectives. The data collected in Step 1 is collated and presented in a common form, which enables cross-comparison and easy interpretation. Step 3: classify the objectives as means and fundamental for the decision context. Objectives are clustered into groups and then classified into fundamental and means.
Findings
This study uses a value-focused approach to develop OSG objectives. Incorporating individual values in developing governance objectives would facilitate alignment of individual and organizational values about OSG. This study proposes 6 fundamental and 17 means objectives for OSG. The study provides a comprehensive list of OSG that is rooted in values of stakeholders in an organization.
Originality/value
The main contributions study can be classified in two categories. First, it represents a collective set of OSG objectives which touch upon technical, formal, informal, moral and ethical dimensions of governance. This is a unique, synthesized and cohesive framework for OSG, which incorporates several aspects of OSG into one platform, thus allowing the development of a comprehensive security management program. Second, some of the objectives developed in this research (“establish corporate control strategy”, “establish punitive structure”, “establish clear control development process”, “ensure formal control assessment functionality” and “maximize group cohesiveness”) have not been emphasized enough in security governance literature.
Details
Keywords
The frequent and increasingly potent cyber-attacks because of lack of an optimal mix of technical as well as non-technical IT controls has led to increased adoption of security…
Abstract
Purpose
The frequent and increasingly potent cyber-attacks because of lack of an optimal mix of technical as well as non-technical IT controls has led to increased adoption of security governance controls by organizations. The purpose of this paper, thus, is to construct and empirically validate an information security governance (ISG) process model through the plan–do–check–act (PDCA) cycle model of Deming.
Design/methodology/approach
This descriptive research using an interpretive paradigm follows a qualitative methodology using expert interviews of five respondents working in the ISG domain in United Arab Emirates (UAE) to validate the theoretical model.
Findings
The findings of this paper suggest the primacy of the PDCA Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27K/NIST IT controls relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents asserted the automation of measurement and control mechanism through automation to assist in the feedback loop of the PDCA cycle.
Originality/value
The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research where experts detail the success factors, the sequential steps and justification of these factors in the ISG implementation process.