Search results

1 – 10 of 369

Article
Publication date: 12 October 2010

Ahmad Abu‐Musa

Abstract

Purpose

This paper seeks to empirically examine the existence and implementation of information security governance (ISG) in Saudi organizations.

Design/methodology/approach

An empirical survey, using a self‐administered questionnaire, is conducted to explore and evaluate the current status and the main features of ISG in the Saudi environment. The questionnaire is developed based on ISG guidelines for boards of directors and executive management issued by the Information Technology (IT) Governance Institute and other related materials available in the literature. A total of 167 valid questionnaires are collected and processed using the Statistical Package for Social Sciences, version 16.

Findings

The results of the study reveal that although the majority of Saudi organizations recognize the importance of ISG as an integrant factor for the success of IT and corporate governance, most of them have no clear information security strategies or written information security policy statements. The majority of Saudi organizations have no disaster recovery plans to deal with information security incidents and emergencies; information security roles and responsibilities are not clearly defined and communicated. The results also show that alignment between ISG and the organization's overall business strategy is relatively poor and not adequately implemented. The results also show that risk assessment procedures are not adequately and effectively implemented, ISG is not a regular item in the board's agenda, and there are no properly functioning ISG processes or performance‐measuring systems in the majority of Saudi organizations. Accordingly, appropriate actions should be taken to improve implementing and measuring the ISG performance in Saudi organizations.

Originality/value

From a practical standpoint, managers and practitioners alike stand to gain from the findings of this study. The results of the paper enable them to better understand and evaluate ISG and to champion IT development for business success in Saudi organizations.

Details

Information Management & Computer Security, vol. 18 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 14 October 2020

Saurabh Kumar, Baidyanath Biswas, Manjot Singh Bhatia and Manoj Dora

Abstract

Purpose

The present study aims to identify and investigate the antecedents of enhanced level of cyber-security at the organisational level from both the technical and the human resource perspective using human–organisation–technology (HOT) theory.

Design/methodology/approach

The study has been conducted on 151 professionals who have expertise in dealing with cyber-security in organisations in sectors such as retail, education, healthcare, etc. in India. The analysis of the data is carried out using partial least squares based structural equation modelling technique (PLS-SEM).

Findings

The results from the study suggest that “legal consequences” and “technical measures” adopted for securing cyber-security in organisations are the most important antecedents for enhanced cyber-security levels in the organisations. The other significant antecedents for enhanced cyber-security in organisations include “role of senior management” and “proactive information security”.

Research limitations/implications

This empirical study has significant implications for organisations as they can take pre-emptive measures by focussing on important antecedents and work towards enhancing the level of cyber-security.

Originality/value

The originality of this research is combining both technical and human resource perspective in identifying the determinants of enhanced level of cyber-security in the organisations.

Details

Journal of Enterprise Information Management, vol. 34 no. 6
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 1 March 1993

R. von Solms, S.H. von Solms and W.J. Caelli

Abstract

Information Security Management consists of various facets, for example Information Security Policy, Risk Analysis, Risk Management, Contingency Planning and Disaster Recovery, which are all interrelated in some way. These interrelationships often cause uncertainty and confusion among top management. Proposes a model for Information Security Management, called an Information Security Management Model (ISM²), and puts all the various facets in context. The model consists of five different levels defined on a security axis. ISM² introduces the idea of international security criteria or international security standards (baselines). The rationale behind these baselines is to enable information security evaluation according to internationally‐accepted criteria.

Details

Information Management & Computer Security, vol. 1 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 11 June 2018

Cindy Zhiling Tu, Yufei Yuan, Norm Archer and Catherine E. Connelly

Abstract

Purpose

Effective information security management is a strategic issue for organizations to safeguard their information resources. Strategic value alignment is a proactive approach to managing value conflict in information security management. Applying a critical success factor (CSF) analysis approach, this paper aims to propose a CSF model based on a strategic alignment approach and to test a model of the main factors that contribute to the success of information security management.

Design/methodology/approach

A theoretical model was proposed and empirically tested with data collected from a survey of managers who were involved in decision-making regarding their companies’ information security (N = 219). The research model was validated using partial least squares structural equation modeling approach.

Findings

Overall, the model was successful in capturing the main antecedents of information security management performance. The results suggest that with business alignment, top management support and organizational awareness of security risks and controls, effective information security controls can be developed, resulting in successful information security management.

Originality/value

Findings from this study provide several important contributions to both theory and practice. The theoretical model identifies and verifies key factors that impact the success of information security management at the organizational level from a strategic management perspective. It provides practical guidelines for organizations to make more effective information security management.

Article
Publication date: 13 July 2012

Cornelius Johannes Kruger and Mavis Noxolo Mama

Abstract

Purpose

Identity management (IdM) not only improves the process of creating and maintaining digital identities across business systems; it can, if implemented successfully, contribute to the strengthening and positioning of the business for success. In order to have a successful IdM implementation, an organisation must step back to determine a course of action that solves enterprise‐wide issues. Short‐sighted actions can lead to confusion, unnecessary expenses and the delay of beneficial results. The purpose of this paper is to deliver guidelines for the application of strategic management principles regarding IdM implementation, and propose a holistic model incorporating business strategy formulation with IdM strategy formulation.

Design/methodology/approach

A total of ten senior managers involved in IdM implementation projects were interviewed. Face‐to‐face interviews were conducted, with 30 minutes allocated per participant, and an assistant present to administer the proceedings. Primary data was collected using a semi‐structured questionnaire. Part A of the questionnaire collected the respondent's details and provided definitions of IdM to clarify the concept. Part B consisted of descriptive questions which dealt with the following three categories: IdM as part of the business strategy, IdM challenges in the company, and the IdM implementation approach and strategic framework used by the company.

Findings

Findings indicate that IdM is seen as part of strategy, and as such IdM implementations consist of a strategic thinking process accompanied by an incremental tactical implementation. Challenges facing IdM centred not on technological issues, but on implementing IdM as a competitive tool. Unfortunately, a lack of commitment and of external environment analysis relegates IdM planning to a tactical, rather than a strategic, level.

Originality/value

A strategic planning process is presented in this article to model the interdependence between IdM implementation planning and strategic management (business strategy formulation). This model enables the organisation to develop and communicate its vision for IdM, to link IdM and business plans, and to gain the support of the whole enterprise in this endeavour. By leveraging the proposed model, organisations can gain a bird's eye view of IdM as an integral part of the business strategy, and ensure an IdM implementation that has enterprise‐wide support and benefits.

Article
Publication date: 3 April 2007

Shuchih Ernest Chang and Chin‐Shien Lin

Abstract

Purpose

This paper aims to examine the influence of organization culture on the effectiveness of implementing information security management (ISM).

Design/methodology/approach

Based on a literature review, a model of the relationship between organizational culture and ISM was formulated, and both organizational culture characteristics and ISM effectiveness were measured empirically to investigate how various organizational culture traits influenced ISM principles, by administrating questionnaires to respondents in organizations with significant use of information systems.

Findings

Four regression models were derived to quantify the impacts of organizational culture traits on the effectiveness of implementing ISM. Whilst the control‐oriented organizational culture traits, effectiveness and consistency, have a strong effect on the ISM principles of confidentiality, integrity, availability and accountability, the flexibility‐oriented organizational culture traits, cooperativeness and innovativeness, are not significantly associated with the ISM principles, with one exception: cooperativeness is negatively related to confidentiality.

Research limitations/implications

The sample is limited to the organizational factors in Taiwan. It is suggested to replicate this study in other countries to reconfirm the result before adopting its general implications. Owing to the highly intrusive nature of ISM surveys, a cautious approach with rapport and trust is a key success factor in conducting empirical studies on ISM.

Practical implications

A culture conducive to information security practice is extremely important for organizations since the human dimension of information security cannot totally be solved by technical and management measures. For understanding and improving the organization behavior with regard to information security, enterprises may look into organizational culture and examine how it affects the effectiveness of implementing ISM.

Originality/value

A research model was proposed to study the impacts of organizational factors on ISM, after a broad survey of related research. The validated model and its corresponding study results can be referenced by enterprise managers and decision makers to devise favorable tactics for achieving their goals of ISM – mitigating information security risks.

Details

Industrial Management & Data Systems, vol. 107 no. 3
Type: Research Article
ISSN: 0263-5577

Article
Publication date: 1 August 2006

Arthur Jung‐Ting Chang and Quey‐Jen Yeh

Abstract

Purpose

Modernized information systems (IS) have brought enterprises not only enormous benefits, but also linked information threats. Most enterprises solve their IS security‐related problems using technical means alone, and focus on technical rather than managerial controls, which may imply potential crises. This study examines whether the security preparation of firms matches the severity of IS threats they perceive in developing countries, especially in issues concerning “people” and “administration”. Additionally, this study discusses appropriate threat mitigation strategies for the four sectors as well.

Design/methodology/approach

Using an empirical study, this study explores the past and current concerns of IS threats of firms in different industries, and the countermeasures prepared by them to protect themselves from such threats. The empirical data was provided by 109 Taiwanese enterprises from four sectors.

Findings

The analytical results revealed differences in both the IS threats of concern and the scope of security preparations among the four sectors. Moreover, the preparation scopes were not commensurate with the perceived severity of threats. All four industries rated the network as posing the strongest threat, followed by regulation and personnel issues, while among the countermeasures in use, these three issues show the largest application deficiencies.

Originality/value

This study concludes that firms do not adequately prepare themselves against IS threats arising from non‐technical administration issues, and discusses appropriate threat mitigation strategies for the four sectors. Specifically, firms should be aware of IS threats to their business and prepare suitable security protections.

Details

Information Management & Computer Security, vol. 14 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 January 1993

H. van de Haar and R. von Solms

Abstract

Top management is responsible for the wellbeing of the organization. Most organizations nowadays are dependent totally on the availability and effectiveness of their information service resources. For this reason it is imperative that top management gets involved and stays involved in the protection of the information service assets of the organization. This can only be accomplished through a process of continuous information security evaluation and reporting. An information security evaluation and reporting tool, representing the information security status in a concise, clear manner, will help a great deal in ensuring top management involvement. Suggests implementation of an information security management model by means of an evaluation tool. This tool will provide top management with information security status reporting in a clear, non‐technical format.

Details

Information Management & Computer Security, vol. 1 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 8 June 2015

Sushma Mishra

Abstract

Purpose

The purpose of this study is to develop theoretically grounded and empirically derived organizational security governance (OSG) objectives. Developing OSG objectives poses significant challenges for organizations, considering the ever-increasing vulnerability arising from the lack or misuse of appropriate controls. In recent years, there have been several cases of colossal losses to businesses due to inadequate security governance measures. In many cases, organizations do not even know what their ISG objectives might be. Following an extensive empirical study, this paper proposes 6 fundamental and 17 means objectives for designing security governance. The objectives were developed from the individual values of information technology and security executives across a wide range of firms. The study comprised 52 interview respondents across 9 firms, which resulted in 23 OSG objectives. Theoretically, the study was grounded in Catton’s (1959) value theory and Keeney’s (1992) value-focused thinking. The objectives provide a useful basis for strategic planning for information security governance.

Design/methodology/approach

This research is grounded in value-focused thinking methodology. Step 1: develop a comprehensive list of personal values underlying the problem being explored. The researcher undertakes extensive interviews, using relevant probes, to elicit underlying values of respondents. Step 2: change the values enlisted to a common form and convert them into objectives. The data collected in Step 1 is collated and presented in a common form, which enables cross-comparison and easy interpretation. Step 3: classify the objectives as means and fundamental for the decision context. Objectives are clustered into groups and then classified into fundamental and means.

Findings

This study uses a value-focused approach to develop OSG objectives. Incorporating individual values in developing governance objectives would facilitate alignment of individual and organizational values about OSG. This study proposes 6 fundamental and 17 means objectives for OSG. The study provides a comprehensive list of OSG that is rooted in values of stakeholders in an organization.

Originality/value

The main contributions of the study can be classified in two categories. First, it represents a collective set of OSG objectives which touch upon the technical, formal, informal, moral and ethical dimensions of governance. This is a unique, synthesized and cohesive framework for OSG, which incorporates several aspects of OSG into one platform, thus allowing the development of a comprehensive security management program. Second, some of the objectives developed in this research (“establish corporate control strategy”, “establish punitive structure”, “establish clear control development process”, “ensure formal control assessment functionality” and “maximize group cohesiveness”) have not been emphasized enough in the security governance literature.

Details

Information & Computer Security, vol. 23 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 12 March 2018

Mathew Nicho

Abstract

Purpose

Frequent and increasingly potent cyber-attacks, resulting from the lack of an optimal mix of technical and non-technical IT controls, have led to increased adoption of security governance controls by organizations. The purpose of this paper, thus, is to construct and empirically validate an information security governance (ISG) process model through Deming's plan–do–check–act (PDCA) cycle model.

Design/methodology/approach

This descriptive research using an interpretive paradigm follows a qualitative methodology using expert interviews of five respondents working in the ISG domain in United Arab Emirates (UAE) to validate the theoretical model.

Findings

The findings of this paper suggest the primacy of the PDCA Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding the selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework, with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27K/NIST IT controls to relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents advocated automating the measurement and control mechanism to assist in the feedback loop of the PDCA cycle.

Originality/value

The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research where experts detail the success factors, the sequential steps and justification of these factors in the ISG implementation process.

Details

Information & Computer Security, vol. 26 no. 1
Type: Research Article
ISSN: 2056-4961
