Organizational objectives for information security governance: a value focused assessment

2015 ◽  
Vol 23 (2) ◽  
pp. 122-144 ◽  
Author(s):  
Sushma Mishra

Purpose – The purpose of this study is to develop theoretically grounded and empirically derived organizational security governance (OSG) objectives. Developing OSG objectives poses significant challenges for organizations, considering the ever-increasing vulnerability that arises from the lack or misuse of appropriate controls. In recent years, there have been several cases of colossal losses to businesses due to inadequate security governance measures. In many cases, organizations do not even know what their OSG objectives might be. Following an extensive empirical study, this paper proposes 6 fundamental and 17 means objectives for designing security governance. The objectives were developed from the individual values of information technology and security executives across a wide range of firms. The study comprised 52 interview respondents across 9 firms, which resulted in 23 OSG objectives. Theoretically, the study was grounded in Catton’s (1959) value theory and Keeney’s (1992) value-focused thinking. The objectives provide a useful basis for strategic planning for information security governance.

Design/methodology/approach – This research is grounded in the value-focused thinking methodology. Step 1: develop a comprehensive list of the personal values underlying the problem being explored. The researcher undertakes extensive interviews, using relevant probes, to elicit the underlying values of respondents. Step 2: restate the listed values in a common form and convert them into objectives. The data collected in Step 1 are collated and presented in a common form, which enables cross-comparison and easy interpretation. Step 3: classify the objectives as means or fundamental for the decision context. Objectives are clustered into groups and then classified as fundamental or means.

Findings – This study uses a value-focused approach to develop OSG objectives. Incorporating individual values in developing governance objectives would facilitate alignment of individual and organizational values about OSG. This study proposes 6 fundamental and 17 means objectives for OSG. The study provides a comprehensive list of OSG objectives that is rooted in the values of stakeholders in an organization.

Originality/value – The main contributions of this study can be classified in two categories. First, it represents a collective set of OSG objectives which touch upon the technical, formal, informal, moral and ethical dimensions of governance. This is a unique, synthesized and cohesive framework for OSG, which incorporates several aspects of OSG into one platform, thus allowing the development of a comprehensive security management program. Second, some of the objectives developed in this research (“establish corporate control strategy”, “establish punitive structure”, “establish clear control development process”, “ensure formal control assessment functionality” and “maximize group cohesiveness”) have not been emphasized enough in the security governance literature.

2016 ◽  
Vol 7 (1) ◽  
pp. 26-42 ◽  
Author(s):  
Avinash Ramtohul ◽  
K.M.S. Soyjaudah

Purpose – Highly sensitive information pertaining to citizens and government transactions is processed in electronic format, making information security a critical part of e-Government applications and architectures. Information security measures should ideally span from authentication to authorisation and from logical/physical access control to auditing of electronic transactions and log books. The lack of such measures compromises the confidentiality, integrity and availability of information. Today, most e-Government projects in developing countries of the Southern African Development Community (SADC) face challenges in two main areas, namely, information security and application software integration. This paper aims to discuss and analyse the information security requirements for e-Government projects and proposes an information security governance model for service-based architectures (SBAs).

Design/methodology/approach – The current state of information security in emerging economies in SADC countries was researched. The main problems identified were the lack of software integration and of information security governance, policy and administration. The design consists of three basic layers: information security governance, defined at the strategic level of the government; information security policy/management, defined at the management/operational level; and information security measures, implemented at the technical level. The paper also proposes a policy for implementing public key infrastructures to protect information, transactions and e-services. A Token-Ring-based mechanism for implementing Single-Sign-On has also been developed as part of this study.

Findings – The main problems identified were the lack of software integration and of information security governance, policy and administration. These challenges are causing e-Government projects to stagnate.

Practical implications – The proposed approach for implementing information security in e-Government systems will ensure a holistic approach to confidentiality, integrity and non-repudiation, allowing e-Government maturity to progress from the “interaction” to the “online transaction” stage in emerging economies.

Originality/value – Research has not focused on developing a solution for emerging economies which are facing difficulties in integrating software applications to deploy end-to-end e-services, and in producing an underlying identity management architecture and information security governance to secure the e-services developed and deployed using an SBA. The work produced in this paper is specific to SBAs in e-Government environments where legacy systems already exist. The work includes: information security governance, defined at the strategic level of the government; information security policy/management, defined at the management/operational level; and information security measures, implemented at the technical level. It also includes a policy for implementing public key infrastructures to protect information, transactions and e-services, and the Token-Ring-based Single-Sign-On mechanism developed as part of this study.


2020 ◽  
Vol 28 (2) ◽  
pp. 261-292 ◽  
Author(s):  
Stef Schinagl ◽  
Abbas Shahim

Purpose – This paper aims to review the information security governance (ISG) literature and emphasises the tensions that exist at the intersection of the rapidly changing business climate and the current body of knowledge on ISG.

Design/methodology/approach – The intention of the authors was to conduct a systematic literature review. However, owing to the limited number of empirical papers in ISG research, this paper is more conceptually organised.

Findings – This paper shows that security has shifted from a narrowly focused, isolated issue towards a strategic business issue with “from the basement to the boardroom” implications. The key takeaway is that protecting the organisation is important, but organisations must also develop strategies to ensure resilient businesses that can take advantage of the opportunities digitalisation can bring.

Research limitations/implications – The concept of digital security governance (DSG) is a new research territory that addresses the limitations and gaps of traditional ISG approaches in a digital context. To this extent, organisational theories are suggested to help build knowledge that offers a deeper understanding than that provided by the too often used practical approaches in ISG research.

Practical implications – This paper supports practitioners and decision makers by providing a deeper understanding of how organisations and their security approaches are actually affected by digitalisation.

Social implications – This paper helps individuals to understand that they have increasing rights with regard to privacy and security, and a say in which parties they assign business to.

Originality/value – This paper makes a novel contribution to ISG research. To the authors’ knowledge, this is the first attempt to review and structure the ISG literature.


2014 ◽  
Vol 22 (1) ◽  
pp. 2-23 ◽  
Author(s):  
Sanjay Bahl ◽  
O.P. Wali

Purpose – Information security is a growing concern in society, across businesses and government. As the offshore IT services market continues to grow, providing numerous benefits, there are also perceived risks with respect to the quality of information security delivered in the supply chain. This paper aims to examine, as a case, the perceptions of employees of Indian software services providers (service providers) with respect to information security governance and its impact on the information security service quality delivered to customers.

Design/methodology/approach – The paper provides a framework built upon the existing dimensions and instruments for total quality management and service quality, suitably modified to reflect the context of information security. SmartPLS, a structural equation modelling tool, has been used to analyse field survey data collected from across various Indian cities and companies.

Findings – A significant finding is that information security governance in an IT outsourcing company providing software services has a highly significant impact on information security service quality, which can be predicted from it. The paper also establishes that there is a positive relationship collectively between the elements of information security governance and information security service quality.

Research limitations/implications – Since the data used in this study were taken solely from the responses of employees of outsourced service companies in India, the study does not show whether this translates into service improvements as perceived by the customer.

Practical implications – Information security governance should be made an integral part of corporate governance and is an effective strategic technique if software outsourcing enterprises want to achieve a competitive edge, provide client satisfaction and create trust.

Originality/value – The paper presents empirical validation of the connection between information security governance and quality of service.


2014 ◽  
Vol 22 (3) ◽  
pp. 235-250 ◽  
Author(s):  
Winfred Yaokumah

Purpose – The purpose of this study is to assess the levels of information security governance (ISG) implementation among major Ghanaian industry sectors. The intent is to benchmark inter-industry sector ISG implementation and to identify areas that may require improvement.

Design/methodology/approach – A random sampling strategy was used, and data were collected via a Web survey. The data analysis utilized a one-way analysis of variance to determine the differences in the mean levels of implementation of ISG focus areas among five main industry sectors.

Findings – The results showed that, as a whole, all the industry sectors have only partially implemented ISG. In particular, there were statistically significant differences in ISG implementation among the industry sectors. Ranking ISG implementation, financial institutions were close to completion; utility companies, others (information technology, oil and gas, manufacturing) and public services had partially implemented ISG; and health care and educational institutions were at the planning stage. The results also revealed that all the industry sectors made only marginal effort to align information security with business strategy, and performance measurement remained the least implemented focus area.

Originality/value – Organizational leaders could use these findings to benchmark industry sectors’ ISG implementation, which could lead to competitiveness. Again, international enterprises that do business with these industry sectors would better understand the level of involvement of top executives in governing information security toward the protection of valuable information assets.
