Information Security Culture: Towards an Instrument for Assessing Security Management Practices

Information Security Culture: Towards an Instrument for Assessing Security Management Practices

Joo S. Lim (The University of Melbourne, Parkville, Australia), Sean B. Maynard (The University of Melbourne, Parkville, Australia), Atif Ahmad (The University of Melbourne, Parkville, Australia) and Shanton Chang (The University of Melbourne, Parkville, Australia)
Copyright: © 2015 |Pages: 22
DOI: 10.4018/IJCWT.2015040103
OnDemand PDF Download:
$30.00
List Price: $37.50

Abstract

There is considerable literature in the area of information security management (ISM). However, from an organizational viewpoint, the collective body of literature does not present a coherent, unified view of recommended security management practices. In particular, despite the existence of ‘best-practice' standards on information security management, organizations have no way of evaluating the reliability or objectivity of the recommended practices as they do not provide any underlying reasoning or justification. This paper is a first step towards the development of rigorous and formal instruments of measurement by which organizations can assess their security management practices. The paper identifies nine security practice constructs from the literature and develops measurement items for organizations to assess the adequacy of their security management practices. The study uses a multiple case study approach followed by interviews with a panel of four security experts to validate and refine these security practice constructs and their associated measures.
Article Preview

Introduction

The protection of information resources from a range of security threats is a key objective for Organizations. Organizations institute information security management (ISM) practices that apply a range of managerial and technical controls in pursuit of information security objectives. ISM practice areas include applying managerial controls such as risk management, policy, and education, training and awareness campaigns. Applications of technical controls include selection, configuration and monitoring of intrusion detection systems and firewalls. In this paper we define an ISM practice as any activity towards the application of both managerial and technical controls in pursuit of information security objectives.

Many publications present organizations with advice on ISM practices. Among these are best-practice industry standards (e.g. ISO/IEC 2013), professional literature (e.g. ITIL, COBIT) and academic research (e.g. Straub & Welke, 1998; von Solms, 2000; Baskerville & Siponen, 2002; Doherty & Fulford, 2006; D'Arcy & Greene, 2009; Ahmad, Maynard & Park, 2014). However, there has not been a comprehensive and rigorous synthesis of the literature undertaken and subsequently no coherent or unified view of recommended security management practices exists. ‘Best-practice’ standards do not provide the reasoning and justification used to arrive at the recommendations, and therefore “practitioners have no way of evaluating the reliability (or objectivity) of the claimed best practices” (Siponen and Willison 2009). This paper does not claim to compile an exhaustive list of security practices, but rather, its contribution is in the empirical validation of the most commonly identified security practices in literature. In particular, this paper presents a series of measurement items for the assessment of each security practice construct.

As a result, we ask two key questions:

  • 1.

    What information security management practices exist in organizations?

  • 2.

    What measurement items can be used to assess the utility of these management practices?

This study uses a multiple case study design, to investigate the practices of six Malaysian organizations. It then uses the case study results, in conjunction with the literature to develop the measurement items. To mitigate the risk of cultural bias in the study, the measurement instrument was validated by four Australian experts.

This paper is structured as follows: A literature synthesis of security practices is presented followed by the research approach used to develop and validate the security practice measurement items. We then present findings of the case studies for each of the security practices and then the discussion of the generation of the security practice measurement items.

Relevant Literature

We conducted a thorough search of information security literature using literature databases covering the major computer and information security journals and conferences including: Google Scholar, Springerlink, ACM Digital Library and Science Direct. Based on abstracts, keywords, and backward and forward chaining techniques, 79 key works dated between 1991 and 2015 from 45 different journals, conference proceedings and books were identified for the content analysis activity. Additionally, we added the ISO27000 series of security standards to the literature base for analysis (see Doherty and Fulford 2006). These 80 works were analyzed using content analysis techniques as described by Novak (2003). A concept mapping activity was undertaken by each of the researchers where key themes emerging from the literature are represented in a concept map. A concept map is a diagrammatic representation that organizes and represents key themes through a series of relationships between these themes. The researchers then met and discussed the concept maps and the themes, concentrating on the differences between each of the maps. After a consensus was reached between the researchers, 33 sub-themes (practices) were identified which were grouped into 9 themes (constructs). Table 1 shows definitions and supporting literature for each security practice construct.

Complete Article List

Search this Journal:
Reset
Open Access Articles: Forthcoming
Volume 7: 4 Issues (2017)
Volume 6: 4 Issues (2016)
Volume 5: 4 Issues (2015)
Volume 4: 4 Issues (2014)
Volume 3: 4 Issues (2013)
Volume 2: 4 Issues (2012)
Volume 1: 4 Issues (2011)
View Complete Journal Contents Listing