Introduction
The protection of information resources from a range of security threats is a key objective for organizations. Organizations institute information security management (ISM) practices that apply a range of managerial and technical controls in pursuit of information security objectives. ISM practice areas include applying managerial controls such as risk management, policy, and education, training and awareness campaigns. Applications of technical controls include the selection, configuration and monitoring of intrusion detection systems and firewalls. In this paper we define an ISM practice as any activity directed at the application of managerial or technical controls in pursuit of information security objectives.
Many publications present organizations with advice on ISM practices. Among these are best-practice industry standards (e.g. ISO/IEC, 2013), professional literature (e.g. ITIL, COBIT) and academic research (e.g. Straub & Welke, 1998; von Solms, 2000; Baskerville & Siponen, 2002; Doherty & Fulford, 2006; D'Arcy & Greene, 2009; Ahmad, Maynard & Park, 2014). However, no comprehensive and rigorous synthesis of this literature has been undertaken, and consequently no coherent or unified view of recommended security management practices exists. ‘Best-practice’ standards do not provide the reasoning and justification used to arrive at their recommendations, and therefore “practitioners have no way of evaluating the reliability (or objectivity) of the claimed best practices” (Siponen & Willison, 2009). This paper does not claim to compile an exhaustive list of security practices; rather, its contribution is the empirical validation of the security practices most commonly identified in the literature. In particular, this paper presents a series of measurement items for the assessment of each security practice construct.
As a result, we ask two key questions:
This study uses a multiple case study design to investigate the practices of six Malaysian organizations. It then uses the case study results, in conjunction with the literature, to develop the measurement items. To mitigate the risk of cultural bias in the study, the measurement instrument was validated by four Australian experts.
This paper is structured as follows. A literature synthesis of security practices is presented, followed by the research approach used to develop and validate the security practice measurement items. We then present the findings of the case studies for each of the security practices, and finally discuss how the security practice measurement items were generated.
Relevant Literature
We conducted a thorough search of the information security literature using databases covering the major computer and information security journals and conferences, including Google Scholar, SpringerLink, the ACM Digital Library and ScienceDirect. Based on abstracts, keywords, and backward and forward chaining techniques, 79 key works dated between 1991 and 2015, drawn from 45 different journals, conference proceedings and books, were identified for the content analysis activity. Additionally, we added the ISO27000 series of security standards to the literature base for analysis (see Doherty & Fulford, 2006). These 80 works were analyzed using the content analysis techniques described by Novak (2003). Each of the researchers undertook a concept mapping activity in which the key themes emerging from the literature were represented in a concept map. A concept map is a diagrammatic representation that organizes key themes through a series of relationships between those themes. The researchers then met and discussed the concept maps and the themes, concentrating on the differences between the maps. After the researchers reached consensus, 33 sub-themes (practices) were identified and grouped into 9 themes (constructs). Table 1 shows the definition and supporting literature for each security practice construct.