On Exploring Research Methods for Business Information Security Alignment and Artefact Engineering

Yuri Bobbert
Copyright: © 2017 | Pages: 14
DOI: 10.4018/IJITBAG.2017070102


This paper examines research methods for designing and engineering a Business Information Security (BIS) artefact. Preventing and responding to cybercrime is becoming an integral part of management practices which are supervised by the Board of Directors (BoD), and it can no longer be perceived as just traditional IT. In order to improve the maturity of business information security, a transformation is needed, and this requires adequate reporting and dashboarding. Dashboard functions such as the current versus the desired state of the Maturity of Business Information Security (MBIS) reflect certain parameters that boards can influence. Determining the key dashboard functions that reflect these parameters of control was the main motivation for this research paper and the ultimate goal was to engineer a BIS artefact. We propose a research and design method that could be used to establish an experimental dashboard with initial parameters of control based on a Group Support System (GSS) approach. Finally, GSS is evaluated as a method for a) examining which parameters are effective for BIS, from multiple perspectives and b) helping to implement the artefact (make it fit the purpose) as well as the associated business alignment and decision-making.
Article Preview


Information Security is now a strategic issue for business leaders, and several institutions and communities have launched numerous initiatives to encourage business leaders to ensure good stewardship in this area (WEF, 2015). The associated compliance obligations and the increase in security breaches have made many business leaders aware of its impact on business continuity (Cashwell, Jackson, Jickling, & Webel, 2004), civil and legal liabilities (Fox-IT, 2011), reputation (Walsh et al., 2009; Peters, 2012), employability and financial position (Ishiguro et al., 2011; Cavusoglu et al., 2002). This is why Von Solms (2009) has argued that Information Security Management (ISM) is part of Information Security Governance (ISG). The IT Governance Institute (ITGI) states that ownership of data and its information risks are the responsibility of businesses and their owners (ITGI, 2005) as well as the IT department (Solms, 2005). The IT department might own the physical hardware and software assets, but not the data. To define security requirements in critical value chains and business processes, such as segregation of duties or use cases for logging, business involvement is required (S. Von Solms & R. Von Solms, 2009). Within this multidisciplinary context of Information Security we therefore use the term “Business Information Security” (V. Solms, 2005). Managing Business Information is a prerequisite for improving Business Information Security maturity (Allen, 2007). The International Federation of Accountants (IFAC) (IFAC, 2004) and ISACA (ISACA, 2012) describe information security as an integrated enterprise activity requiring proper governance of the work done in this area by the board and executive management.

Basie and Rossouw von Solms differentiate three levels: the strategic level (Board of Directors and Executive Management), the tactical level (Senior and middle management) and the operational level (lower management and administration). All directive setting and controlling activities (including monitoring and evaluating) are seen as part of the strategic level of governance (R. Von Solms & B. Von Solms, 2006). An example is the adoption of Information Security Control Frameworks such as the Information Security Forum (ISF) Standard of Good Practice. All activities designed to put these directives into practice take place at the tactical management level. The tactical level involves formulating policies and guidelines, for example establishing minimum standards that the organisation needs to adhere to, such as incident management and supply chain management. The level below the tactical level is where these policies and guidelines are translated into procedures and working methods. For example, this is the level where monitoring software is configured which triggers incident response processes or imposes stricter guidelines for suppliers. This paper focuses on defining artefact requirements for the strategic level which are substantiated by tactical and operational data.
