Information Security Governance Practices and Commitments in Organizations

DOI: 10.4018/978-1-5225-7826-0.ch007

Abstract

Despite the existence of reference models and standards for security governance, the research literature remains limited regarding the actual practices of organizations, and there is still no strategy or practical model to follow when adopting effective information security governance. This chapter aims to explore the engagement processes and practices of organizations involved in an information security governance strategy. A statistical and econometric analysis of data from a survey of 1000 participants (with a participation rate of 83.67%) from large and medium-sized companies in various industries, including retail/wholesale, banking, services, telecom, and private and governmental organizations, provides a record of current practices in information security governance. The findings allowed the authors to propose a practical framework for evaluating information security governance in organizations.

Introduction

The threat to technology-based information assets is greater today than in the past (Maleh, Sahid, Ezzati, & Belaissaoui, 2018). The evolution of technology is also reflected in the tools and methods used by those attempting to gain unauthorized access to data or to disrupt business processes (Goodhue & Straub, 1991). Attacks are inevitable, whatever the organization (“Information Security Governance,” 2006). However, the degree of sophistication and persistence of these attacks depends on the attractiveness of the organization as a target (Rockart & Crescenzi, 1984), mainly with regard to its role and assets. Today, the threats once posed by a few misguided individuals have been replaced by highly specialized international organized criminal groups, or by foreign states that have the skills, personnel, and tools necessary to conduct covert and sophisticated cyber espionage attacks. These attacks are not only targeted at government entities. In recent years, several large companies have been infiltrated, and their data has been “consulted” for several years without their knowledge. As a result, improving cybersecurity has emerged as one of the top IT priorities across all business lines. So, while companies (von Solms & van Niekerk, 2013; Bowen, Chew, & Hash, 2007) in areas such as the aerospace industry and strategic resources can be ideal targets for cyber espionage by nation-states, others managing financial assets or large volumes of credit card information are equally attractive to international criminal groups (Posthumus & von Solms, 2004; Humphreys, 2008).

These malicious actors are no longer content with defeating technical protection measures. Instead, they survey and exploit a variety of weaknesses detected in the targeted environment (Galliers & Leidner, 2014). These shortcomings are not only technological; they also result from failures in protection procedures or gaps in vulnerability management practices. The best technology in the world, if misused, will not provide an adequate defense against such threats (von Solms & van Niekerk, 2013).

Ensuring information system (IS) security in a large organization is a real challenge (Sohrabi Safa, Von Solms, & Furnell, 2016). Only good governance can reassure general management, customers and partners, shareholders, and ultimately the public at large (Duffield, 2014).

The problem is that existing security governance frameworks are designed to guide organizations in their IS security governance strategy but do not define a practical framework for engaging in that strategy.

To address these concerns, several best-practice references and international standards (NIST, ISACA, the ISO 27000 suite, etc.) now include chapters on security governance. The first reports and academic journal articles that mention information security governance date back to the early 2000s.

These reference models and best practices are designed to guide organizations in their IT security governance strategy. However, they do not define a practical framework for implementing, or for measuring, an organization's engagement in IT security governance.

In this chapter, we study the practices and commitments of organizations in IS security governance. A survey of 836 medium and large companies at the international level (USA, UK, France, Morocco, China, Russia, etc.) was set up to identify the best practices of these organizations regarding information security governance (ISG). This study allowed us to propose a practical framework for evaluating organizations' maturity and for improving their level of information security governance according to their needs and resources.

The chapter is structured as follows. Section 2 presents previous work on information security governance proposed in the literature. Section 3 describes the research methodology. Section 4 presents the survey carried out among 836 medium and large international companies, which gives a faithful picture of their practices in information security governance through statistical analysis; we then analyze and discuss the results. Section 5 describes the proposed capability maturity framework for information security governance. Finally, Section 6 presents the conclusion of this work.
