Information Assurance and Corporate Strategy: A Delphi Study of Choices, Challenges, and Developments for the Future

In this article, we identify processes associated with strengthening the alignment between information assurance, information systems and corporate strategies, so that organizations can more effectively address legal and regulatory challenges. Our results are based on data gathered from 43 preliminary interviews and a subsequent Delphi exercise. The Delphi panel rated these processes in terms of desirability and feasibility, and after three rounds a consensus of opinion was reached. The results of the Delphi exercise are presented together with some practical implications.