Towards a Taxonomy of Information Security Management Practices in Organisations

There is growing recognition of the role that management performs in protecting organisational information. However, our review of the academic and professional literatures did not find an empirically sound and coherent view of the range of management activities that can be applied as part of an information security program. As a result, organisations have insufficient guidance on what methods can be implemented to meet security objectives. Further, organisations have no empirically evidenced benchmark against which management practices can be assessed. This research project aims to develop a rigorous, comprehensive and empirically evidenced taxonomy of information security management practices (ISMPs) to provide organisations with comprehensive guidance. In this paper we report on the first phase of the development of the taxonomy. In this phase we conduct a comprehensive literature review to identify the range of ISMPs in the literature and suggest possible ways of classifying management level activity.
