Organisational Information Security Strategy: Review, Discussion and Future Research

Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences indicate that attacks on organisations conducting these information-based activities are escalating. Organisations need to formulate a strategy to secure their information; however, gaps exist in knowledge. Through a thematic review of the academic security literature, we analyse (1) the antecedent conditions that motivate the adoption of a comprehensive information security strategy, (2) the conceptual elements of strategy and (3) the benefits that are enjoyed post-adoption. Our contributions include a definition of information security strategy that moves from an internally-focussed protection of information towards a strategic view that considers the organisation, its resources and capabilities, and its external environment. Our findings are then used to suggest future research directions.
