An Empirical Study of Information Security Management Success Factors

Information security management (ISM) is a continuous, structured and systematic approach to managing and protecting an organisation’s information from compromise by irresponsible parties. To keep information secure, many organisations have implemented ISM by establishing and reviewing information security (IS) policies, processes, procedures and organisational structures. Despite these efforts, security threats, incidents, vulnerabilities and risks continue to plague many organisations. A lack of awareness of ISM effectiveness, stemming from a poor understanding of its success factors, is one of the major causes of this phenomenon. This study addresses the subject by first identifying the key ISM factors from the existing literature, and then confirming those factors and discovering other related factors from practitioners’ perspective. The study used a qualitative method, adopting semi-structured interviews with nine practitioners. The data were analysed using the content analysis technique. Through the analysis, the study validated several ISM factors and their elements that contribute to the success of ISM. The findings give practitioners a high level of understanding of the key ISM factors and could guide them in implementing proper ISM.
