Critical Success Factors Analysis on Effective Information Security Management: A Literature Review

Information security has been a crucial strategic issue in organizational management. Information security management is a systematic process of effectively coping with information security threats and risks in an organization. Under the pressure of high implementation and maintenance costs, organizations need to distinguish between the controls they need and those that are less critical. Applying the critical success factors approach, this study proposes a theoretical model to investigate the main factors that contribute to successful information security management. By reviewing the information security standards and the literature in the IS field, six critical success factors are identified and the relationships among these factors are proposed. The results reveal that with business alignment, organizational support, IT competences, and organizational awareness of security risks and controls, information security controls can be effectively developed, resulting in successful information security management.
