Evaluating the Perceived Impact of Collaborative Exchange and Formalization on Information Security

INTRODUCTION

Today, in large part, information security is the implementation of controls and best practices suggested by consultants, standards governing bodies (e.g. the National Institute of Standards & Technology (NIST), the International Organization for Standardization / International Electrotechnical Commission (ISO/IEC), etc.), the organization's information security department and, sometimes, the organization's employees. While the use of global standards of practice, top management and the information security department within the organization to guide information security planning and implementations may be useful, existing research consistently shows that a positive relationship exists between user involvement in planning and the effectiveness of the information systems function within organizations (Gottschalk, 1999; Sambamurthy et al., 1994; Segars & Grover, 1998). A deliverable of the information security planning process is the organization's information security policies and procedures. Standards governing bodies (NIST, ISO/IEC) and researchers (Bidgoli, 2003; Garrison & Posey, 2006) stress the importance of creating information security policies and provide guidance on the different types of information security policies that an organization may need. This research examines the impact of end-user involvement and formalized information security policies on the effectiveness of the information security function within organizations. Specifically, this study focuses on two antecedent variables, collaborative exchange and formalization, and how they impact the effective utilization of the information security strategies of deterrence, detection and recovery. Collaborative exchange is an assessment of the extent of collaboration between upper-level management, end users and the information security function. Formalization is an assessment of the extent of established formal information security policies within an organization.
The purpose of this research is twofold. First, this research aims to examine the individual effects of formalization and collaborative exchange on the effectiveness of information security detection, deterrence, and recovery activities. Much of the effort expended in the management of information security is in developing and enforcing information security policies. By examining formalization separately, the impact of information security policy development on the effective utilization of information security strategies can be assessed. The second aim of this research is to examine the impact of collaborative exchange and formalization in concert on the effectiveness of information security detection, deterrence, and recovery activities. Evaluating the complementary effect of collaborative exchange and formalization on the effective utilization of information security strategies provides evidence supporting the importance of establishing information security policies with input and effort from all major constituencies within the organization.

This study makes several contributions to the literature and practice. First, this research provides insight into how management choices with regard to establishing formal communication channels and developing information security policies may impact the effectiveness of the information security function. Second, the presence of the dependent variable, effectiveness of detection, deterrence and recovery activities, gives academics and practitioners a success measure that can guide more effective decision making in the information security domain.

The remainder of this manuscript is organized as follows. The next section discusses the literature supporting the constructs of interest in this study. The following two sections present the methodological approach taken in this study and the results of data collection. The next section presents the data analysis.
The last section will present a discussion of the important findings and limitations of this research. …

[1] Lawrence Bodin, et al. Evaluating information security investments using the analytic hierarchy process, 2005, CACM.

[2] Petter Gottschalk, et al. Implementation predictors of strategic information systems plans, 1999, Inf. Manag.

[3] Albert L. Lederer, et al. Information Resource Planning: Overcoming Difficulties in Identifying Top Management's Objectives, 1987, MIS Q.

[4] Amitava Dutta, et al. Management's Role in Information Security in a Cyber Economy, 2002.

[5] T. Byrd, et al. An Examination of IT Planning in a Large, Diversified Public Organization, 1995.

[6] R. Zmud. Diffusion of Modern Software Practices: Influence of Centralization and Formalization, 1982.

[7] Erik Brynjolfsson, et al. The productivity paradox of information technology, 1993, CACM.

[8] D. Sandy Staples, et al. Dimensions of Information Systems Success, 1999, Commun. Assoc. Inf. Syst.

[9] Helen L. James, et al. Managing information systems security: a soft approach, 1996, Proceedings of 1996 Information Systems Conference of New Zealand.

[10] Gavriel Salvendy, et al. Usability and Security: An Appraisal of Usability Issues in Information Security Methods, 2001, Comput. Secur.

[11] Kenneth L. Kraemer, et al. Evolution and organizational information systems: an assessment of Nolan's stage model, 1984, CACM.

[12] Wynne W. Chin. Issues and Opinion on Structural Equation Modeling, 2009.

[13] Grover S. Kearns, et al. The Role of Convergence in Information Systems and Business Planning, 2006, Journal of International Technology and Information Management.

[14] Rajiv Sabherwal, et al. The Relationship Between Information System Planning Sophistication and Information System Success: An Empirical Assessment, 1999.

[15] Thompson S. H. Teo, et al. An examination of major IS planning problems, 2001.

[16] Sema A. Kalaian, et al. Analyzing The Effect Of Top Management Support On Information System (IS) Performance Across Organizations And Industries Using Hierarchical, 2005, Journal of International Technology and Information Management.

[17] Hock-Hai Teo, et al. An integrative study of information systems security effectiveness, 2003, Int. J. Inf. Manag.

[18] Thompson S. H. Teo, et al. An examination of major IS planning problems, 2001, Int. J. Inf. Manag.

[19] Rolph E. Anderson, et al. Multivariate data analysis with readings (2nd ed.), 1986.

[20] Dennis F. Galletta, et al. Some Cautions on the Measurement of User Information Satisfaction, 1989.

[21] Jan Guynes Clark, et al. Why there aren't more information security research studies, 2004, Inf. Manag.

[22] Vijay Sethi, et al. Environmental assessment in strategic information systems planning, 2005, Int. J. Inf. Manag.

[23] Henk W. Volberda, et al. Exploratory Innovation, Exploitative Innovation and Performance: Effects of Organizational Antecedents and Environmental Moderators, 2006, Manag. Sci.

[24] Maurizio Zollo, et al. Deliberate Learning and the Evolution of Dynamic Capabilities, 2002.

[25] Detmar W. Straub, et al. Coping With Systems Risk: Security Planning Models for Management Decision Making, 1998, MIS Q.

[26] Computer Security Checklist for Non-Security Technology Professionals, 2006.

[27] William R. King, et al. Organizational Characteristics and Information Systems Planning: An Empirical Study, 1994, Inf. Syst. Res.

[28] Albert L. Lederer, et al. Key predictors of the implementation of strategic information systems plans, 2003, DATB.

[29] Shuchih Ernest Chang, et al. Organizational factors to the effectiveness of implementing information security management, 2006, Ind. Manag. Data Syst.

[30] Shamsud D. Chowdhury, et al. Centralization as a design consideration for the management of call centers, 2004, Inf. Manag.

[31] Albert L. Lederer, et al. Root Causes of Strategic Information Systems Planning Implementation Problems, 1992, J. Manag. Inf. Syst.

[32] Indira R. Guzman, et al. Examining the linkage between organizational commitment and information security, 2003, SMC'03 Conference Proceedings. 2003 IEEE International Conference on Systems, Man and Cybernetics. Conference Theme - System Security and Assurance (Cat. No.03CH37483).

[33] Sebastiaan H. von Solms, et al. Information Security - The Third Wave?, 2000, Comput. Secur.

[34] Salvatore T. March, et al. Building and implementing an information architecture, 1989, DATB.

[35] Wynne W. Chin, et al. A Partial Least Squares Latent Variable Modeling Approach for Measuring Interaction Effects: Results from a Monte Carlo Simulation Study and an Electronic-Mail Emotion/Adoption Study, 2003, Inf. Syst. Res.

[36] Malcolm Robert Pattinson, et al. How well are information risks being communicated to your computer end-users?, 2007, Inf. Manag. Comput. Secur.

[37] Daniel E. Geer, et al. Information security is information risk management, 2001, NSPW '01.

[38] Albert H. Segars, et al. Strategic Information Systems Planning Success: An Investigation of the Construct and Its Measurement, 1998, MIS Q.

[39] Albert L. Lederer, et al. Toward a theory of strategic information systems planning, 1996, J. Strateg. Inf. Syst.

[40] Detmar W. Straub, et al. Gender Differences in the Perception and Use of E-Mail: An Extension to the Technology Acceptance Model, 1997, MIS Q.