Implementation and effectiveness of organizational information security measures

Purpose – The purpose of this paper is to study the implementation of organizational information security measures and to assess the effectiveness of such measures.

Design/methodology/approach – A survey was designed and data were collected from information security managers in a selection of Norwegian organizations.

Findings – Technical‐administrative security measures such as security policies, procedures and methods are the most commonly implemented organizational information security measures in a sample of Norwegian organizations. Awareness‐creating activities are applied by the organizations to a considerably lesser extent, but at the same time these are assessed as being more effective organizational measures than technical‐administrative ones. Consequently, the study shows an inverse relationship between the implementation of organizational information security measures and the assessed effectiveness of those measures.

Originality/value – Provides insight into the non‐t...
