5 research outputs found

    Exploring Organisational ISMS Alignment with Structuration Theory: A Case Study in a Norwegian Public Sector Agency

    Information Security Management Systems (ISMS) provide organisations with guidance and strategies on how to implement information security into their organisations and achieve resiliency. It is largely recognised that adequate information security resilience is achieved through people, processes, and technology. Despite this recognition, however, several organisations still struggle to achieve proper alignment of information security across the organisation. For many organisations, there is a misalignment between their information security and their overarching organisational objectives. This is often represented by perceptions that information security is a technical problem and is removed from the activities and processes which support the daily organisational objectives. This misalignment can create situations where the ISMS of an organisation is not enacted properly. This research set out with the purpose of elucidating how these misalignments occur and suggesting possible opportunities for alignment. This is achieved through the use of Anthony Giddens's structuration theory, which Wanda Orlikowski has put into a theoretical framework which can be applied to empirical conditions. This framework has allowed this thesis to approach ISMS alignment in a novel and theoretical way, by identifying recursive structures which inform organisational activities and processes. This has been done at a Norwegian public sector agency. This led the research to identify structures within the organisational setting which pose obstacles to the necessary ISMS alignment. Simultaneously, it identified structures which provide opportunities for the ISMS to align itself with existing activities and processes. This research thus provides one practical and one theoretical result. Firstly, it has diagnosed organisational reasons as to why the ISMS at the agency has not been integrated in a desired manner. Secondly, it has demonstrated the explanatory power of the theoretical framework, thus providing information security researchers a new tool to study and analyse ISMS alignment with. Keywords: ISMS, information security, information security culture, information security governance, strategic and organisational alignment, structuration theory, Action Design Researc

    The Chain-Link Fence Model: A Framework for Creating Security Procedures

    A long-standing problem in information technology security is how to help reduce the security footprint. Many specific proposals exist to address specific problems in information technology security. Most information technology solutions need to be repeatable throughout the course of an information system's lifecycle. The Chain-Link Fence Model is a new model for creating and implementing information technology procedures. This model was validated by two different methods: the first being interviews with experts in the field of information technology and the second being four distinct case studies demonstrating the creation and implementation of information technology procedures. (169 pages

    Exploring the relationships between IT capabilities and information security management

    This study surveyed 288 organisations to explore the relationship between information technology (IT) capabilities and information security management (ISM). A review of the literature helped to not only identify the important factors of IT capabilities and ISM implementation, but also formulate a research framework. Both IT capabilities and ISM implementation were subsequently empirically measured to study how IT practice influenced the organisational implementation of ISM principles. SPSS and LISREL were used to analyse the collected data and validate the proposed framework. Subsequently, the study's hypotheses were examined via path analyses and the analytical results revealed that IT capabilities were significantly associated with the effectiveness of ISM. The validated model and the corresponding study results can provide a reference for enterprise managers and decision makers to develop favourable tactics for achieving their goal of ISM - mitigating information security risks