
    How CISOs Can Become Effective Leaders? A Path-Goal Approach

    Information security is a complex issue, and Chief Information Security Officers (CISOs) face a variety of challenges. Additional research is needed on the role CISOs play in attaining information security compliance. In this paper, we use path-goal theory of leadership as a theoretical lens to understand how CISOs can become more effective information security leaders. We present a research model for effective security leadership that emphasizes security member characteristics, the organizational environment, and the security motivation process. The paper suggests that CISOs' leadership behaviors must be tailored to communicate with and influence subordinates' perceptions, as well as the paths to attaining information security goals.

    Management attitudes toward information security in Omani public sector organisations

    The incorporation of ICT in public sector organisations is progressing rapidly in Oman, where the government sees it as a means to enhance the delivery of online services. In this context, preserving the security of information, and making Information Security a core organisational concern in public sector organisations, requires attention from management. Our research is the first known attempt to gauge management attitudes toward Information Security in Oman. We also consider how such attitudes influence Information Security governance. In addressing these issues, we review current compliance with Information Security procedures in Omani public sector organisations, review management attitudes toward Information Security governance practices, and explore how management attitudes toward Information Security affect these aspects.

    The Impact of Security Practices on Regulatory Compliance and Security Performance

    This study examines how a healthcare organization's security practices (including IT controls, policies, education, and hiring practices) influence its perceived regulatory compliance and security performance. We used qualitative and quantitative survey data provided by senior IT managers from 250 healthcare organizations. Healthcare organizations must focus on preventing breaches as well as on complying with government regulation. Using hierarchical linear modeling (HLM), we examine how specific security practices improve regulatory compliance, protect patient information, and minimize the impact of a breach incident. The results show that audit policies are positively associated with perceived regulatory compliance and that security policies are associated with security performance. We also find that the interaction of audit and security policies has a stronger effect than either type alone. Surprisingly, an organization's level of compliance is not significantly associated with its actual security performance. This study can provide healthcare organizations with strategic guidelines for improving their regulatory compliance and security performance.

    Mismatched Understanding of IS Security Policy: A RepGrid Analysis

    Professional and academic literature indicates that organizational stakeholders may hold different perceptions of security rules and policies. This discrepancy of perceptions may be rooted in a conflict between stakeholders' compliance with organizational norms on the one hand and with security rules on the other. The paper argues that a mismatched understanding of security policy can have a devastating effect on the security of organizations and should therefore be treated as a key reason for non-compliance with security policy. Using Personal Construct Theory and Repertory Grids, we explore how different stakeholder groups within an organization can hold divergent views of the same security policies. Our findings have implications for the design of security policy training and awareness programs, as well as for the institution and internalization of good IS governance practices.

    Identifying Data Breaches Timely: Boards’ Technology Committee Matters

    This study investigates the effect of having a board-level technology committee on the time it takes firms to identify a data breach. Data breaches are among the most important risks firms face, and boards of directors play a key role in overseeing these risks. The technology committee is an important means through which boards play this role. We present preliminary results using a sample of public firms that experienced data breaches between 2010 and 2021. Our results show that firms with technology committees identify data breaches more quickly than those without. We also outline our future research agenda to address potential endogeneity issues and to explore the underlying mechanisms. This study will contribute to the cybersecurity and corporate governance literature by demonstrating the effect of technology committees on firms' ability to identify data breaches.

    Understanding Cyber Security Perceptions Related to Information Risk in a Healthcare Setting

    Healthcare organizations are facing information system expansion for efficiency, effectiveness, and profitability. We cannot expect all healthcare employees to become information systems or security experts; however, human perceptions of risk and the identification of those risks require an organizational approach. A case study analysis of physicians practicing within a multi-million dollar healthcare organization is presented to better understand their group perceptions of risk relating to the organization's information strategy.

    EXPERT OPINIONS ON INFORMATION SECURITY GOVERNANCE FACTORS: AN EXPLORATORY STUDY

    Information Security Governance (ISG) is an important discipline that addresses information security at a strategic level, providing strategic direction, optimized use of information resources, and proper security incident management. ISG and the impact of poor security incident management have attracted much attention in the literature, but there is little empirical evidence of an explicit link between ISG and its effectiveness in reducing the negative impact of security incidents on business objectives. Consequently, ISG factors and their impact on this measure of effectiveness have seen little exploration. Further, to direct effort, the crucial question is whether these factors differ in how effective they are at attaining this target; currently, little research considers this question. The research presented in this article explores the ISG domain further by empirically examining 30 ISG factors and their ability to reduce the negative impact of security incidents on business objectives. Data were collected by surveying ISG experts. Ten factors were identified as having significantly different means from the other factors in a one-way ANOVA. The results give an indication of which ISG factors have an effect, providing both support for further academic research and decision support for implementing ISG.