    Information Security Strategy in Organisations: Review, Discussion and Future Research Directions

    Dependence on information, including at some of the world's largest organisations such as governments and multinational corporations, has grown rapidly in recent years. However, reports of information security breaches and their consequences continue to indicate that attacks on organisations conducting these information-based activities are still escalating. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of the academic security literature, we analyse (1) the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives on strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift that extends from internally focused protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.

    Investigating Roles of Information Security Strategy

    A fundamental understanding of the complexities comprising an information security strategy (ISS) in an organization is lacking. Most ISS implementations in government organizations equate installing anti-virus software or a firewall with having an ISS. While the use of hardware and software forms a good defense, neither comprises the essence of an ISS. An ISS is best integrated with business and information system strategies from the start, forming and shaping the direction of overall strategy synergistically within large government organizations. The researcher used grounded theory to investigate the choices a large government organization makes regarding the differing roles an information security professional (ISP) chooses to operate in and to develop an information security program. Analysis of data collected from interviews with 32 chief information security officers (CISOs) revealed how CISOs viewed their programs, aligned their goals within the organization, and selected role(s) to execute strategy. Grounded theory coding of the interviews showed a deficit in understanding of the complexities of an ISS and a lack of an ISS in the majority of organizations. The participants came from multiple organizations in the National Capital Region on the east coast of the United States. This study advances the body of knowledge through a qualitative understanding of the actions CISOs take in selecting a direction towards ISS implementation, role selection, and development of information security programs. It provides a theory for further testing of strategy development and role maturity.

    An evaluation model for information security strategies in healthcare data systems

    This thesis presents a newly developed evaluation model, EMISHD (an "Evaluation Model for Information Security Strategies in Healthcare Data Systems"), which addresses the specific requirements of information security in the healthcare sector. Based on a systematic literature review and a case study, the information security requirements and the existing evaluation models used to examine the information security strategies of healthcare data systems have been analysed. The requirements of information security in any sector generally vary in line with changes in laws and regulations and with the emergence of new technologies and threats, which require existing information security strategies to be strengthened to deal with new challenges. The systematic review of the existing evaluation models identified in previous research resulted in the development of a new evaluation model (EMISHD) specifically designed to examine the information security strategies of healthcare data systems against those specific requirements. A case study of a healthcare organisation in Saudi Arabia is conducted in order to apply the newly developed evaluation model (EMISHD) to a real-life case and to validate the evaluation results through observation.

    DEFINING VALUE BASED INFORMATION SECURITY GOVERNANCE OBJECTIVES

    This research argues that information security governance objectives should be grounded in the values of organizational members. Research literature in the decision sciences suggests that individual values play an important role in developing decision objectives. Information security governance objectives based on the values of stakeholders are essential for a comprehensive security control program. The study uses Value Theory as a theoretical basis and value-focused thinking as a methodology to develop 23 objectives for information security governance. A case study was conducted to re-examine and interpret the significance of the proposed objectives in an organizational context. The results suggest three emergent dimensions of information security governance for an effective control structure in organizations: resource allocation, user involvement and process integrity. The synthesis of the data suggests eight principles of information security governance that guide organizations in achieving a comprehensive security environment. We also present a means-end model of ISG that proposes the interrelationships of the developed objectives. Contributions are noted and future research directions suggested.

    Security of accounting information systems : A cross-sector study of UK companies

    The issue of information systems (IS) security has received considerable attention from both academics and professionals. Information systems security has become a major part of core business processes in companies of all sizes and types, and it has become more vital than ever for companies to have an organised, efficient, and proactive security approach to their IS. Despite this importance, a number of significant gaps exist in the academic literature. Most previous studies have dealt with IS security or information security in general, without particular attention to accounting information systems (AIS) security. Security research is fragmented, and most previous studies lack an overall and comprehensive view of AIS security issues; each study has tended to deal with a particular security dimension. In addition, much research on IS security has been overwhelmingly focused on technical aspects, with limited consideration given to non-technical issues such as security policy, training and awareness, risk assessment or the security budget. In an attempt to fill these gaps, the current study presents an integrated view of AIS security in UK companies by addressing both the technical and non-technical aspects of security. The current study aims to investigate the level of AIS security among UK companies in different industry sectors by examining the sources and types of AIS security threats, the different types of controls implemented to prevent or reduce security threats, and the existence of a management framework for AIS security within UK companies in different sectors. To achieve the research objectives, the current study employed quantitative and qualitative approaches using a postal questionnaire and semi-structured interviews. The first stage involved sending a postal questionnaire to the IT managers of 800 UK listed companies in different industry sectors. A total of 104 responses were received, of which 65 were usable for statistical analysis. The second stage involved conducting nine interviews with IT managers of UK companies. The results indicated that some activities and practices forming the AIS security management framework are well known and undertaken by the majority of UK companies regardless of industry sector, for example an AIS security policy, security risk assessment, security incident handling procedures, and a business continuity plan. However, a security training and awareness programme, a security budget, and the British Standard for Information Security (BS 7799) are the most neglected security practices in the majority of companies. The results also showed that UK companies suffer from different types of security incidents; however, many incidents go unreported because of the fear of negative publicity, and the majority prefer to protect their brand and deal with these incidents internally. The results also revealed that employees are now the most common source of AIS security threats facing UK companies. In addition, the results suggested frequent occurrence of some types of security threats, for instance employee errors such as unintentional destruction of data, spamming and malware attacks, and employees sharing passwords. Moreover, the majority of companies are paying more attention to software, hardware, input, and output security controls; however, more effort must be devoted to organisational and personnel controls.