
Circle the Wagons! : An Exploratory Study of Effective Information Security Governance


Academic year: 2021



Circle the Wagons!

An Exploratory Study of Effective Information Security Governance

Master’s Thesis

Arnout van Velzen (Student no. 5639921)

June 30, 2014

Thesis Supervisor: Dr. A. Nusselder

M.Sc. Information Studies, Business Information Systems

Faculty of Natural Sciences, Mathematics and Informatics

University of Amsterdam


Circle the Wagons!

An Exploratory Study of Effective Information Security Governance by

Arnout van Velzen (Student no. 5639921)

Submitted in partial fulfillment of the requirements for the degree of

M.Sc. Information Studies Business Information Systems track

from the

University of Amsterdam

Faculty of Natural Sciences, Mathematics and Informatics

June 2014

under the supervision of Dr. André Nusselder


Acknowledgements

I would like to extend my gratitude to all the people who have contributed to the completion of this project. First off, to the interviewees who have selflessly dedicated their time and cooperation (even on their day off!), for their trust and openness, but who of course must remain anonymous. Also, many thanks to the people behind the professional networks that agreed to support the survey: CIO Platform Nederland, Ngi-NGN, MSP-ISAC, ICT Netwerk Nijmegen, Kajurria.nl, Platform voor InformatieBeveiliging and Amsterdam Informatie Netwerk. And of course, to the many survey respondents who have taken the time to fill out the questions. Without the altruistic commitment of all these professionals this study would not have been possible.

Moreover, my sincere gratitude to my supervisor, Dr. André Nusselder, who has expertly guided me throughout this process, for his enthusiasm and counsel. Also, I would like to thank my professors who have taught and inspired me during my Master’s studies. And thanks to everyone else with whom I have discussed this research for all the valuable feedback. And last but not least, thanks and love to my family for their support, always.


Index

Acknowledgements ... 2

1. Abstract ... 5

2. Introduction ... 6

3. Theoretical Framework ... 7

3.1 Information Systems Governance ... 8

3.2 Information Security Management ... 9

3.3 Data Security Governance ... 11

3.3.1 Data Security as a Governance Issue ... 11

3.3.2 The Tools of the Trade ... 13

3.3.3 Outcomes and Challenges ... 16

4. Research Definition ... 20

4.1 Research Rationale ... 20

4.2 Scientific Setting ... 21

4.3 Relevance ... 21

5. Research Design ... 22

5.1 Mixed Methods ... 22

5.2 Systematic Literature Review ... 24

5.3 Interviews ... 25

5.4 Survey ... 28

6. Interview Results ... 30

6.1 Governance ... 30

6.2 Measures ... 31

6.3 Outcomes and Risks ... 34

6.4 Challenges ... 34

7. Survey Results ... 37

7.1 Descriptive Statistics ... 37

7.2 Further Tests ... 42

8. Cross Analysis ... 44

9. Discussion ... 49

9.1 Implications ... 49

9.2 Recommendations ... 53


9.3 Critical Review ... 55

9.4 Further Research ... 57

10. Conclusion ... 58

11. References ... 59

12. Appendices ... 70

12.1 List of Tables and Figures ... 70

12.2 List of Abbreviations ... 71

12.3 Literature Scheme ... 72

12.4 Interview Summaries ... 73

12.5 Interview Topic List ... 79

12.6 Interview Coding Scheme ... 81

12.7 Survey ... 82

12.8 Screenshots Survey ... 88

12.9 Overview of Variables ... 89


1. Abstract

Today organizations live and breathe by the grace of information systems, yet major security incidents occur far too often. Since much can be secured technologically, the cause is sought in the management of information security. Perhaps the most important part of management, and the focus of this study, is governance. Information security governance (ISG) shapes the framework for daily management, including such elements as policies, procedures, roles and reporting. Hence the main question of this research is how organizations may govern information security effectively. This exploratory study in the Netherlands applied a mixed methods approach combining a literature review, interviews and a survey. Interviews were conducted with thirteen representatives from mental health care and other organizations. Furthermore, a survey among information security executives was held through professional networks. Cross analysis of the results showed that information security governance is not optimally implemented in many organizations.

The findings suggest that information security should be a priority coordinated across the organization, that top management should be actively involved, and that information security should be aligned with corporate governance. Different measures and standards for information security governance were identified, for example a need for performance indicators and common use of the ISO 27002 standard. Data assurance appears to be motivated largely by business considerations rather than by risk perception. Major challenges for information security governance stem from the insider threat of transgressing employees and from current developments in information security. Some nuancing comments hold that data security should be in service of the business, is a compromise between workability and safety, and may never be complete. These conclusions were brought together in the HARP model of effective ISG, which stands for a holistic and agile approach that is risk driven and people oriented. Several recommendations are given for managers and policymakers, for example to invest in rigorous awareness programmes. The paper closes with a critical review and suggestions for further research.

Keywords: Information Security Governance, Data Assurance, Business Information Systems, Business IT Alignment, Mixed Methods


2. Introduction

In recent years the world was shaken up by a series of data indiscretions at some of the most competent organizations. Some illustrative examples: hackers purloined encrypted data on some 40 million credit and debit cards used from November 27 through December 15, 2013, at major U.S. retailer Target (Coleman-Lochner & Rupp, 2013; McCoy, 2013). After the announcement on December 20th, sales dropped 21% during the busy holiday shopping season despite discounts and communications, and Target may be facing legal scrutiny and lawsuits. In 2012, due to a technical glitch in Facebook’s archive, users downloading contact data on their friends received other users’ personal information as well (Shih, 2013). Although this loss of six million phone numbers and e-mail addresses did not lead to harmful consequences, it came at a time when Facebook was criticized for sharing private data with U.S. intelligence.

In November 2013 hackers stole two million passwords through keylogging malware covertly installed on users’ computers, 318,000 of them for Facebook, as well as more for Google, Yahoo, Twitter and 93,000 other websites (Paglieri, 2013). This April the Heartbleed bug revealed an information hemorrhage from the widely used OpenSSL internet-protocol library (Perlroth, 2014). Recently also, online auction giant eBay leaked 145 million passwords after a cyber attack by hackers (Mac, 2014). These incidents, among many others, paint a grim picture: data security crises have become increasingly prevalent. Indeed, a survey in the United Kingdom reported that 81% of large firms and 61% of small firms experienced a security breach (PriceWaterhouseCoopers, 2014).

Information has become the cornerstone of modern society and organizations have grown increasingly dependent on information (Barney, 2004). Moreover, external links of organizations through collaboration (e.g. virtual organizations), more connectivity of devices (e.g. the Internet of Things), and public and governmental scrutiny (e.g. European data protection regulation, the Sarbanes-Oxley Act) are trends that exacerbate information security vulnerabilities. Ever more important data has put an ‘information burden’ on organizations to avoid operating under the threat of electronic crime and service interruption. While the technical resolutions of data security have already received a lot of attention in the academic literature and in professional communities, this study seeks to explain these issues from the ‘soft side’, the managerial perspective of data security.


Perhaps the most important element of information security is governance, which includes risk management, coordination and accountability, and which provides the framework for daily management (e.g., Kritzinger & Von Solms, 2006). With the growing reliance on information, securing data against data loss, service interruption and data breaches is becoming a more pressing issue for legal, operational and strategic reasons (e.g., Lebek, Uffen, Breitner, Neumann & Hohler, 2013). One prevalent doctrine in information management prescribes that information systems should also be leveraged strategically to contribute to organizational goals, known as business IT alignment (e.g., Chan & Reich, 2007). In line with this train of thought, the central question of this exploratory study is: “How can organizations govern information security effectively?” The underlying research applied a literature review, interviews and a survey in the Netherlands to explore the answers. The managerial perspective is a lacuna in research on information security, and insights into it provide valuable tools to policymakers in different capacities. In what follows, the theoretical background of IT governance, information security and information security governance is first laid out, before elaborating on the research that was carried out.

3. Theoretical Framework

Information security is an increasingly important, complex and multidisciplinary challenge for IT managers. The management of information systems should however also be aligned with the business. This is where IT governance comes in, setting the stage for IT management, which nestles the central topic of this study, information security governance, snug between IT governance and information security management. Each of these topics is discussed in detail below.


3.1 Information Systems Governance

Corporate governance may be defined as the structure of rights and responsibilities among the different stakeholders within a firm, e.g. managers, shareholders, board of directors, employees, et cetera (Aguilera & Jackson, 2003; Haxhi & Aguilera, 2012), although definitions of corporate governance vary widely because of the many disciplines from which it is approached (Aguilera & Jackson, 2010). Strategic decision making may be considered the essence of the firm, which accounts for the paramount importance of governance structures and mechanisms (Cowling & Sugden, 1998). Claessens and Yurtoglu (2012) found that firms benefit from corporate governance frameworks through better access to external capital, improved operational performance, reduced risks and better stakeholder relations.

IT governance entails which decisions should be made to optimize information systems management, i.e. the decision domains, and by whom, i.e. the locus of accountability (Khatri & Brown, 2010). Governance in this respect differs significantly from management, which refers to the actual making and implementation of decisions. It is also worth noting that information technology is not the same as information assets, which refers to valuable data or documented facts. Information systems governance includes such activities as strategic alignment, value and benefits analysis, risk management, developing policies and procedures, and performance measurement (Webb, Pollard & Ridley, 2006).

Following a common doctrine in information science, data security efforts should be aligned with organizational objectives (Chan & Reich, 2007). The term ‘alignment’ is a generic description that refers to the ‘matching’ or ‘fit’ of corporate resources and activities with the external context in order to increase performance (Baker & Jones, 2008). Such a common denominator is controversial, however, because of the diverse applications of alignment and their concomitant dimensions. Effective IT governance depends on the right level of dominance of either IT or business executives in the decision domains of IT principles, infrastructure, architecture, and investments (Weill & Woodham, 2002). Many governance mechanisms exist to control IT costs, including executive committees, budgeting, service level agreements, chargebacks or process teams (Van Maanen & Berghout, 2002). Another way to control IT costs is by quantifying technological cost drivers and resource consumption following the Activity Based Costing method (Dedene, Viaene, Cumps & De Backer, 2004).


3.2 Information Security Management

Information security is increasingly recognized as one of the most important responsibilities of information management (Lebek et al., 2013). Herein users’ awareness and behavior are identified as the weakest link and the main cause of data breaches. Indeed, the information culture made up of values and behavior has a crucial impact on information use (Choo, 2006). Information security may be defined as “the set of processes, procedures, personnel, and technology charged with protecting an organization’s information assets” (Jourdan, Rainer, Marshall & Ford, 2010, p.34). It is aimed at the preservation of the confidentiality (secrecy of sensitive information), integrity (unaltered completeness) and availability (functional access, uptime) of information (Olivier, 2002; Von Solms & Van Niekerk, 2013).

Traditionally technological resolutions have been the main focus of information security. Many technological solutions are available, including firewall technology, antivirus software, data encryption, two-factor authentication and many other means (Creery & Byres, 2005). One common technique is tokenization, the process of replacing a sensitive piece of data with an encoded safe substitute (Mattsson, 2009). The algorithm used to encrypt the data determines the security strength. It is often used for financial, medical, legal or otherwise private information, for example in order to comply with the Payment Card Industry Data Security Standard (PCI-DSS). Although it is a strong and cost effective measure as part of a risk-based holistic approach, the adaptations to existing systems may be so burdensome as to advise against it. Requirements engineering, the process of identifying, representing and tracking software requirements, is also prudent for data security (Mayer, DuBois & Rifaut, 2007).

Not only has information security become increasingly important, it has undergone a shift from being a technological issue to being a managerial responsibility for all layers of the organization (Bunker, 2012). Activities of security management include end-user training, updating and maintaining systems, project management, risk management and policy evaluation (Whitman & Mattord, 2004). The process of risk analysis entails, in that order, assessing information assets, threats, vulnerabilities, current safeguards and finally risks (Jourdan, Rainer, Marshall & Ford, 2010). Moreover, attention has recently risen for agile security arrangements that adapt to ever changing contexts (Torrellas, 2003).

As a risk management problem, IT and business should be aligned on data security through a variety of strategic, operational and tactical tools (Mayer, DuBois & Rifaut, 2007). For example, data security activities should be financially justified to managers (Klempt, Schmidpeter, Sowa & Tsinas, 2007). While firms are dependent on information for their survival, rational IT managers will invest in information security only if there is a positive financial return (Chai, Kim & Rao, 2011). The costs of information system disruptions due to security incidents include such expenses as restoration expenditures and compensation fees.

However, determining financial returns or arranging insurance for information security is notoriously difficult (Gordon & Loeb, 2002; Shetty, Schwartz, Felegyhazi & Walrand, 2010).

Chai, Kim and Rao (2011) found a positive return on information security investments in stock market reactions. While investments in data security were often met with skepticism, the Sarbanes-Oxley Act has rendered information security mandatory and topical. Information systems are seen as a costly nuisance, especially by small to medium enterprises, despite their also being a possible source of innovation (Levy, Powell & Yetton, 2001).

As stated, legal demands such as the 2002 Sarbanes-Oxley Act have placed renewed emphasis on data security, and corporations are moving more and more beyond compliance (Damianides, 2004). The Dutch law on data privacy will likely be extended by the European General Data Protection Regulation under the auspices of the Dutch Data Protection Authority (Kranenborg, 2013; Maxwell, 2014). Despite a variety of threats to data security, e.g. unauthorized access, natural disasters or computer crashes, many organizations fail to successfully implement an information security policy (Jourdan, Rainer, Marshall & Ford, 2010). Security policies are often defined at the strategic and tactical levels of an organization, but fail to reach operational levels (Von Solms, Thomson & Maninjwa, 2011).

Hence there is cause to seek progress in information security in management rather than in the technological instruments. As information security management has evolved into governance, this study follows the forefront of this research field (Jacobs, 2014; Von Solms, 2006). As explained above, governance refers to the coordination framework of directing, controlling and regulating that shapes the decision making process and the daily management which ultimately determines information security success. Information security governance, the focal concept of this study, is detailed further in the extended literature review in the following section.


3.3 Data Security Governance

3.3.1 Data Security as a Governance Issue

The most common descriptor of the governance of data security is Information Security Governance (ISG) (Von Solms & Von Solms, 2009). Other names are ‘data security governance’ or ‘digital security governance’ (e.g. Eijkman, 2013). Many consider ISG to be business security as part of corporate governance (Von Solms & Von Solms, 2005; Allen & Westby, 2007) and a subset of IT governance (Abu-Musa, 2010; Robles, Kim & Kim, 2008). ISG involves applying governance principles to information security issues, which comprises management commitment, compliance enforcement, and coordination of personnel and resources, to protect the confidentiality, integrity and availability of information against threats (Kritzinger & Von Solms, 2006; Von Solms & Von Solms, 2006a). Aspects of ISG are accountability to shareholders, compliance with legal provisions, outlining security policies, promoting security awareness and training, defining roles and responsibilities, contingency planning, and implementing best practices and other ISG standards (Mears & Von Solms, 2005). Indeed, overall ISG pertains to people, processes and technology (DeOliveira-Alves, Da Costa Carmo & De Almeida, 2006). Several definitions of ISG abound:

“The establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems.” - Moulton and Coles (2003, p. 581)

“A subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risks appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security program.” - ITGI (2006, p. 17)

“The set of responsibilities and practices exercised by the board of directors and executive management with the goal of providing information security strategic direction, ensuring that information security objectives are achieved, ascertaining that information security risks are managed appropriately, and verifying that the information security resources are used responsibly.” - Allen and Westby (2007, p. 3)

Information security has shifted toward strategic governance, coordination with external parties, risk management and regulatory compliance, wherein multidisciplinary, human and organizational aspects have become crucial (Dlamini, Eloff & Eloff, 2009). The increased dependency of organizations on information technology has prompted a need for controls in the form of IT governance (Parfitt & Tryfonas, 2009). Governance has thus been coined as the fourth wave of information security, following the technical, managerial and institutional waves (Von Solms, 2006). As an essential component of corporate governance, information security governance naturally should protect information assets against business risks (Von Solms & Von Solms, 2005; Von Solms & Von Solms, 2006b). Furthermore, institutional pressure by means of international law has made information security a governance issue, e.g. the Sarbanes-Oxley Act, BASEL II or European privacy regulation (Moulton & Coles, 2003).

An ECAR survey shows that institutions lack formal policies, contingency plans and awareness programmes, so despite recognition by CIOs, information security governance is not an operational priority (Abu-Musa, 2010; Oblinger & Hawkins, 2006). Moreover, roles and responsibilities are often poorly defined, ISG is not aligned with business objectives, risk assessment is underdeveloped, ISG is not on the board agenda, processes do not function properly or performance measurement is absent. Similarly, Westby (2010) found that ISG is often poorly linked to corporate risk management, that executives are rarely adequately involved, and that insurance coverage is not sufficiently assessed, although more internal communication and the importance expressed by boards were positive signs.

ISG should be an essential and integral element of corporate governance and be incorporated in direct and control cycles to protect information assets (Von Solms & Von Solms, 2006a; Von Solms & Von Solms, 2006b). ISG has a cyclical nature moving between formal policy, technical procedures and informal culture (Mishra & Dhillon, 2006), operating on strategic, operational/tactical and technical levels (Ula, Ismail & Sidek, 2011).

Because of legal, socio-political and technological contingencies, information security governance should be holistically accounted for across the organization (Eijkman, 2013; Oblinger & Hawkins, 2006; Saint-Germain, 2005) and needs high-level executive involvement, as the board of directors is ultimately responsible (Abu-Musa, 2010; McFadzean, Ezingeard & Birchall, 2007; Mears & Von Solms, 2005; Von Solms & Von Solms, 2006a). Senior management's attention to information security may depend on its risk perception and on the strategic import of information systems (McFadzean, Ezingeard & Birchall, 2007). Interestingly, managerial knowledge of IT is found to be indicative of IT practice (Boynton, Zmud & Jacobs, 1994). Moreover, top management involvement results in an improved security culture and policy compliance (Knapp, Marshall, Rainer & Ford, 2006). A critical view on ISG as a board responsibility notes a gap between practitioners and the board, holds that information security should be approached from a corporate governance perspective, and argues that ISG managers should be aware of biases and semantics (Bihari, 2008). Indeed, the divide between reactive information security management and corporate governance should be resolved through ISG to achieve strategic optimization (Johnston & Hale, 2009).

3.3.2 The Tools of the Trade

ISG practice involves ensuring governance and senior commitment, creating policies and procedures, the implementation of (counter-) measures and procedures, as well as monitoring outcomes (Kritzinger & Von Solms, 2006). Examples of more technical measures are restricting access through identification and authentication, maintaining confidentiality against unauthorized access (e.g. encryption), protecting integrity of data against modification (e.g. message authentication codes), establishing non-repudiation (e.g. digital signatures), or assuring availability (e.g. backups). Less technical approaches involve classifying and labeling data, as well as assessing possible risks and impacts before elaborating security controls (Hilton, 2009; Johnston & Hale, 2009).

Good ISG practice not only involves developing sound policies, but also communicating these policies clearly, instilling ownership of data and installing accountability structures (Ward & Smith, 2002). Similarly, policy compliance is best achieved through centralized controls rather than controls federated to end users (Warkentin & Johnston, 2008). Employee behavior may be influenced through extrinsic pressure such as subjective norms and peers, intrinsic motivations such as the perceived effectiveness of actions, and the certainty of detection of non-compliance and of penalties (Herath & Rao, 2009). Similarly, compliance intentions and behavior may be assured through preemptive actions, strong social bonds, peer behavior and individual values (Mishra & Dhillon, 2006).

ISG is engaged with the (financial) metrics and monitoring of such measures as firewalls, intrusion detection or security awareness programmes (Garigue & Stefaniu, 2003). Indeed, organizations should not only install awareness programmes to inform and activate employees, but also tools to measure their effects (Kruger & Kearney, 2006). Measuring the financial value of investments in information system attributes such as security has always been complicated, but it is necessary to justify investments to the business (Butler, 2002). An example is a cost-benefit analysis method that assesses whether more cost-efficient solutions exist for possible risks. The necessity and value of data security is hardly questioned; e.g. voluntary disclosure of security measures was positively rewarded in market value (Gordon, Loeb & Sohail, 2010). It is suggested to integrate strategic indicators, such as those from the Balanced Scorecard, with business objectives and best practices (DeOliveira-Alves, Da Costa Carmo & De Almeida, 2006). Management reporting of ISG metrics could be visualized through ‘dashboard’ software (Okuhara, Shiozaki & Suzuki, 2010).

Von Solms and Von Solms (2004) add that ISG has no silver bullet solution, should be based on risks and internationally recognized best practices, and requires infrastructure, tools and supporting mechanisms. Moreover, compliance testing of one's own department leads to biased results, so it is advised to separate operational and compliance management (Von Solms, 2005b). Periodic audits by independent controllers provide another safeguard for adequate ISG (Flowerday & Von Solms, 2005). To guide interoperability among tools and to represent security information for management, an ontology could be developed as a dictionary for ISG communication, mitigating a multitude, diversity or dearth of semantics (Dos Santos-Moreira et al., 2008). Also, utilizing capability assessment tools for continuous improvement based on capability maturity model principles would be beneficial (Williams, 2008). Furthermore, ISG should be integrated with corporate risk management, which generally includes assessment, treatment, communication and monitoring of risks and impacts (Corpuz & Barnes, 2010).

To guide holistic ISG many guidelines and standards abound (Huang, Lee & Kao, 2006; Humphreys, 2008). Von Solms and Von Solms’ (2009) model of ISG is made up of a direct and control cycle vested in best practices derived from such standards. The most popular example is the ISO/IEC 17799 standard for information security, informing such best practices as demonstrating management commitment, developing coordination and responsibility frameworks, asset classification and control, user training and awareness, and physical security of information systems (Saint-Germain, 2005; Conner & Coviello, 2004). Other best practices discussed in ISO/IEC 17799 are failure mitigation and incident response protocols, access control, software and maintenance, continuity management, and legal compliance. The code of practice for information security management has since been renamed from ISO 17799 to ISO 27002 and extended with the ISO 27001 standard for management systems requirements (Brenner, 2007).

While the more detailed ISO/IEC 17799 focuses on security and certification, the complementary COBIT standard covers broader ground integrated in IT governance (Saint-Germain, 2005; Von Solms, 2005). Similarly, ITIL may be implemented to govern more general IT processes and control, in tandem with ISO/IEC 17799, which focuses more on data security. Moreover, ISG maturity models could be discerned based on standards, such as the COBIT maturity model, which ranges from merely expressing the need for ISG to continuous improvement and financial metrics (DeOliveira-Alves, Da Costa Carmo & De Almeida, 2006).

Drawing on socio-technical and institutional theory, Williams, Hardy and Holgate (2013) provide a framework for information security governance practice. Accordingly, information protection governance constitutes diverse and adaptive governance arrangements made up of a vast network of internal and external connections and trust mechanisms. An overall framework of data governance can be derived by operationalizing the locus of accountability (whom) for every decision domain (what), thus creating a data governance matrix to be utilized by information managers (Khatri & Brown, 2010). Ula, Ismail and Sidek (2011) developed a governance framework for the banking industry based on such standards as COBIT, ISO 17799, FFIEC and PCI-DSS. Abu-Musa (2010) combined a large number of frameworks proposed by many of the authors cited here to arrive at a comprehensive framework with all the necessary components to guide ISG implementation.

3.3.3 Outcomes and Challenges

Some outcomes of ISG are strategic alignment of information security, improved risk management, better use of resources, performance measurement and organizational value (ITGI, 2006). An acceptable level of risk protects against information loss, service interruption, unauthorized access, and data misuse and corruption. Ezingeard, McFadzean and Birchall (2005) distinguish operational, tactical, strategic and organizational benefits. Operational benefits are business process resilience, improved service and responsiveness, and information utilization. Similarly, operational gains stem from predictability, which reduces operational costs, optimal resource allocation, improved electronic transactions, avoiding process interruptions, efficient risk management and avoiding incident recovery efforts (ITGI, 2006; Abu-Musa, 2010).

Tactical benefits of ISG are a better understanding of business opportunities, commitment and trust from business partners and customers, confidence and assurance about information, less likelihood of privacy violations, as well as easier compliance and better control (Ezingeard, McFadzean & Birchall, 2005; ITGI, 2006; Abu-Musa, 2010; Ula, Ismail & Sidek, 2011; Hilton, 2009). Indeed, compliance with laws and regulations is a primary reason for ISG adoption (Swindle & Conner, 2004; Moulton & Coles, 2003; Johnston & Hale, 2009), as is self-governance as an alternative to further governmental regulation (Abu-Musa, 2010).

Strategic benefits of ISG entail improved governance, e.g. policy compliance, accountability, and auditability, as well as cheaper equity, less costs and increased sales (ITGI, 2006; Abu-Musa, 2010; Ezingeard, McFadzean & Birchall, 2005). Organizational benefits include improved shareholder value based on governance evaluation, competitive advantage, a license to operate, protection of the organization's reputation and risk reduction (Abu-Musa, 2010; Ezingeard, McFadzean & Birchall, 2005; Posthumus & Von Solms, 2004; ITGI, 2006; Ula, Ismail & Sidek, 2011; Williams, 2001). Furthermore, ISG has external value benefitting different relevant stakeholders, including clients, governments or supply chain partners (Swindle & Conner, 2004).

ISG is likely to be effective when it upholds a conducive information culture and provides a framework for decision making and strategic direction (Allen & Westby, 2007). Conversely, any failure to govern data security properly could lead to identity theft, competitive disadvantage, loss of consumer information, and sophisticated criminal or destructive use of information (Abu-Musa, 2010). Other information security risks are illegal transactions, network penetration, foreign intelligence, phishing (social engineering employees into ceding valuable information), as well as ‘digital’ risks such as keylogging software, spyware, trojan horses, hackers and viruses (Ula, Ismail & Sidek, 2011; Johnston & Hale, 2009). Moreover, not taking due care could put the organization under legal liability of negligence (ITGI, 2006; Von Solms & Von Solms, 2006b).

In terms of challenges, ISG faces ethical dilemmas in using and sharing digital personal data and in accountability for risk management (Eijkman, 2013). For example, the right to privacy is currently often weighed against the benefits of the right to information (Kleve & De Mulder, 2007). Investing in information security could be considered a corporate social responsibility, stemming from a duty not to cause harm and to contribute to societal stability (Matwyshyn, 2009). Increasing numbers of strategic alliances imply sharing data and ISG responsibilities with outside parties, prompting ISG agreements and federated security models (Todd, Zibert & Midwinter, 2006; Hilton, 2009). Aside from more expansive organizational networks, trends such as espionage and a public and legal demand for data security and privacy add to the importance of ISG (Allen & Westby, 2007). Recently, the transition of information systems into the ‘cloud’ (i.e. internet based servers) has given rise to new security problems that put organizations off, mainly concerning data isolation, data leakage and corruption, infection from a lack of hedging, and service reliability; access and identity management are the key technical issues in this respect (Okuhara, Shiozaki & Suzuki, 2010).

Another vital problem is the threat of employees abusing or harming information systems, which the international standards for ISG help to counter (Humphreys, 2008). Indeed, the insider threat causes the majority of information breaches, and people are considered the weakest link in information security (Mishra & Dhillon, 2006). Trusted human agents inside the organization may abuse information assets, whether involuntarily or deliberately, and cause major economic damage (Warkentin & Willison, 2009). ISG norms and responsibilities are driven by informal structures such as behavior, values and beliefs (Mishra & Dhillon, 2006). The failure to establish policies and to treat ISG as a priority is commonly caused by cultural obstacles (Oblinger & Hawkins, 2006). IT security culture develops through interaction with policies and measures, individual perceptions and exhibited behavior; hence implementing the right ISG components leads to a more conducive ISG culture (Veiga & Eloff, 2007). Organizations should strive to align employee value systems by promoting the importance of security behavior, for example through employee training (Mishra & Dhillon, 2006), and by involving employees in the ISG dialogue to effectuate understanding (Hilton, 2009).

Other common challenges to ISG are ubiquitous access to information systems, the need for an enterprise-wide approach, global legal compliance, justifying resource commitments and the intangible nature of information security (Allen & Westby, 2007). In a critical discussion, Anderson (2001) argues that ISG can be understood through micro-economics, e.g. by establishing moral hazard, asymmetric information and externalities, and that this deeper political problem should be addressed by all parties involved.


Topic: Defining ISG
Summary: Information Security Governance (ISG) is a subpart of corporate governance dealing with accountability, direction, compliance, policy, responsibilities, contingencies, risk management, and controls to protect valuable information assets.
Articles: Von Solms & Von Solms, 2009; Eijkman, 2013; Von Solms & Von Solms, 2005; Allen & Westby, 2007; Abu-Musa, 2010; Robles, Kim & Kim, 2008; Kritzinger & Von Solms, 2006; Von Solms & Von Solms, 2006a; Mears & Von Solms, 2005; Moulton & Coles, 2003; ITGI, 2006

Topic: ISG as a governance issue
Summary: Information security underwent an evolution toward strategic, multidisciplinary, pan-organizational, board-level governance due to information dependency and legal requirements; its necessity is hardly questioned, but ISG is still largely failing and a board-practice gap was noted.
Articles: Dlamini, Eloff & Eloff, 2009; Parfitt & Tryfonas, 2009; Van Solms, 2006; Von Solms & Von Solms, 2005; Von Solms & Von Solms, 2006b; Moulton & Coles, 2003; Williams, 2001; Oblinger & Hawkins, 2006; Eijkman, 2013; Saint-Germain, 2005; Abu-Musa, 2010; McFadzean, Ezingeard & Birchall, 2007; Mears & Von Solms, 2005; Von Solms & Von Solms, 2006a; Bihari, 2008; Kritzinger & Von Solms, 2006; Gordon, Loeb & Sohail, 2010; Knapp, Marshall, Rainer & Ford, 2006; Westby, 2010

Topic: Integrated into CG
Summary: ISG should be integrated in control cycles.
Articles: Von Solms & Von Solms, 2006a; Von Solms & Von Solms, 2006b; Mishra & Dhillon, 2006; Ula, Ismail & Sidek, 2011

Topic: ISG measures
Summary: Financial metrics and monitoring, awareness programs, non-compliance detection and penalties, training, governance integration and senior commitment, policies and procedures, countermeasures, accountability structures, classifying data and risk management, independent audits, ontologies, capability assessment, physical security, contingency scenarios, access control, maintenance, legal compliance.
Articles: Garigue & Stefaniu, 2003; Kruger & Kearney, 2006; Herath & Rao, 2009; Mishra & Dhillon, 2006; Ward & Smith, 2002; Warkentin & Johnston, 2008; Hilton, 2009; Von Solms, 2005b; Flowerday & Von Solms, 2005; Dos Santos-Moreira et al., 2008; Williams, 2008; Saint-Germain, 2005; Conner & Coviello, 2004; Corpuz & Barnes, 2010; Johnston & Hale, 2009; Okuhara, Shiozaki & Suzuki, 2010

Topic: Standards, frameworks and best practices
Summary: Frameworks should be based on best practices made explicit in standards and guaranteed by certifications.
Articles: Von Solms and Von Solms, 2004; Williams, Hardy & Holgate, 2013; Khatri & Brown, 2010; Huang, Lee & Kao, 2006; Humphreys, 2008; Von Solms and Von Solms, 2009; Saint-Germain, 2005; Conner & Coviello, 2004; Ula, Ismail and Sidek, 2011; Von Solms, 2005; Abu-Musa, 2010; DeOliveira-Alves, Da Costa Carmo & De Almeida, 2006

Topic: Outcomes
Summary: Strategic alignment of information security, improved risk management, better utility of resources, performance measurement; less data corruption, interruption and misuse; operational benefits of efficiency and continuity; tactical benefits include better external relationships and compliance; organizational benefits include a license to operate; benefits to external stakeholders.
Articles: Abu Musa, 2010; Ezingeard, McFadzean and Birchall, 2005; Ula, Ismail & Sidek, 2011; Hilton, 2009; Swindle & Conner, 2004; Moulton & Coles, 2003; Johnston & Hale, 2009

Topic: Risks
Summary: Data misuse, corruption and discontinuity from technical and human risks, leading to financial and legal repercussions as well as damage to the organizational reputation.
Articles: Abu-Musa, 2010; Ula, Ismail & Sidek, 2011; Von Solms, 2006; Johnston & Hale, 2009

Topic: Challenges
Summary: Lack of formal strategy, policies and procedures, poorly defined roles, lack of alignment, underdeveloped risk management, lack of board commitment, suboptimal processes, no performance measurement, ethical dilemmas, sharing data with outside parties, insider threat, cultural obstacles, micro-economic externalities, public and legal demand, ubiquitous information systems, the enterprise-wide approach, the cloud.
Articles: Abu-Musa, 2010; Eijkman, 2013; Todd, Zibert & Midwinter, 2006; Hilton, 2009; Humphreys, 2008; Mishra & Dhillon, 2006; Oblinger & Hawkins, 2006; Veiga & Eloff, 2007; Anderson, 2001; Matwyshyn, 2009; Kleve & De Mulder, 2007; Allen & Westby, 2007; Okuhara, Shiozaki & Suzuki, 2010


4. Research Definition

4.1 Research Rationale

As outlined above, organizations experience a data burden as they fail time and time again to sufficiently secure information, despite a wide range of technological and organizational security measures available, which may point to problems of governance. This exploratory study investigates how organizations coordinate and account for the whole of their information security initiatives in an optimal fashion. Hence the central research question is formulated as:

“How can organizations govern information security effectively?”

Here, ISG is considered to be effective when it optimally ensures the confidentiality, integrity and availability of data and is aligned with business objectives. Five sub-questions were developed to guide the research and answer the central question:

SQ1: What are common ISG approaches?
SQ2: What are best practices of ISG?
SQ3: What are outcomes of ISG?
SQ4: What are challenges and opportunities for ISG?
SQ5: What are motivations for ISG?

Several strengths, weaknesses, opportunities and challenges could be identified in the literature review, and, borrowing from the generic SWOT-analysis, these viewpoints aid understanding of the dynamics of the phenomena observed, which is a common strategy in research (e.g. Justice, 2002; Kaplan and Haenlein, 2010). The literature also indicates that ISG should be aligned with corporate governance, hence it is judicious to examine this relationship. The research scope is further restricted to the Netherlands, since the Dutch are global leaders in information technology. For example, the Netherlands places 4th in the World Economic Forum’s Networked Readiness Index (Bilbao-Osorio, Dutta & Lanvin, 2014).

The objectives of this exploratory study are to arrive at a tentative theory on effective ISG, as well as to illustrate the current state in the Netherlands and the opportunities and challenges of the field. Such a theory serves to fill the gap in extant literature and provide valuable recommendations to guide policymakers. It is also intended to contribute to the general discourse on information security and governance. In sum, the tangible results comprise empirical data, a model of effective ISG, management implications and survey items.

4.2 Scientific Setting

As mentioned, ‘data security’ receives a lot of attention in scientific journals, but there are few recent studies on the ‘business side’ as a whole. The failure of ISG, evidenced by the many data breaches, motivates investigating the effectiveness of ISG. The effectiveness of ISG, and the relatively small field of ISG in general, constitute a gap in academic knowledge (McFadzean, Ezingeard & Birchall, 2007; Kooper, Maes & Lindgreen, 2011; Dlamini, Eloff & Eloff, 2009; Williams, Hardy & Holgate, 2013) at the forefront of information security research (Jacobs, 2004; Von Solms, 2006). Many individual subtopics in ISG are also found to require further research, e.g. the human aspect of information security (McFadzean, Ezingeard & Birchall, 2007), policy compliance (Herath & Rao, 2009) or reporting ISG to the board (Mears & Von Solms, 2005).

Separate issues like accounting or frameworks have received some attention, but are rarely addressed in an integrated manner. Furthermore, the body of literature on ISG largely lacks empirical studies, as most are theoretical. This study aims to bring together streams of research and move ISG research from ‘what’ to ‘how’. This research builds on the works of notable ISG researchers such as the Von Solms brothers, Johnston, Allen and Westby. Also, because the field of information security is fast moving, it benefits from up-to-date research. Lastly, by providing a national perspective from the Netherlands this study provides unique and relevant insights.

4.3 Relevance

Firstly, this exploration into the relatively nascent field of ISG seeks to fill a gap on effective and holistic approaches to ISG. However, the insights garnered may also be applied to studies on data security, business information systems, corporate governance and business IT alignment. Also, this study makes a contribution in the form of empirical data and survey items, and aims to spark scientific discussion and further research. Lastly, the research presented here provides a unique and up-to-date national perspective from the Netherlands.


To organizations this study provides a number of practical implications and further understanding of ISG, contributing to organizational objectives and to securing information. Moreover, the conclusions provided here may be useful to policy makers in other capacities, such as government, as well. In an economic sense, improved understanding of ISG leads to more efficient and reliable firms and fewer information externalities. On a societal level, the underlying research may help to avoid abuse of citizens’ sensitive information, inform the general discourse on data security, and further understanding of the intricacies and tradeoffs of our reliance on information systems and their security.

The topicality of data security is exemplified by the news coverage of the many data leaks in the past few years that have gained the attention of the general public, a growing security industry and newly announced or expected legislation (e.g. the Sarbanes-Oxley Act, European privacy regulation, Dutch law on data leaks). Similarly, scientific articles on “information security governance” (190 in 2010; 238 in 2012; 230 in 2013 according to Google Scholar) and Google Trends reflect recent interest in the subject matter.

5. Research Design

5.1 Mixed Methods

All research methods have their limitations, which may be compensated for by combining different methods in a mixed methods strategy (Creswell, 2002). This research design builds on the premise that combining data from different methods leads to a better understanding of complex problems (Creswell & Clark, 2007). Herein quantitative methods may build on qualitative methods, or vice versa, or be conducted separately (Easterbrook, Singer, Storey & Damian, 2008). Befitting the nascency and ambiguity of this study, a sequential exploratory strategy was preferred here, wherein a quantitative survey builds on qualitative interviews. The literature review lays the groundwork, thereafter the interviews develop a theory in a rich grounded fashion, upon which the survey tests the resultant assumptions (Keele, 2012). These mixed methods are complementary and function to build on the outcomes of the previous method (Palinkas et al., 2011). However, Harris and Brown (2010) warn that mixing methods is not without problems due to methodological differences, and suggest ensuring close alignment between methods and, in triangulation, evaluating each method’s results as distinct.

Within the time and resource constraints of a Master’s thesis, and taking into consideration the sensitive nature of the subject, the research design entailed a literature review, interviews and a survey. Such questions of ‘how’ at an early stage of investigation best suit a qualitative research strategy (Yin, 2003). Qualitative research and experiments are approaches that are commonly used to empirically verify theoretical research (Robson, 2011; Hoepfl, 1997). The literature review yielded a preliminary framework of information security governance that was extended and empirically verified through interviews, to be tested further via an online survey. A similar research design is found in Stephens and Valverde (2013), Knapp, Marshall, Rainer and Ford (2006), and Spears and Barki (2010). These methods are discussed in further detail below, after the cross analysis and validity of the research design are explained.

Figure 3: Mixed Methods Research Design

Cross data analysis of the literature review, interview and survey results is conducted through constant comparative analysis before integration into one theory (Onwuegbuzie & Leech, 2006). Constant comparative analysis in this respect entails continuously contrasting the different methods’ results and eventually integrating these links into a coherent narrative (Sandelowski, 2000; Johnson & Onwuegbuzie, 2004). The validation framework for mixed methods designs suggests five elements: quality of the literature review, construct validation of the methods used, the inferential consistency of links within the study, utilization in further research, and the social acceptance of findings (Leech, Dellinger, Brannagan, & Tanaka, 2010).


Triangulation is one solution to ascertain validity and reliability in mixed methods research, which means to find consistencies between multiple factors on research dimensions such as different methods, data, researchers or theories to get more accurate results (Robson, 2011; Baxter & Jack, 2008). On a side note, as Patton (2002 in Guion, Diehl & McDonald, 2011) stresses, it is the very inconsistencies (disparities between data) that provide valuable insights as well. Triangulation relies on the principle of replication logic, implying that recurrent agreeing results point to a high degree of verisimilitude (Eisenhardt & Graebner, 2007). Note that triangulation, especially using multiple methods, requires more time and resources and adds complexity to the research (Thurmond, 2001).

5.2 Systematic Literature Review

The goal of a systematic literature review is to minimize bias in locating, selecting, coding, and aggregating individual studies (Schlosser, 2007; Robson, 2011). In addition, a systematic literature review also presents the current state of affairs on a given topic. Such a design is desirable to identify new patterns in extant literature and elucidate gaps (Petticrew & Roberts, 2006). Due to limitations the literature review was restricted to electronic databases. Taking into account the nascency of the subject, inclusion criteria were considerably broad. Moreover, the exploratory character of this study allows qualitative and quantitative research from various disciplines, such as information science, software engineering or applied science, plus ‘grey’ or unpublished sources. Inclusion criteria mainly consisted of the publication date (preferably post-millennial), credibility of the source (e.g. impact factor, number of citations), author eminence, and reputable associated institutions.

The intended literature sample was the top scientific articles identified through Google Scholar describing data security governance and related topics. Annotated references, keywords or authors were used to locate further articles. Constant comparative analysis, i.e. contrasting additional sources with already processed articles, ensured that newfound data was useful. To ascertain the validity of the systematic literature review, it was done with methodological rigour per the protocol described above (Petticrew & Roberts, 2006; Schlosser, 2007). The Google Scholar database is one of the most extensive scientific literature databases in existence, ensuring an acceptable breadth of articles. Moreover, bias and validity shortcomings of the sources would thus not cascade into the literature investigation.

The literature search was completed when no further relevant insights would emerge from additional articles. This decision was sensible since the consensual framework relies less on peripheral literature. Search terms employed were “information assurance”, “data security governance”, and all possible combinations thereof. A total of 56 articles made it into the final literature review, twelve of which came from Computers & Security and four from Information Management and Computer Security, as well as four book chapters, six conference proceedings, three industry reports and one white paper. Most articles were entirely theoretical, with the exception of one case study, one document analysis, two interview studies and eight surveys.

5.3 Interviews

Subsequent to the literature review, semi-structured interviews with organizations were conducted to gain empirical feedback and refine the results. The nascent attributes of the research subject implied that a ‘rich’ method of data acquisition was the preferred starting point. Hence, interviews were conducted to efficiently procure a rich body of data, given their direct feedback and open-ended characteristics (Hoepfl, 1979). Face-to-face communication allows little time for reflection, leading to more profound results, but requires researchers to pay attention to both the replies and the line of questioning. This qualitative method relies on purposeful sampling, i.e. cases are selected based on the ‘richness’ of information or their revealing and idiosyncratic merit, as opposed to the random probabilistic sampling of quantitative studies (Eisenhardt & Graebner, 2007; Hoepfl, 1997).

The most eligible organizations are in industries dealing with sensitive information, many legal demands and high risk from security breaches, such as finance, medical or online industries, because they are most likely to apply advanced ISG. Over the course of several weeks a wide range of organizations across the Netherlands were contacted by e-mail and telephone to request participation. The intention was to speak to relevant managers who were sufficiently informed about ISG practice. Eventually, two groups of interviewees could be formed.


Code   Organization        Function                                       Date       Duration    Method
GGZ 1  Mental Healthcare   Information Architect                          4/28/2014  34 Minutes  On Location
GGZ 2  Mental Healthcare   IT Coordinator                                 5/9/2014   27 Minutes  On Location
GGZ 3  Mental Healthcare   Advisor Quality & IT                           5/13/2014  17 Minutes  By Phone
GGZ 4  Mental Healthcare   Manager IT                                     5/19/2014  22 Minutes  By Phone
GGZ 5  Mental Healthcare   Advisor Info. Sec.                             5/22/2014  25 Minutes  By Phone
GGZ 6  Mental Healthcare   ICT Architect                                  5/28/2014  44 Minutes  On Location
GGZ 7  Mental Healthcare   Director IT                                    5/30/2014  31 Minutes  By Phone
INT 1  Higher Education    Info. Sec. Manager, Corp. Info. Sec. Manager   5/13/2014  33 Minutes  On Location
INT 2  Financial Services  Sr. Manager Security                           5/16/2014  23 Minutes  By Phone
INT 3  Semi-Government     Security Officer                               5/19/2014  40 Minutes  By Phone
INT 4  Research Institute  Security, Risk & Compliance Manager            5/21/2014  39 Minutes  On Location
INT 5  Asset Management    Business Engineer, Innovation/Information Mgr  5/26/2014  52 Minutes  On Location
INT 6  Online Retail       IT Security Manager                            6/5/2014   33 Minutes  On Location

Table 2: Overview of Interviews

Firstly, seven participants in mental healthcare agreed to an interview, reflecting how much of an issue information security has become in this sector. For example, there are privacy concerns surrounding digital patient dossiers (Kuperman, 2011) and sharing private medical information (Hooghiemstra, 2001). A second umbrella group could be formed consisting of eight interviewees from six different organizations, namely an organization in higher education, a financial service provider, a semi-governmental organization, a research institute, an asset management organization and an online retailer; all large players in their respective industries. The consistency in the first group boosts internal validity, while the maximal variation in the second group yields more generalizable patterns (Hoepfl, 1997). This strategy avoids the common sampling errors of insufficient breadth as well as insufficient depth of information. The interviews were held between April 28th and June 5th of 2014. Although preferably held at the interviewee’s office, in six instances the interviews were conducted by telephone for logistical reasons.

The interviews were held in Dutch and guided by a semi-structured topic list that enabled follow-up questions (DiCicco-Bloom & Crabtree, 2006). The questions asked during the interviews therefore had an open character. Most interviews were held at the interviewees’ offices to provide a comfortable environment for the interviewee. Also, some time was reserved

interview questions were informed by the outcomes of the prior literature review and interviews. With permission the interviews were recorded on a laptop computer and later fully transcribed for further analysis. Standards of ethical research were abided by and the interviewees were consistently reassured of their anonymity.

Qualitative data analysis of the interview transcripts applied a common process of categorizing data, interpreting patterns and veraciously communicating results (Hoepfl, 1997). Data analysis commences with open coding, i.e. assigning labels for all imaginable conceptual categories. This is succeeded by an audit trail which sorts codes by context, before causal patterns are determined in axial coding to develop a theoretical model. Lastly, this model is transformed into a narrative that closely parallels reality. These phases need not be executed sequentially, but may be carried out concurrently. Thorough documentation is crucial to reliable and replicable research, hence using computer-aided qualitative data analysis software (CAQDAS) is generally recommended. This study utilized NVivo software to analyze the interview transcripts (cf. Bazeley & Jackson, 2013).

Groundedness may imply that qualitative data is more truthful than quantitative abstraction, though the validity of qualitative research derives chiefly from the research rationale and method (Eisenhardt & Graebner, 2007). The internal validity of the interviews was ensured in a number of ways. The interviews were recorded and transcribed literally to assure an accurate reflection of the whole interview. Also, a member check confirmed representational agreement between the interviews and the transcripts by checking back with the interviewees. The validity of qualitative research is based on triangulation, or contrasting multiple data sources, theories, observers or methods to arrive at a conclusion (Baxter & Jack, 2008). Multiple interviews and coherence with the literature review enabled data triangulation to optimize external validity.


5.4 Survey

For the survey on ISG, the target population consisted of all managers stationed in the Netherlands that are directly responsible for information security governance. The sample for a survey, i.e. the group of respondents, should ideally be selected at random from the target population (Groves, 2011). However, given the constraints of the underlying study a semi-convenience sample is warranted. Since no database with contact information for such individuals could be accessed for this purpose, professional networks were utilized as a proxy sampling frame. Organized professional networks were approached by e-mail and telephone asking to distribute a survey request among their members. This survey request linked to the Qualtrics online survey tool, stressed anonymity of responses and promised a copy of this final paper as an incentive.

Also, the request was posted on LinkedIn groups dedicated to ISG where the author was granted membership or by the aforementioned organized professional networks. Since network membership was thought to be sufficient, no further eligibility criteria were applied, but control variables for the sample characteristics were incorporated. The survey was active between May 25th and June 13th of 2014 and the requests were extended at different times during this period due to the reliance on third parties. Within this short time frame no reminders could be sent by e-mail and the sampling design forewent follow-ups on incomplete surveys.

Based on an intermediate tentative analysis of the literature review and the interviews conducted at the time, conceptualizations were developed adhering to the central research questions. Since no similar surveys with predefined items could be located, these concepts were operationalized into items at the author’s discretion. The survey was subsequently created using the Qualtrics online survey tool, since this is considered one of the best tools by the research community (e.g. Chang & Vowles, 2013). All conventions for operationalization, item and survey design (such as routing or framing), and survey distribution were abided by during this process (e.g. Couper, Traugott & Lamias, 2001; Schonlau, Fricker & Elliot, 2002). Care was also taken to adequately anonymize responses. Unfortunately, time limitations did not allow a proper pre-test or pilot survey.

The survey results were downloaded from Qualtrics and analyzed using SPSS statistics software. Although SPSS is rather limited compared to other statistics packages, it has sufficient features for this study and is preferred for its ease of use. Eventually 92 results were harvested, with 14 in progress but abandoned, of which 54 completed, amounting to a completion rate of 51%. The average duration of the survey was 10:25 minutes, barring a few outliers. For the requests sent by e-mail, response rates could be calculated for CIO Platform Nederland (18%), Ngi-NGN (15.50%) and MSP-ISAC (30%), which were all below average (Sheehan, 2001). The relatively mediocre response could be attributed to the sensitivity of the subject, the considerable length of the survey or an unwillingness on the part of ISG executives to cooperate with student research. However, the exploratory and supporting nature of the survey warrants a relatively more in-depth survey.

The open questions on the respondents’ respective sector and job title were translated from Dutch and recoded by the researcher into generalized codes based on personal interpretation. No missing values were recorded in the completed results due to the application of forced response features in the survey. The reverse coded and string variables were also recoded before processing. To investigate patterns among control and experimental variables several common correlations were done in SPSS. Also, a scale construct for ISG performance was constructed with principal component and factor analysis.

The main sources of bias in survey results were addressed in the following manner. To test for common method bias, i.e. variance attributable to the measurement method or some other inherent property rather than to the responses themselves, Harman’s single factor test was conducted (Chang, Van Witteloostuijn & Eden, 2010). To check for non-response bias, eighteen incomplete results were compared with the completed sample as representatives of the non-respondents and, by extension, the population (Wang, 2001; Kaufman, 2007). In order to combat social desirability bias, i.e. bias from answers that conform to social expectation rather than honesty, the ordinary resolution is to include a social desirability scale (e.g. Luo, Rindfleisch & Tse, 2007). However, because this would imply adding at least six more items, resulting in even less response, this check was left out. In this case the cure would likely induce more bias than the disease. Finally, bias from a single informant (e.g. Kearns & Lederer, 2000) for each company could not realistically be avoided if anonymity was to be maintained. Within the exploratory context of this study, maintaining a certain level of caution vis-a-vis the results, in combination with the interviews, was deemed affordable.
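The thesis ran Harman’s single factor test in SPSS and does not show the computation. The following is an added example, not the author’s code or output, that demonstrates the logic of the test on constructed Likert-style responses: all items are entered into one unrotated principal-component extraction, and the share of total variance captured by the first component is compared with the conventional 50% threshold. The respondent data, the seed and the threshold are assumptions constructed for the demonstration, not the survey data of this study.

```python
"""Harman's single-factor test for common method bias, in pure Python.

Added example (not from the thesis, which ran the test in SPSS). All survey
items go into one unrotated principal-component extraction; if the first
component accounts for the majority (> 50%) of total variance, common method
bias is a concern. The respondents below are constructed with a seeded RNG,
not real survey data.
"""
import math
import random


def correlation_matrix(rows):
    """Pearson correlation matrix of the item columns in `rows`."""
    n, p = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(p)]
    sds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / (n - 1))
           for j in range(p)]
    corr = [[0.0] * p for _ in range(p)]
    for i in range(p):
        for j in range(p):
            cov = sum((r[i] - means[i]) * (r[j] - means[j]) for r in rows) / (n - 1)
            corr[i][j] = cov / (sds[i] * sds[j])
    return corr


def largest_eigenvalue(matrix, iterations=1000):
    """Dominant eigenvalue by power iteration plus a Rayleigh quotient.

    A correlation matrix is symmetric positive semidefinite, so its dominant
    eigenvalue is its largest. The Rayleigh quotient of any unit vector never
    exceeds it, so slow convergence can only underestimate the share.
    """
    p = len(matrix)
    v = [1.0 / math.sqrt(p)] * p
    for _ in range(iterations):
        w = [sum(matrix[i][j] * v[j] for j in range(p)) for i in range(p)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    av = [sum(matrix[i][j] * v[j] for j in range(p)) for i in range(p)]
    return sum(v[i] * av[i] for i in range(p))


def harman_single_factor(rows, threshold=0.5):
    """Return (share of variance on the first component, bias flag).

    The trace of a p x p correlation matrix equals p, so the first
    component's share of total variance is its eigenvalue divided by p.
    """
    corr = correlation_matrix(rows)
    share = largest_eigenvalue(corr) / len(corr)
    return share, share > threshold


def constructed_sample(seed, n=200, items=8, single_factor=False, noise_sd=1.0):
    """Constructed Likert (1..5) responses for demonstration only.

    single_factor=False: the first half of the items follows one latent
    construct and the second half another (a healthy two-construct survey).
    single_factor=True: every item follows the same latent factor, mimicking
    a response style that drives all answers regardless of item content.
    """
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        f1, f2 = rng.gauss(0, 1), rng.gauss(0, 1)
        row = []
        for j in range(items):
            latent = f1 if (single_factor or j < items // 2) else f2
            score = round(3 + latent + rng.gauss(0, noise_sd))
            row.append(min(5, max(1, score)))  # clamp to the Likert range
        rows.append(row)
    return rows


if __name__ == "__main__":
    cases = (("two constructs", constructed_sample(1)),
             ("single factor", constructed_sample(1, single_factor=True, noise_sd=0.5)))
    for label, sample in cases:
        share, flagged = harman_single_factor(sample)
        print(f"{label}: first component explains {share:.1%}, bias concern: {flagged}")
```

The two-construct sample keeps the first component well below half of the variance, whereas the single-factor sample, in which one latent response style drives every item, pushes it far above, which is the pattern the test is meant to flag. Real survey analysis would complement this with the non-response comparison described above.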


6. Interview Results

6.1 Governance

In terms of governance models, operational responsibility for information security usually seems to lie with one or more dedicated managers, be it an IT coordinator, information security manager or another IT executive staff function. No dedicated information security teams were reported, but the executive is supported by other staff and technical roles. End responsibility mostly lies with line management, such as the CIO and the board of directors. A few organizations also employ a data security officer, who functions as an extension of the Dutch Data Protection Authority (DPA). Most interviewees generally agree that ISG belongs to the business, since IT is too technologically focused, but with a strong operational connection to IT. The interdisciplinary and holistic nature of information security is stressed, as well as cooperation with internal stakeholders such as marketing, legal, facilities or risk management. Incidents are all handled by the executive, and this person is often consulted by other departments. Moreover, it was suggested that the information security executive should be informed of most organizational developments; it was even suggested they should have a veto right. A lot of responsibility for data security is also devolved to the end user. Other remarks described relying on flat hierarchies, reasoning from risk, and IT sometimes being outsourced.

“There is just not much IT can do about it, at some point your responsibility as IT stops, you can only imbue people to pay attention.” - GGZ 6

Despite increasing attention to information security, the board of directors or top management are often not actively involved: they assume it has already been sufficiently organized, or they lack knowledge and awareness. The board is also a regular roadblock for ISG, e.g. by not ratifying proposed policy documents. It is the task of the information security executive to build management support through regular reporting, although this is indicated to be difficult given how abstract and burdensome the topic is to convey. Information security was not perceived to be a priority, as daily operations take precedence due to time and resource limitations. Incidents do get prioritized, with an emphasis on technological solutions. There is also mention of a gap between official and de facto priority, and of creating merely an appearance of safety.

(32)

“But actually implicitly that choice is already made, ‘well that is not what we are going spend time on right now’.” - INT 5

In many cases costs were said not to be an issue, as information security is simply part of the IT budget. However, budget cuts put a strain on ISG, and resource availability is limited. The costs of ISG investments are balanced against their benefits, for example the economic value of the information protected. It was also suggested that it is difficult to justify the costs of information security or to determine the potential financial damage of risks, as financial metrics or checks and balances are often absent in ISG.

6.2 Measures

Several governance measures for information security were discussed in the interviews. Audits by external parties such as accountants, government or certification officials are common, to ensure information security is in line with industry standards. Sometimes these audits are performed in-house or focus on a particular aspect, e.g. network security. However, despite a lot of trust being placed in audits, they are criticized for not being exhaustive and for neglecting certain components.

Although a conducive culture is recognized as crucial, many organizations lack awareness programmes and report poor internal awareness of information security issues. Ways mentioned to create awareness are (introduction) training, presentations, e-mails, posters, e-learning and intranet messages, but in practice it is often limited to informal correction and explanation. Creating awareness is deemed challenging, and awareness tests among personnel often have negative results. Explanations given are generational differences, the abstract nature of information security, the inherent sensitivity of the technology, and employees underestimating the risks.

“Young people think well that is what I do at home so, and I think people that are a little older understand the risks a little easier than younger people.” - GGZ 2

The dynamic and changing field of information security is mostly considered normal and not an issue, as current information security management is sufficient. Although some find it
