Professional Documents
Culture Documents
Strategic Value Alignment For Information Security Management: A Critical Success Factor Analysis
Strategic Value Alignment For Information Security Management: A Critical Success Factor Analysis
www.emeraldinsight.com/2056-4961.htm
ICS
26,2 Strategic value alignment for
information security management:
a critical success factor analysis
150 Cindy Zhiling Tu
School of Computer Science and Information Systems,
Received 4 April 2017 Northwest Missouri State University, Maryville, Missouri, USA, and
Revised 31 January 2018
Accepted 7 February 2018
Yufei Yuan, Norm Archer and Catherine E. Connelly
DeGroote School of Business, McMaster University, Hamilton, Ontario, Canada
Abstract
Purpose – Effective information security management is a strategic issue for organizations to safeguard
their information resources. Strategic value alignment is a proactive approach to manage value conflict in
information security management. Applying a critical success factor (CSF) analysis approach, this paper aims
to propose a CSF model based on a strategic alignment approach and test a model of the main factors that
contributes to the success of information security management.
Design/methodology/approach – A theoretical model was proposed and empirically tested with data
collected from a survey of managers who were involved in decision-making regarding their companies’
information security (N = 219). The research model was validated using partial least squares structural
equation modeling approach.
Findings – Overall, the model was successful in capturing the main antecedents of information security
management performance. The results suggest that with business alignment, top management support and
organizational awareness of security risks and controls, effective information security controls can be
developed, resulting in successful information security management.
Originality/value – Findings from this study provide several important contributions to both theory and
practice. The theoretical model identifies and verifies key factors that impact the success of information
security management at the organizational level from a strategic management perspective. It provides
practical guidelines for organizations to make more effective information security management.
Keywords Information security management, Top management support, Business alignment,
Critical success factor, Organizational awareness, Value alignment
Paper type Research paper
1. Introduction
Information is a valuable resource that is critical for an organization’s success, but it is also
vulnerable to a variety of attacks from both inside and outside of the organization (Lowry
and Moody, 2015). With the growing threat and severity of security attacks, information
security has become increasingly important to the survival of organizations. An
organization’s main objective is to provide valuable services to society. By doing so, it also
generates profits or other benefits to the organization, as well as benefits to its employees
and customers. Information is useful to help organizations to make better decisions and
Information & Computer Security
provide better services. Information security, however, is not directly linked to this mission.
Vol. 26 No. 2, 2018
pp. 150-170
Rather, it deals with the negative aspects of security threats, which is something to avoid if
© Emerald Publishing Limited at all possible (Liang and Xue, 2009). This often creates value conflict. For instance,
2056-4961
DOI 10.1108/ICS-06-2017-0042 managers who focus on using a company’s resources for business competition may ignore
security risks and optimistically think that these attacks will not happen (Rhee et al., 2012). Strategic value
This results from viewing information security as a burden and not wanting to spend alignment
money on it. In general, employees are expected to do good jobs to be rewarded. They may
have value conflicts toward security and view security policy as unnecessary or interfering
with productivity (Guo et al., 2011). From a customer perspective, the focus is to get good
service conveniently. Therefore, customers may also view security measures such as
complex password setting as headaches or the use of biometric identity authentication with
privacy concerns (Breward et al., 2017). To improve information security, the key is to 151
recognize such value conflicts and find a way to deal with them effectively. Literature has
shown that the most proactive way to deal with value conflicts is to work toward value
alignment (Lynn Fitzpatrick, 2007). Specifically, for security-related value conflicts, it is
important to create value alignment for all the parties involved in information security
management (ISM).
ISM has been recognized widely as strategically important to organizations (Ma et al.,
2009; Nazareth and Choi, 2015). The goal of ISM is to protect the confidentiality, integrity
and availability of information and to mitigate the various risks and threats to such
information (Chang et al., 2011; Posthumus and von Solms, 2004). Even though information
security has been consistently identified at the top of the information systems (IS) agenda
(Dutta and McCrohan, 2002), research on organizational perspectives of security
management is limited as yet, but it is beginning to emerge as a field of study (Ransbotham
and Mitra, 2009; Soomro et al., 2016).
In practice, ISM standards are among the most widely used methods of security
management. These standards aim to provide an international, authoritative and
comprehensive benchmark for IS security and have been considered as being the keystone
in any successful ISM activities (Von Solms, 1999). However, most ISM standards and
guidelines are fostered by an appeal to common practice, offering little evidence of their
usefulness and relevance in practice (Siponen, 2005). Practitioners have no way of
evaluating the reliability (or objectivity) of the claimed best practices (Siponen and Willison,
2009). Hence, there is a need for rigorous qualitative and quantitative empirical studies to
test and refine ISM methods in practical settings.
Effective ISM must implement organizational-level solutions to security problems in the
organization’s socio-organizational context (Kayworth and Whitten, 2010). Consequently,
practitioners and scholars have recognized that the emphasis of information security should
go beyond technical controls and incorporate business process and organizational issues
(Choobineh et al., 2007; Culnan et al., 2008; Kayworth and Whitten, 2010; Ma et al., 2009;
Parakkattu and Kunnathur, 2010; Siponen, 2005; Siponen et al., 2009; Van Niekerk and Von
Solms, 2010). To achieve an acceptable level of information security, an appropriate set of
security controls must be identified, implemented and maintained within the organization.
However, even with well-developed security controls, organizations may not achieve ISM
success if there is no organizational support and organizational awareness of security within
the organization. Because of the complexity of security management issues and value
conflicts, professional guidelines are very much needed. To address this research gap, this
study focuses on ISM at the organizational level. Using strategic value alignment approach,
we study the organizational factors that determine the success of ISM. In this study, ISM is
defined as a systematic process of effectively coping with information security threats and
risks in an organization, through the application of a suitable range of physical, technical or
operational security controls to protect information assets and achieve business goals.
Building on the IS literature and ISM standards, this study attempts to fill the void in the
understanding of ISM effectiveness by identifying critical success factors (CSFs) of ISM and
ICS developing an ISM performance model to empirically test the validity of the identified CSFs.
26,2 More specifically, this study tries to answer the following questions:
Q1. What are the critical factors that must be present to make ISM effective?
152 The rest of the paper is organized as follows. In the next section, the research background
and theoretical foundation of this study are presented. Then a research model is developed,
along with relevant hypotheses. The related methodology for model verification is
discussed. Finally, following data analysis, discussion and conclusions highlight
implications of this work for future research and practice.
2. Research background
2.1 Value conflict and value alignment for information security management
According to Lynn (2007), values are defined as peoples’ preferences and priorities that
reflect what is important to them. Values are the foundation on which organizations are
built. Although organizational values were defined as the values shared by its members, it is
possible that not every member of the organization shares all its values to the same extent.
Conflict may occur when people have different ideas about what is important, as well as
different answers for something that requires resolution. Conflict can be either productive or
unproductive, depending on how collaboration is managed. Without a higher order
organizing principle, an organization may self-organize into various structural conflicts
(Fritz, 1999). To avoid unproductive conflict, there must be enough alignment between ends
and means values for progress toward the overall mission and vision to occur (Hultman and
Gellermann, 2002). In the case of ISM, value conflict may exist among managers, IT
departments, employees and consumers because of different priorities and a lack of security
awareness. Researchers have identified value conflict phenomena such as self-defense of
security violations with neutralization theory (Siponen and Vance, 2010) and conflict
resolving approaches such as sanctions to stop security violations based on deterrence
theory (D’Arcy et al., 2009). However, this approach may not be effective (Hu et al., 2011).
Reactive problem-solving approaches generally address symptoms rather than causes and
the “flurry of activity hides what is really going on” (Fritz, 1999, p. 9). A proactive value
alignment approach recognizes the importance of strategic alignment between a company’s
overall business strategy and its ISM strategy. This strategic alignment will tend to promote
top management support and bolster organizational awareness of security risks, thus
enhancing the implementation of security controls. This will result in achieving successful
ISM measured from balanced and interrelated perspectives including business value,
stakeholder orientation, internal processes and future readiness.
Current studies on ISM focus on the conceptual understanding of ISM, the performance
evaluation of ISM and the factors that affect the success of ISM. A few papers have provided
conceptual view of ISM at the organizational level from different perspectives: as an
integrated component in corporate governance (Johnston and Hale, 2009; Posthumus and
von Solms, 2004; Tsohou et al., 2015; von Solms and von Solms, 2006), as a form of risk
management (Chang et al., 2011; Dhillon and Backhouse, 2001; Webb et al., 2014) and as a
life cycle of dynamic multiple-phase decision-making (Ma et al., 2009; Nazareth and Choi,
2015; Nyanchama, 2005; Pipkin, 2000). A group of researchers has called for investigating
the quality of information security programs (Choobineh et al., 2007). Some scholars have
developed performance indexes for ISM based on a balanced scorecard (BSC) model with
limited testing (Herath et al., 2010). However, the comprehensive performance measurement
of ISM success needs to be further developed and empirically verified. Other papers have Strategic value
tried to examine the influence of organizational factors on the effectiveness of ISM alignment
implementation (Singh et al., 2014) in a specific context such as e-government (Smith and
Jamieson, 2006) or small- and medium-sized businesses (Chang and Ho, 2006; Singh and
Gupta, 2014; Smith and Jamieson, 2006; Yildirim et al., 2011). Indeed, some organizational
factors in ISM have been recognized in the literature (Kayworth and Whitten, 2010; Singh
et al., 2014; Soomro et al., 2016). However, there is a lack of empirical evidence or general
theoretical frameworks for ISM success especially from strategic value alignment 153
perspective. It has been suggested that empirical studies in relation to the issues of security
management and the development of secure IS based on suitable reference theories, are
particularly necessary (Siponen and Oinas-Kukkonen, 2007).
Top
Management
Support ISM Performance
H7
H1
H5 Business Values
H3
Business H4 Security H9 Internal Process
Alignment Controls
User Orientation
H6
H2
H8
Future Readiness
Organizational
Figure 1.
Awareness
Research model
ICS deployment of the resources needed to support ISM. Business alignment facilitates top
26,2 management support for ISM, suggesting the hypothesis:
H1. Business alignment positively affects top management support of ISM.
158 The development and implementation of a set of effective information security controls
contributes to information security effectiveness (Chang and Lin, 2007; Doherty et al., 2009;
Singh et al., 2013). A clearly defined set of policies regarding proper and improper use of the
information system is a precondition to implementing effective security management
(Straub, 1990). Better designed and implemented controls will result in better control
performance from fewer errors or increased efficiency (Spears and Barki, 2010). To
determine whether ISM is meeting its goals, the organization needs to measure the progress
of all organizational security controls (Ma et al., 2009). In addition, complying with ISM
standards constitutes important drivers to success of ISM (Martins and Eloff, 2002). We
therefore hypothesize that:
H9. Effective security controls positively influence the performance of ISM.
4. Research method
All constructs were measured by multiple items. As very limited empirical studies have
been done on ISM at the organization level, few predefined scales were found for the
social-organizational factors of ISM. Thus, new multiple-item scales were constructed
for this study. Wherever possible, initial scale items were taken from validated
measures in the existing literature, reworded to relate to the context of ISM. The items
were scored on a five-point Likert scale, ranging from 1 (strongly disagree) to 5
(strongly agree).
A combination of methods was used on separate samples to examine how the CSFs of ISM
affect ISM performance. In the first phase, two interviews were conducted with IT
professionals who had worked on ISM to discern key information from practitioners about
critical factors that make ISM effective and about ISM performance measurement. The main
CSFs they mentioned were business alignment, top management support, organizational
security education and training, technical competence and formal information security controls.
These factors were consistent with most of the CSFs we abstracted from prior literature.
Because we tried to focus on the socio-organizational issues, we did not include technical
competence into our model. This interview information was then used to aid in research
instrument development. In the second phase, a pilot study (n = 99) was conducted in North
America for refining and validating the measurement scales derived partly from existing scales
which were adapted to the context of ISM. The results suggested that the scales of the five
reflective constructs were reliable and valid. All items were kept without modification, which
retained content validity. The final list of items is provided in Appendix.
In the third phase, statistical data were collected in a field survey. Participation in the
study was voluntary. Participants were chief information officers, chief security officers, IT
managers, information security managers and senior IT staff. All participants were actively
involved with decision-making regarding their company’s information security. Because of
the sensitivity of the topic and the difficulty of reaching IT managers directly, participants
were recruited by a commercial market research company, Empanel Online[1]. Finally, a
usable data set of 219 cases was obtained for testing the theoretical model. The demographic
characteristics of the participants are summarized in Table I.
Demographic Group Count (%)
Strategic value
alignment
Job position Chief information officer (CIO) 54 24.7
Chief security officer (CSO) 24 11.0
IT manager 87 39.7
Information security manager 22 10.0
Senior IT staff 23 10.5
Other 9 4.1 159
Industry Manufacturing 49 22.4
Retail and distribution 18 8.2
Financial Services 21 9.6
Technology 65 29.7
Health 23 10.5
Telecommunication 14 6.4
Travel, leisure and entertainment 1 0.5
Education 8 3.7
Utilities, energy and mining 4 1.8
Government 2 0.9
Other 14 6.4
Organization type Domestic 128 58.4
International 91 41.6
Organization size 1-50 18 8.2
Table I.
51-200 36 16.5
201-500 71 32.4 Demographic
Above 500 94 42.9 characteristics of
Applied security standard Yes 70 32.0 participants
No 149 68.0 (N = 219)
5. Data analysis
The research model was tested using partial least square (PLS) software, specifically
WarpPLS 5.0 (Kock, 2015). Analyses were performed to evaluate both the measurement and
the structural models.
All item loadings are greater than 0.70 and significant (p < 0.001). As shown in Table II,
AVE for each construct is greater than 0.50 and the square root of AVE for each construct
meets the criterion of 0.707. Furthermore, the composite reliabilities of all constructs are also
greater than 0.80. Based on the above criteria, the PLS results indicate a satisfactory level of
convergent validity.
Discriminant validity is verified by the difference between the AVE of a construct and its
correlations with other constructs. Discriminant validity is achieved if the square root of
each construct’s AVE is greater than its correlations with other constructs and item loadings
on their respective constructs are greater than their cross loadings on other constructs
(Fornell and Larcker, 1981; Johnston and Warkentin, 2010).
Item loadings on their corresponding constructs are greater than their cross loadings on
other constructs. The highest construct correlation is 0.75 and the lowest square root of AVE
is 0.77, which demonstrate that the square root of each construct’s AVE is greater than its
correlations with other constructs. Thus, the PLS results indicate an acceptable level of
discriminant validity.
161
Business 0.42*** Security Controls 0.15* ISM Performance
Alignment (R 2 = 0.69) (R 2 = 0.57)
Organizational
Awareness
(R 2 = 0.59) Figure 2.
PLS model
testing results
Notes: ***p < 0.001; *p < 0.05
the main antecedents of ISM performance. The proposed research model analysis verified all
the hypotheses, answering the two proposed research questions. The results from the model
also support the application of the BSC framework for measuring ISM performance. This
indicates that a BSC framework, which is widely used to measure common organization
performance, is also suited to measuring intangible assets such as ISM.
Note
1. Available at: www.empanelonline.com
References
Ahimbisibwe, A., Ahimbisibwe, A., Daellenbach, U., Daellenbach, U., Cavana, R.Y. and Cavana, R.Y.
(2017), “Empirical comparison of traditional plan-based and agile methodologies: critical success
factors for outsourced software development projects from vendors’ perspective”, Journal of
Enterprise Information Management, Vol. 30 No. 3, pp. 400-453.
Aksorn, T. and Hadikusumo, B.H.W. (2008), “Critical success factors influencing safety program
performance in Thai construction projects”, Safety Science, Vol. 46 No. 4, pp. 709-727.
Barlette, Y. and Fomin, V.V. (2009), “The adoption of information security management standards: a
literature review”, IGI Global, pp. 119-140.
Barling, J., Loughlin, C. and Kelloway, E.K. (2002), “Development and test of a model linking safety-
specific transformational leadership and occupational safety”, Journal of Applied Psychology,
Vol. 87 No. 3, pp. 488-496.
Bremser, W.G. and Chung, Q. (2005), “A framework for performance measurement in the E-business
environment”, Electronic Commerce Research and Application, Vol. 4 No. 4, pp. 395-412.
Breward, M., Hassanein, K. and Head, M. (2017), “Understanding consumers’ attitudes toward
controversial information technologies: a contextualization approach”, Information Systems
Research, Vol. 28 No. 4, pp. 760-774.
Chan, M., Woon, I. and Kankanhalli, A. (2005), “Perceptions of information security in the workplace:
linking information security climate to compliant behavior”, Journal of Information Privacy and
Security, Vol. 1 No. 3, pp. 18-41.
Chang, S.E. and Ho, C.B. (2006), “Organizational factors to the effectiveness of implementing information
security management”, Industrial Management & Data Systems, Vol. 106 No. 3, pp. 345-361.
Chang, S.E. and Lin, C.-S. (2007), “Exploring organizational culture for information security
management”, Industrial Management & Data Systems, Vol. 107 No. 3, pp. 438-458.
Chang, S.E., Chen, S.-Y. and Chen, C.-Y. (2011), “Exploring the relationships between it capabilities and
information security management”, International Journal of Technology Management, Vol. 54
Nos 2/3, pp. 147-166.
ICS Chin, W.W. (1998), “The partial least squares approach to structural equation modeling”, in in Marcoulides,
G.A. (ed.), Modern Methods for Business Research, lawrence Erlbaum, Mahwah, NJ, pp. 295-336.
26,2
Choobineh, J., Dhillon, G., Grimaila, M.R. and Rees, J. (2007), “Management of information security:
challenges and research directions”, Communications of the Association for Information
Systems, Vol. 20 No. 1, pp. 958-971.
Culnan, M.J., Foxman, E.R. and Ray, A.W. (2008), “Why it executives should help employees secure
164 their home computers”, MIS Quarterly Executive, Vol. 7 No. 1, pp. 49-56.
Cumps, B., Martens, D., De Backer, M., Haesen, R., Viaene, S., Dedene, G., Baesens, B. and Snoeck, M.
(2009), “Inferring comprehensible business/Ict alignment rules”, Information & Management,
Vol. 46 No. 2, pp. 116-124.
D’Arcy, J., Hovav, A. and Galletta, D. (2009), “User awareness of security countermeasures and its
impact on information systems misuse: a deterrence approach”, Information Systems Research,
Vol. 20 No. 1, pp. 79-98.
Datta, S.P. and Banerjee, P. (2011), “Guidelines for performance measures of information security of it
network and systems”, International Journal of Research and Reviews in Next Generation
Networks, Vol. 1 No. 1, pp. 39-43.
Davies, T. (2002), “The ‘Real’ success factors on projects”, International Journal of Project Management,
Vol. 20 No. 3, pp. 185-190.
Dhillon, G. and Backhouse, J. (2001), “Current directions in is security research: towards socio-
organizational perspectives”, Information Systems Journal, Vol. 11 No. 2, pp. 127-153.
Doherty, N.F. and Fulford, H. (2006), “Aligning the information security policy with the strategic
information systems plan”, Computers & Security, Vol. 25 No. 1, pp. 55-63.
Doherty, N.F., Anastasakis, L. and Fulford, H. (2009), “The information security policy unpacked: a
critical study of the content of university policies”, International Journal of Information
Management, Vol. 29 No. 6, pp. 449-457.
Dutta, A. and McCrohan, K. (2002), “Management’s role in information security in a cyber economy”,
California Management Review, Vol. 45 No. 1, pp. 67-87.
Erkan, K. (2005), “Evaluating it security performance with quantifiable metrics”, available at: http://
citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.102.4000&rep=rep1&type=pdf
Falk, R.F. and Miller, N.B. (1992), A Primer for Soft Modeling, University of Akron Press, Akron, OH.
Fornell, C. and Larcker, D.F. (1981), “Evaluating structural equation models with unobservable
variables and measurement error”, Journal of Marketing Research, Vol. 18 No. 1, pp. 39-50.
Fritz, R. (1999), The Path of Least Resistance for Managers: Designing Organizations to Succeed,
Berrett-Koehler Publishers, Oakland, CA.
Gerow, J.E., Grover, V., Thatcher, J. and Roth, P.L. (2014), “Looking toward the future of it – business
strategic alignment through the past: a meta-analysis”, MIS Quarterly, Vol. 38 No. 4, pp. 1159-1185.
Guo, K.H., Yuan, Y., Archer, N.P. and Connelly, C.E. (2011), “Understanding nonmalicious security
violations in the workplace: a composite behavior model”, Journal of Management Information
Systems, Vol. 28 No. 2, pp. 203-236.
Hagen, M.J., Albrechtsen, E. and Hovden, J. (2008), “Implementation and effectiveness of organizational
information security measures”, Information Management & Computer Security, Vol. 16 No. 4,
pp. 377-397.
Herath, T., Herath, H. and Bremser, W.G. (2010), “Balanced scorecard implementation of security
strategies: a framework for it security performance management”, Information Systems
Management, Vol. 27 No. 1, pp. 72-81.
Huang, S.-M., Lee, C.-L. and Kao, A.-C. (2006), “Balancing performance measures for information
security management: a balanced scorecard framework”, Industrial Management & Data
Systems, Vol. 106 No. 2, pp. 242-255.
Hu, Q., Dinev, T., Hart, P. and Cooke, D. (2012), “Managing employee compliance with information Strategic value
security policies: the critical role of top management and organizational culture”, Decision
Sciences, Vol. 43 No. 4, pp. 615-660. alignment
Hu, Q., Xu, Z., Dinev, T. and Ling, H. (2011), “Does deterrence work in reducing information security
policy abuse by employees?”, Communications of the ACM, Vol. 54 No. 6, pp. 54-60.
Hultman, K. and Gellermann, W. (2002), Balancing Individual and Organizational Values: Walking the
Tightrope to Success, Jossey-Bass/Pfeiffer, San Francisco, CA.
ISO/IEC (2013), “Iso/Iec 27001:2013 information technology – security techniques – information
165
security management systems – requirements”, 2nd Ed., ISO/IEC, Geneva.
Johnston, A.C. and Hale, R. (2009), “Improved security through information security governance”,
Communications of the ACM, Vol. 52 No. 1, pp. 126-129.
Johnston, A.C. and Warkentin, M. (2010), “Fear appeals and information security behaviors: an
empirical study”, MIS Quarterly, Vol. 34 No. 3, pp. 549-566.
Kaplan, R.S. and Norton, D.P. (1992), “The balanced scorecard-measures that drive performance”,
Harvard Business Review, Vol. 70 No. 1, pp. 71-79.
Kaplan, R.S. and Norton, D.P. (1993), “Putting the balanced scorecard to work”, Harvard Business
Review, Vol. 71 No. 5, pp. 134-147.
Kaplan, R.S. and Norton, D.P. (2004), “The strategy map: guide to aligning intangible asset”, Strategy &
Leadership, Vol. 32 No. 5, pp. 10-17.
Katzenbach, J. and Smith, D.K. (2003), The Wisdom of Teams, 3rd Ed. HarperCollins Publishers,
New York, NY.
Kayworth, T. and Whitten, D. (2010), “Effective information security requires a balance of social and
technology factors”, MIS Quarterly Executive, Vol. 9 No. 3, pp. 163-175.
Knapp, K.J., Marshall, T.E., Rainer, R.K. and Ford, N.F. (2006), “Information security: management’s
effect on culture and policy”, Information Management & Computer Security, Vol. 14 No. 1,
pp. 24-36.
Knapp, K.J., Morris, F., Jr, Marshall, T.E. and Byrd, T.A. (2009), “Information security policy: an
organizational-level process model”, Computers & Security, Vol. 28 No. 7, pp. 493-508.
Kock, N. (2015), Warppls 5.0. Laredo, ScriptWarp Systems, Texas.
Lebek, B., Uffen, J., Neumann, M., Hohler, B. and Breitner, M.H. (2014), “Information security awareness
and behavior: a theory-based literature review”, Management Research Review, Vol. 37 No. 12,
pp. 1049-1092.
Lee, S. and Ahn, H. (2008), “Assessment of process improvement from organizational change”,
Information & Management, Vol. 45 No. 5, pp. 270-280.
Liang, H. and Xue, Y. (2009), “Avoidance of information technology threats: a theoretical perspective”,
MIS Qquarterly, Vol. 33 No. 1, pp. 71-90.
Lowry, P.B. and Moody, G.D. (2015), “Proposing the control-reactance compliance model (Crcm) to
explain opposing motivations to comply with organisational information security policies”,
Information Systems Journal, Vol. 25 No. 5, pp. 433-463.
Luftman, J., Kempaiah, R. and Nash, E. (2006), “Key issues for it executives 2005”, MIS Quarterly
Executive, Vol. 5 No. 2, pp. 81-99.
Lynn Fitzpatrick, R. (2007), “A literature review exploring values alignment as a proactive approach to
conflict management”, International Journal of Conflict Management, Vol. 18 No. 3, pp. 280-305.
Ma, Q., Schmidt, M.B. and Pearson, J.M. (2009), “An integrated framework for information security
management”, Review of Business, Vol. 30 No. 1, pp. 58-69.
Maarop, N., Thamadharan, K., Samy, G.N., Zainuddin, N.M.M., Azmi, A., Yusop, O.M. and Azizan, A.
(2016), “Information security management system implementation success factors: a review”,
Advanced Science Letters, Vol. 22 No. 10, pp. 3023-3026.
ICS Marr, B. and Schiuma, G. (2003), “Business performance measurement – past, present and future”,
Management Decision, Vol. 41 No. 8, pp. 680-687.
26,2
Martin, C., Bulkan, A. and Klempt, P. (2011), “Security excellence from a total quality management
approach”, Total Quality Management, Vol. 22 No. 3, pp. 345-371.
Martins, A. and Eloff, J. (2002), “Assessing information security culture”, Information Security South
Africa (ISSA), Johannesburg, South Africa, pp. 1-14.
166 Mohr, J. and Spekman, R. (1994), “Characteristics of partnership success: partnership attributes,
communication behavior, and conflict resolution techniques”, Strategic Management Journal,
Vol. 15 No. 2, pp. 135-152.
Nazareth, D.L. and Choi, J. (2015), “A system dynamics model for information security management”,
Information & Management, Vol. 52 No. 1, pp. 123-134.
Nyanchama, M. (2005), “Enterprise vulnerability management and its role in information security
management”, Information Systems Security, Vol. 14 No. 3, pp. 29-56.
Parakkattu, S. and Kunnathur, A.S. (2010), “A framework for research in information security
management”, 2010 Northeast Decision Sciences Institute Proceedings, pp. 318-323.
Pipkin, D.L. (2000), Information Security: Protecting the Global Enterprise, Prentice-Hall PTR, Upper
Saddle River, NJ.
Posthumus, S. and von Solms, R. (2004), “A framework for the governance of information security”,
Computers & Security, Vol. 23 No. 8, pp. 638-646.
Psomas, E. (2016), “The underlying factorial structure and significance of the six sigma difficulties and
critical success factors: the Greek case”, The TQM Journal, Vol. 28 No. 4, pp. 530-546.
Ransbotham, S. and Mitra, S. (2009), “Choice and chance: a conceptual model of paths to information
security compromise”, Information Systems Research, Vol. 20 No. 1, pp. 121-139.
Rhee, H.S., Ryu, Y.U. and Kim, C.T. (2012), “Unrealistic optimism on information security
management”, Computers & Security, Vol. 31 No. 2, pp. 221-232.
Rivard, S., Raymond, L. and Verreault, D. (2006), “Resource-based view and competitive strategy: an
integrated model of the contribution of information technology to firm performance”, Journal of
Strategic Information Systems, Vol. 15 No. 1, pp. 29-50.
Rockart, J.F. (1979), “Chief executives define their own data needs”, Harvard Business Review, Vol. 57
No. 2, pp. 81-93.
Rockart, J.F. (1982), “The changing role of the information systems executive: a critical success factors
perspective”, Sloan Management Review, Vol. 6 No. 1, pp. 3-13.
Singh, A.N. and Gupta, M.P. (2014), “Identifying factors of ‘organizational information security
management’”, Journal of Enterprise Information Management Decision, Vol. 27 No. 5,
pp. 644-667.
Singh, A.N., Gupta, M.P. and Ojha, A. (2014), “Identifying factors of ‘organizational information
security management’”, Journal of Enterprise Information Management, Vol. 27 No. 5,
pp. 1-24.
Singh, A.N., Picot, A., Kranz, J., Gupta, M.P. and Ojha, A. (2013), “Information securitymanagement
(Ism) practices: lessons from select cases from India Andgermany”, Global Journal of Flexible
Systems Management, Vol. 14 No. 4, pp. 225-239.
Siponen, M. and Vance, A. (2010), “Neutralization: new insights into the problem of employee
information systems security policy violations”, MIS Quarterly, Vol. 34 No. 3, pp. 487-502.
Siponen, M.T. (2005), “An analysis of the traditional is security approaches: implications for research
and practice”, European Journal of Information Systems, Vol. 14 No. 3, pp. 303-315.
Siponen, M.T. and Oinas-Kukkonen, H. (2007), “A review of information security issues and respective
research contributions”, The DATA BASE for Advances in Information Systems, Vol. 38 No. 1,
pp. 60-80.
Siponen, M.T. and Willison, R. (2009), “Information security management standards: problems and Strategic value
solutions”, Information & Management, Vol. 46 No. 5, pp. 267-270.
alignment
Siponen, M.T., Mahmood, M.A. and Pahnila, S. (2009), “Are employees putting your company at risk by not
following information security policies?”, Communications of the ACM, Vol. 52 No. 12, pp. 145-147.
Smith, S. and Jamieson, R. (2006), “Determining key factors in E-government information system
security”, Information Systems Management, Vol. 23 No. 2, pp. 23-32.
Soomro, Z.A., Shah, M.H. and Ahmed, J. (2016), “Information security management needs more holistic
approach: a literature review”, International Journal of Information Management, Vol. 36 No. 2,
167
pp. 215-225.
Spears, J.L. and Barki, H. (2010), “User participation in information systems security risk management”,
MIS Quarterly, Vol. 34 No. 3, pp. 503-522.
Straub, D.W. (1988), “Organizational structuring of the computer security function”, Computers &
Security, Vol. 7 No. 2, pp. 185-195.
Straub, D.W. (1990), “Effective is security: an empirical study”, Information Systems Research, Vol. 1
No. 3, pp. 255-276.
Straub, D.W. and Collins, R.W. (1990), “Key information liability issues facing managers: software piracy,
proprietary databases, and individual rights to privacy”, MIS Quarterly, Vol. 14 No. 2, pp. 143-156.
Straub, D.W. and Welke, R.J. (1998), “Coping with systems risk: security planning models for
management decision making”, MIS Quarterly, Vol. 22 No. 4, pp. 441-470.
Tsohou, A., Karyda, M., Kokolakis, S. and Kiountouzis, E. (2015), “Managing the introduction of
information security awareness programmes in organisations”, European Journal of
Information Systems, Vol. 24 No. 1, pp. 38-58.
Van Niekerk, J.F. and Von Solms, R. (2010), “Information security culture: a management perspective”,
Computers & Security, Vol. 29 No. 4, pp. 476-486.
Von Solms, B. and Von Solms, R. (2004), “The 10 deadly sins of information security management”,
Computers & Security, Vol. 23 No. 5, pp. 371-376.
Von Solms, R. (1999), “Information security management: why standards are important”, Information
Management & Computer Security, Vol. 7 No. 1, pp. 50-58.
von Solms, R. and von Solms, S.H.B. (2006), “Information security governance: a model based on the
direct–control cycle”, Computers & Security, Vol. 25 No. 6, pp. 408-412.
Warkentin, M. and Willison, R. (2009), “Behavioral and policy issues in information systems security:
the insider threat”, European Journal of Information Systems, Vol. 18 No. 2, pp. 101-105.
Webb, J., Maynard, S., Ahmad, A. and Shanks, G. (2014), “Information security risk management: an
intelligence-driven approach”, Australasian Journal of Information Systems, Vol. 18 No. 3, pp. 391-404.
Werlinger, R., Hawkey, K. and Beznosov, K. (2009), “An integrated view of human, organizational, and
technological challenges of it security management”, Information Management & Computer
Security, Vol. 17 No. 1, pp. 4-19.
Whitman, M.E. (2008), “Security policy: from design to maintenance”, in Straub, D.W., Goodman, S.
and Baskerville, R.L. (Eds), Information Security: Policy, Processes, and Practices, M. E. Sharpe,
Armonk, NY, pp. 123-151.
Yeoh, W. and Popovic, A. (2016), “Extending the understanding of critical success factors for
implementing business intelligence systems”, Journal of the Association for Information Science
and Technology, Vol. 67 No. 1, pp. 134-147.
Yildirim, E.Y., Akalp, G., Aytac, S. and Bayram, N. (2011), “Factors influencing information security
management in small-and medium-sized enterprises: a case study from Turkey”, International
Journal of Information Management, Vol. 31 No. 4, pp. 360-365.
Zammani, M. and Razali, R. (2016), “Information security management success factors”, Advanced
Science Letters, Vol. 22 No. 8, pp. 1924-1929.
ICS Appendix
26,2
Construct Item Source Literature
For instructions on how to order reprints of this article, please visit our website:
www.emeraldgrouppublishing.com/licensing/reprints.htm
Or contact us for further details: permissions@emeraldinsight.com