The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/2056-4961.htm
ICS
26,2
150
Received 4 April 2017
Revised 31 January 2018
Accepted 7 February 2018
Information & Computer Security
Vol. 26 No. 2, 2018
pp. 150-170
© Emerald Publishing Limited
2056-4961
DOI 10.1108/ICS-06-2017-0042
Strategic value alignment for
information security management:
a critical success factor analysis
Cindy Zhiling Tu
School of Computer Science and Information Systems,
Northwest Missouri State University, Maryville, Missouri, USA, and
Yufei Yuan, Norm Archer and Catherine E. Connelly
DeGroote School of Business, McMaster University, Hamilton, Ontario, Canada
Abstract
Purpose – Effective information security management is a strategic issue for organizations to safeguard
their information resources. Strategic value alignment is a proactive approach to manage value conflict in
information security management. Applying a critical success factor (CSF) analysis approach, this paper aims
to propose a CSF model based on a strategic alignment approach and test a model of the main factors that
contributes to the success of information security management.
Design/methodology/approach – A theoretical model was proposed and empirically tested with data
collected from a survey of managers who were involved in decision-making regarding their companies’
information security (N = 219). The research model was validated using partial least squares structural
equation modeling approach.
Findings – Overall, the model was successful in capturing the main antecedents of information security
management performance. The results suggest that with business alignment, top management support and
organizational awareness of security risks and controls, effective information security controls can be
developed, resulting in successful information security management.
Originality/value – Findings from this study provide several important contributions to both theory and
practice. The theoretical model identifies and verifies key factors that impact the success of information
security management at the organizational level from a strategic management perspective. It provides
practical guidelines for organizations to make more effective information security management.
Keywords Information security management, Top management support, Business alignment,
Critical success factor, Organizational awareness, Value alignment
Paper type Research paper
1. Introduction
Information is a valuable resource that is critical for an organization’s success, but it is also
vulnerable to a variety of attacks from both inside and outside of the organization (Lowry
and Moody, 2015). With the growing threat and severity of security attacks, information
security has become increasingly important to the survival of organizations. An
organization’s main objective is to provide valuable services to society. By doing so, it also
generates profits or other benefits to the organization, as well as benefits to its employees
and customers. Information is useful to help organizations to make better decisions and
provide better services. Information security, however, is not directly linked to this mission.
Rather, it deals with the negative aspects of security threats, which is something to avoid if
at all possible (Liang and Xue, 2009). This often creates value conflict. For instance,
managers who focus on using a company’s resources for business competition may ignore
security risks and optimistically think that these attacks will not happen (Rhee et al., 2012). Strategic value
This results from viewing information security as a burden and not wanting to spend alignment
money on it. In general, employees are expected to do good jobs to be rewarded. They may
have value conflicts toward security and view security policy as unnecessary or interfering
with productivity (Guo et al., 2011). From a customer perspective, the focus is to get good
service conveniently. Therefore, customers may also view security measures such as
complex password setting as headaches or the use of biometric identity authentication with
privacy concerns (Breward et al., 2017). To improve information security, the key is to 151
recognize such value conflicts and find a way to deal with them effectively. Literature has
shown that the most proactive way to deal with value conflicts is to work toward value
alignment (Lynn Fitzpatrick, 2007). Specifically, for security-related value conflicts, it is
important to create value alignment for all the parties involved in information security
management (ISM).
ISM has been recognized widely as strategically important to organizations (Ma et al.,
2009; Nazareth and Choi, 2015). The goal of ISM is to protect the confidentiality, integrity
and availability of information and to mitigate the various risks and threats to such
information (Chang et al., 2011; Posthumus and von Solms, 2004). Even though information
security has been consistently identified at the top of the information systems (IS) agenda
(Dutta and McCrohan, 2002), research on organizational perspectives of security
management is limited as yet, but it is beginning to emerge as a field of study (Ransbotham
and Mitra, 2009; Soomro et al., 2016).
In practice, ISM standards are among the most widely used methods of security
management. These standards aim to provide an international, authoritative and
comprehensive benchmark for IS security and have been considered as being the keystone
in any successful ISM activities (Von Solms, 1999). However, most ISM standards and
guidelines are fostered by an appeal to common practice, offering little evidence of their
usefulness and relevance in practice (Siponen, 2005). Practitioners have no way of
evaluating the reliability (or objectivity) of the claimed best practices (Siponen and Willison,
2009). Hence, there is a need for rigorous qualitative and quantitative empirical studies to
test and refine ISM methods in practical settings.
Effective ISM must implement organizational-level solutions to security problems in the
organization’s socio-organizational context (Kayworth and Whitten, 2010). Consequently,
practitioners and scholars have recognized that the emphasis of information security should
go beyond technical controls and incorporate business process and organizational issues
(Choobineh et al., 2007; Culnan et al., 2008; Kayworth and Whitten, 2010; Ma et al., 2009;
Parakkattu and Kunnathur, 2010; Siponen, 2005; Siponen et al., 2009; Van Niekerk and Von
Solms, 2010). To achieve an acceptable level of information security, an appropriate set of
security controls must be identified, implemented and maintained within the organization.
However, even with well-developed security controls, organizations may not achieve ISM
success if there is no organizational support and organizational awareness of security within
the organization. Because of the complexity of security management issues and value
conflicts, professional guidelines are very much needed. To address this research gap, this
study focuses on ISM at the organizational level. Using strategic value alignment approach,
we study the organizational factors that determine the success of ISM. In this study, ISM is
defined as a systematic process of effectively coping with information security threats and
risks in an organization, through the application of a suitable range of physical, technical or
operational security controls to protect information assets and achieve business goals.
Building on the IS literature and ISM standards, this study attempts to fill the void in the
understanding of ISM effectiveness by identifying critical success factors (CSFs) of ISM and
ICS developing an ISM performance model to empirically test the validity of the identified CSFs.
26,2 More specifically, this study tries to answer the following questions:
Q1. What are the critical factors that must be present to make ISM effective?

Q2. How do these factors contribute to the success of ISM?

152 The rest of the paper is organized as follows. In the next section, the research background
and theoretical foundation of this study are presented. Then a research model is developed,
along with relevant hypotheses. The related methodology for model verification is
discussed. Finally, following data analysis, discussion and conclusions highlight
implications of this work for future research and practice.

2. Research background
2.1 Value conflict and value alignment for information security management
According to Lynn (2007), values are defined as peoples’ preferences and priorities that
reflect what is important to them. Values are the foundation on which organizations are
built. Although organizational values were defined as the values shared by its members, it is
possible that not every member of the organization shares all its values to the same extent.
Conflict may occur when people have different ideas about what is important, as well as
different answers for something that requires resolution. Conflict can be either productive or
unproductive, depending on how collaboration is managed. Without a higher order
organizing principle, an organization may self-organize into various structural conflicts
(Fritz, 1999). To avoid unproductive conflict, there must be enough alignment between ends
and means values for progress toward the overall mission and vision to occur (Hultman and
Gellermann, 2002). In the case of ISM, value conflict may exist among managers, IT
departments, employees and consumers because of different priorities and a lack of security
awareness. Researchers have identified value conflict phenomena such as self-defense of
security violations with neutralization theory (Siponen and Vance, 2010) and conflict
resolving approaches such as sanctions to stop security violations based on deterrence
theory (D’Arcy et al., 2009). However, this approach may not be effective (Hu et al., 2011).
Reactive problem-solving approaches generally address symptoms rather than causes and
the “flurry of activity hides what is really going on” (Fritz, 1999, p. 9). A proactive value
alignment approach recognizes the importance of strategic alignment between a company’s
overall business strategy and its ISM strategy. This strategic alignment will tend to promote
top management support and bolster organizational awareness of security risks, thus
enhancing the implementation of security controls. This will result in achieving successful
ISM measured from balanced and interrelated perspectives including business value,
stakeholder orientation, internal processes and future readiness.
Current studies on ISM focus on the conceptual understanding of ISM, the performance
evaluation of ISM and the factors that affect the success of ISM. A few papers have provided
conceptual view of ISM at the organizational level from different perspectives: as an
integrated component in corporate governance (Johnston and Hale, 2009; Posthumus and
von Solms, 2004; Tsohou et al., 2015; von Solms and von Solms, 2006), as a form of risk
management (Chang et al., 2011; Dhillon and Backhouse, 2001; Webb et al., 2014) and as a
life cycle of dynamic multiple-phase decision-making (Ma et al., 2009; Nazareth and Choi,
2015; Nyanchama, 2005; Pipkin, 2000). A group of researchers has called for investigating
the quality of information security programs (Choobineh et al., 2007). Some scholars have
developed performance indexes for ISM based on a balanced scorecard (BSC) model with
limited testing (Herath et al., 2010). However, the comprehensive performance measurement
of ISM success needs to be further developed and empirically verified. Other papers have Strategic value
tried to examine the influence of organizational factors on the effectiveness of ISM alignment
implementation (Singh et al., 2014) in a specific context such as e-government (Smith and
Jamieson, 2006) or small- and medium-sized businesses (Chang and Ho, 2006; Singh and
Gupta, 2014; Smith and Jamieson, 2006; Yildirim et al., 2011). Indeed, some organizational
factors in ISM have been recognized in the literature (Kayworth and Whitten, 2010; Singh
et al., 2014; Soomro et al., 2016). However, there is a lack of empirical evidence or general
theoretical frameworks for ISM success especially from strategic value alignment 153
perspective. It has been suggested that empirical studies in relation to the issues of security
management and the development of secure IS based on suitable reference theories, are
particularly necessary (Siponen and Oinas-Kukkonen, 2007).

2.2 Critical success factor analysis of information security management

CSFs are defined as key areas in the firm that, if they are satisfactory, will assure successful
performance for the organization (Rockart, 1979). CSFs are a widely used approach to
identify performance requirements upon which the success of the firm depends (Rockart,
1982). They were one of the earliest and most actively researched management tools (Lee
and Ahn, 2008) and have been used as management measures in different areas such as
manufacturing industry (Mohr and Spekman, 1994; Psomas, 2016), project management
(Ahimbisibwe et al., 2017; Davies, 2002), quality management (Singh and Gupta, 2014) and
business intelligence system implementation (Yeoh and Popovi
c, 2016).
Identifying suitable CSFs for ISM requires a holistic view of the organization (Smith and
Jamieson, 2006). To integrate knowledge from academic study and industry practice in the
field of ISM, we reviewed both relevant literature and information security standard ISO/
IEC 27001: 2013. Trying to bridge the gap between literature and ISM practice, we identify
the socio-organizational issues which are often viewed as critical to the successful
implementation of ISM in both literature and information security standard. By combining
the results of our review and the perspective of value alignment, we group these issues into
four key factors: business alignment, top management support, organizational awareness
and security controls (Aksorn and Hadikusumo, 2008; Chang et al., 2011; Choobineh et al.,
2007; Herath et al., 2010; Hu et al., 2012; ISO/IEC, 2013; Kayworth and Whitten, 2010; Ma
et al., 2009; Maarop et al., 2016; Nazareth and Choi, 2015; Siponen and Oinas-Kukkonen,
2007; Smith and Jamieson, 2006; Spears and Barki, 2010; Van Niekerk and Von Solms, 2010;
Von Solms, 1999; Werlinger et al., 2009; Yildirim et al., 2011).
Although some CSFs have been recognized in literature and industry security standards,
the existing critical factor analysis approach does not provide a way to analyze the
relationships between factors and empirically verify how these factors affect the
organizations performance. Spears and Barki (2010) examined user participation in IS
security risk management (SRM) and its influence in the context of regulatory compliance
via a multi-method study at the organizational level. Their model examines the relationship
between certain organizational factors of SRM. It indicates that an alignment between SRM
and the business context contributes to greater organizational awareness of IS security,
which in turn contributes to perceived improvements in control development and the
perceived performance of security controls. In addition, improvements in control
development may influence the performance of security controls. Maarop et al. (2016)
reviewed literature on ISM system (ISMS) implementation success factors. Based on 20 of
the most relevant and recent studies, ten factors were extracted which can be considered
important in the ISMS implementation. In particular, staff awareness and training and top
management support are found to be the most crucial factors in determining the successful
ICS implementation of ISMS and the rating of the importance for both factors are almost equal.
26,2 They suggested that all factors identified can be hypothesized to influence the successful
implementation of ISMS in organizations; thus, all factors identified can be further evaluated
empirically by both qualitative and quantitative methodology.

2.3 A balanced scorecard for information security management performance measurement

154 Prior literature has indicated the importance of performance evaluation for ISM (Erkan,
2005; Herath et al., 2010; Huang et al., 2006; Martin et al., 2011; Nazareth and Choi, 2015).
How to measure the performance of ISM from an organizational perspective is a big
challenge. Performance measurement should reflect common values shared by managers,
stakeholders, employees and consumers. The BSC (Kaplan and Norton, 1992; Kaplan and
Norton, 1993) is a common organizational performance measurement system, which is
widely used in practice and has been extensively researched (Marr and Schiuma, 2003). The
generic BSC model has been applied in the IS domain to measure performance of IT
management (Bremser and Chung, 2005; Huang et al., 2006; Kaplan and Norton, 2004).
Huang et al. (2006) developed a general BSC model of ISM, translating the ISM strategy
map into a Scorecard model with four perspectives: financial, customer, internal process and
learning and growth. In their study, the 80 performance indicators acquired from previous
studies were transferred into 35 key performance indicators, 12 strategic themes and one
generic model of ISM strategy map. Herath et al. (2010) also established a conceptual
framework for strategic implementation of information security performance management
using a BSC approach. Four interrelated perspectives were presented: business value,
stakeholder orientation, internal process and future readiness. However, approaches that use
the BSC model for ISM need further empirical investigation and validation. In our study, we
will adapt the BSC model for evaluation of ISM and empirically verify it.

2.4 IT-business strategic alignment model

IT-business strategic alignment refers to the fit between IS strategy and business strategy in
terms of addressing the needs, demands, goals, objectives and/or structures of each strategy
and management (Gerow et al., 2014). In the industrial environment, chief information
officers have identified IT-business strategic alignment as the top management issue along
with security and privacy as the second (Luftman et al., 2006). Aligned firms are more likely
to invest in IT and allocate resources to projects tied to overall business objectives and thus
leverage IT to create competitive advantage (Cumps et al., 2009; Rivard et al., 2006). A meta-
analysis confirmed the positive relationships between the alignment dimensions and
performance outcomes (Gerow et al., 2014). Following the same logic, we expect that in the
ISM context when an organization’s information security strategy is better aligned with the
organization’s business strategy, more organizational support will be given to ISM and at
the operational level organizational awareness of information security will be improved,
security controls can be better developed and finally the organization’s ISM will be more
successful. According to the foregoing literature review, business alignment was found to be
one of the CSFs of ISM success and it is also correlated with other CSFs. Because ISM should
be viewed strategically from the top (Dutta and McCrohan, 2002), security–business
strategic alignment in ISM could be a starting point to organize all the CSFs toward ISM
success. Therefore, this model provides us with a solid theoretical basis to study the
relationships among business alignment, other CSFs and ISM performance. It also fits well
with the value alignment as a proactive approach to manage value conflict and promote
coordination between different parties in ISM.
3. Research model and hypothesis development Strategic value
Our research model (Figure 1) investigates how the CSFs contribute to the success of an alignment
organization’s ISM from a strategic value alignment perspective. This ISM success model
has five constructs, business alignment, top management support, organizational
awareness, security controls and ISM performance, which are measured from four
dimensions: business value, internal process, user orientation and future readiness.
Business alignment refers to the fit between ISM strategy and business strategy in terms
of addressing the needs, demands, goals, objectives and/or structures of ISM. An effective 155
ISM strategy should be strategically focused and thus information security is perceived as
an important core business issue (Kayworth and Whitten, 2010). It must secure information
assets while still enabling the business. Scholars have pointed out that the protection of
information assets from potential threats should be a part of business strategy because it
can give the organization a competitive edge (Soomro et al., 2016). The alignment component
refers to the collaborative efforts between information security and business managers that
can align ISM practices with business strategies of the organization (Chang et al., 2011). This
alignment could be achieved through information security planners’ understanding of
organizational objectives, mutual understanding between top management and information
security planners and a heightened view of the information security function within the
organization (Ma et al., 2009).
Top management support refers to the commitment from top management. Through
business alignment, information security initiatives are addressed at the strategic level and
thus are more likely to be recognized and supported by top management (Johnston and Hale,
2009). Top management can thereby be more convinced of the importance of information
security and more fully appreciate the importance of the ISM processes within the business
framework (Smith and Jamieson, 2006; Werlinger et al., 2009). Top management has a direct
corporate governance responsibility of ensuring that all the information assets of the
company are secure (Von Solms and Von Solms, 2004). A lack of fit between security
objectives and business objectives may lead to situations where information security
policies and budgets do not reflect the needs of the business (Kayworth and Whitten, 2010;
Siponen and Oinas-Kukkonen, 2007). In such cases, investment decisions are driven by
short-term priorities without well-conceived strategic priorities, and top management may
pay little attention to information security and allocate insufficient resources to ISM
(Kayworth and Whitten, 2010). Thus, the alignment helps to facilitate the acquisition and

Top
Management
Support ISM Performance
H7
H1
H5 Business Values
H3
Business H4 Security H9 Internal Process
Alignment Controls
User Orientation
H6
H2
H8
Future Readiness
Organizational
Figure 1.
Awareness
Research model
ICS deployment of the resources needed to support ISM. Business alignment facilitates top
26,2 management support for ISM, suggesting the hypothesis:
H1. Business alignment positively affects top management support of ISM.

Organizational awareness refers to organizational knowledge on information security

risks, policies and related procedures (Lebek et al., 2014). All employees should be
156 aware of possible security threats and have sufficient IT literacy to provide a baseline
level of key security concepts and vocabulary (Culnan et al., 2008). All relevant groups
in the organization should be provided with sufficient training and reference materials
to allow them to protect information assets effectively (Straub and Welke, 1998). The
awareness of information security needs to be recognized by not only staff but also
senior management. Indeed, security must be effectively marketed to all managers and
employees (Von Solms, 1999). Security policies and procedures that are integrated with
business objectives help to focus more attention on information security risks,
policies and related procedures in business processes (Spears and Barki, 2010). As
security policies and procedures gain alignment with the business environment,
the organization is more willing to invest in information security education and
training programs as the primary way of communicating information security policies,
procedures and requirements across the organization (Culnan et al., 2008). These
suggest the following hypothesis:
H2. Business alignment contributes to greater organizational awareness of information
security risks and controls.
Previous studies have indicated the positive role of top management in encouraging an
organizational security culture (Barling et al., 2002; Chan et al., 2005; Knapp et al., 2006). Top
management can make appropriate choices and adopt various approaches to shape the
culture of their organizations for the purpose of information security because senior
management has the authority and leadership to overcome cultural and organizational
barriers (Barlette and Fomin, 2009; Chang and Lin, 2007). Employees cannot be held
responsible for security problems if they are not informed about them and what can be done
to prevent them (Von Solms and Von Solms, 2004). Further, top management commitment
and efficient security structuring can enhance the whole organization’s awareness of
security risks and policies. This suggests that:
H3. Top management support raises organizational awareness of information security
risks and controls.
Security controls refer to the technical and procedural controls for information security,
including risk management, security policies and security standard application.
Organizations need to establish security controls and practice them to protect information
security. Security policies and countermeasures can protect IS from security risks. Studies
have asserted that an organization’s deployment of information security controls is affected
by strategic alignment (Doherty and Fulford, 2006; Hagen et al., 2008; Knapp et al., 2009;
Warkentin and Willison, 2009). Information security controls need to reflect and support the
organization’s overall business goals and objectives. The collaborative efforts between
information security objectives and business strategies help facilitate development and
implementation of security controls that are content with the organization’s business issues
and revenue considerations (Knapp et al., 2009). The decisions regarding adoption of
information security controls depend upon the strategic business needs, particularly
confidentiality and security requirements (Soomro et al., 2016). Therefore, we hypothesize:
 H4. Business alignment positively affects the deployment of information security Strategic value
controls. alignment
Taking information security as a management and business issue, top management can be
better aware of the importance of the development and implementation of information
security controls. Security controls implementation can be a very complicated and resource-
intensive process, which requires resources and expertise (Chang and Ho, 2006). Top
management support contributes to improvements in control implementation by providing 157
the information and resources that are necessary to support control designers. Top
management support positively influences security policy enforcement (Barlette and Fomin,
2009; Kayworth and Whitten, 2010; Knapp et al., 2009). Therefore, we hypothesize that:
H5. Top management support positively affects the deployment of information security
controls.
Prior literature suggests that information security policy will not be effective without
organizational awareness and training (Soomro et al., 2016). Empirical evidence indicates
that it is difficult to implement security controls if people have insufficient training about
best IT security practices (Werlinger et al., 2009). Whitman (2008) demonstrates that the
purpose of security awareness (and training) is to modify employee behavior so that the
individual performs according to organizational standards. The greater awareness gained
by users enables control designers to implement security controls more consistently (Spears
and Barki, 2010). All these suggest that security controls improve when there is greater
organizational awareness:
H6. Organizational awareness positively affects the deployment of information security
controls.
ISM performance refers to the progress of ISM toward achieving goals, which is measured
from organizational perspectives including business values, internal process, user
orientation and future readiness. Managers can play a very important role in an efficient and
effective safety program by taking charge of implementing safety actions, including issuing
safety policies, allocating sufficient resources, promptly reacting to safety suggestions and
complaints, attending regular safety meetings and training, regularly visiting the workplace
and following the same safety rules as others. (Aksorn and Hadikusumo, 2008). Top
management commitment establishes a focus on security within the highest levels of the
organization. Some empirical studies have found that the greater top management support
is, the more effective information security is in organizations, as more resources are spent to
avoid security incidents (Datta and Banerjee, 2011; Werlinger et al., 2009). Hence, top
management support can directly affect ISM performance:
H7. Top management support positively influences the performance of ISM.

Organizational training is the primary method of communicating information security

policies, measures, procedures and requirements across the organization (Culnan et al.,
2008). Through training sessions, employees must be convinced that they truly face
information security threats, and these threats can cause serious negative consequences to
their organization. They should also understand the user-friendliness and effectiveness of
information security policies so they can believe that complying with these policies will help
prevent security breaches (Siponen et al., 2009). Organizational awareness makes employees
aware of information security policies, procedures and countermeasures existing in the
company. If employees lack knowledge about security controls, they may misuse or
ICS misinterpret them, causing the security controls to fail (Van Niekerk and Von Solms, 2010).
26,2 Therefore, organizational awareness of security risks and controls enables the organization
to improve effectiveness and efficiency of the security management system (Spears and
Barki, 2010). We hypothesize that:
H8. Organizational awareness positively influences the performance of ISM.

158 The development and implementation of a set of effective information security controls
contributes to information security effectiveness (Chang and Lin, 2007; Doherty et al., 2009;
Singh et al., 2013). A clearly defined set of policies regarding proper and improper use of the
information system is a precondition to implementing effective security management
(Straub, 1990). Better designed and implemented controls will result in better control
performance from fewer errors or increased efficiency (Spears and Barki, 2010). To
determine whether ISM is meeting its goals, the organization needs to measure the progress
of all organizational security controls (Ma et al., 2009). In addition, complying with ISM
standards constitutes important drivers to success of ISM (Martins and Eloff, 2002). We
therefore hypothesize that:
H9. Effective security controls positively influence the performance of ISM.

4. Research method
All constructs were measured by multiple items. As very limited empirical studies have
been done on ISM at the organization level, few predefined scales were found for the
social-organizational factors of ISM. Thus, new multiple-item scales were constructed
for this study. Wherever possible, initial scale items were taken from validated
measures in the existing literature, reworded to relate to the context of ISM. The items
were scored on a five-point Likert scale, ranging from 1 (strongly disagree) to 5
(strongly agree).
A combination of methods was used on separate samples to examine how the CSFs of ISM
affect ISM performance. In the first phase, two interviews were conducted with IT
professionals who had worked on ISM to discern key information from practitioners about
critical factors that make ISM effective and about ISM performance measurement. The main
CSFs they mentioned were business alignment, top management support, organizational
security education and training, technical competence and formal information security controls.
These factors were consistent with most of the CSFs we abstracted from prior literature.
Because we tried to focus on the socio-organizational issues, we did not include technical
competence into our model. This interview information was then used to aid in research
instrument development. In the second phase, a pilot study (n = 99) was conducted in North
America for refining and validating the measurement scales derived partly from existing scales
which were adapted to the context of ISM. The results suggested that the scales of the five
reflective constructs were reliable and valid. All items were kept without modification, which
retained content validity. The final list of items is provided in Appendix.
In the third phase, statistical data were collected in a field survey. Participation in the
study was voluntary. Participants were chief information officers, chief security officers, IT
managers, information security managers and senior IT staff. All participants were actively
involved with decision-making regarding their company’s information security. Because of
the sensitivity of the topic and the difficulty of reaching IT managers directly, participants
were recruited by a commercial market research company, Empanel Online[1]. Finally, a
usable data set of 219 cases was obtained for testing the theoretical model. The demographic
characteristics of the participants are summarized in Table I.
Demographic Group Count (%)
Strategic value
alignment
Job position Chief information officer (CIO) 54 24.7
Chief security officer (CSO) 24 11.0
IT manager 87 39.7
Information security manager 22 10.0
Senior IT staff 23 10.5
Other 9 4.1 159
Industry Manufacturing 49 22.4
Retail and distribution 18 8.2
Financial Services 21 9.6
Technology 65 29.7
Health 23 10.5
Telecommunication 14 6.4
Travel, leisure and entertainment 1 0.5
Education 8 3.7
Utilities, energy and mining 4 1.8
Government 2 0.9
Other 14 6.4
Organization type Domestic 128 58.4
International 91 41.6
Organization size 1-50 18 8.2
Table I.
51-200 36 16.5
201-500 71 32.4 Demographic
Above 500 94 42.9 characteristics of
Applied security standard Yes 70 32.0 participants
No 149 68.0 (N = 219)

5. Data analysis
The research model was tested using partial least square (PLS) software, specifically
WarpPLS 5.0 (Kock, 2015). Analyses were performed to evaluate both the measurement and
the structural models.

5.1 Measurement model

There are five reflective constructs in the research model. For reflective constructs, the
measurement model provides indices for assessing convergent validity and discriminant
validity of the scale. First, descriptive statistics and reliability scores were calculated for the
reflective constructs. They are presented in Table II together with the intra-construct
correlations. Given the criteria that both Cronbach’s alpha and composite reliability scores

Construct Composite reliability Cronbach’s alpha AVE BA OS OA SC IP

BA Business alignment 0.84 0.71 0.63 0.80

OS Top management support 0.85 0.74 0.66 0.71 0.81
OA Organizational awareness 0.87 0.80 0.62 0.68 0.73 0.79
SC Security controls 0.85 0.74 0.66 0.75 0.73 0.72 0.81
IP ISM Performance 0.85 0.77 0.59 0.63 0.67 0.71 0.64 0.77
Table II.
Inter-construct
Notes: Off diagonal numbers are inter-construct correlations. Diagonal numbers are the square roots of correlations and
AVE (average variance extracted) square roots of AVEs
ICS should be greater than 0.70 (Fornell and Larcker, 1981; Johnston and Warkentin, 2010), the
26,2 reliability values of all the constructs are acceptable.
Next, the convergent and discriminant validity of the constructs were examined.
Convergent validity is generally demonstrated if:
 all item loadings are significant and greater than 0.70;
 average variance extracted (AVE, the amount of variance captured by a latent
160 variable relative to the amount caused by measurement error) for each construct is
above 0.50 (or square root of AVE is greater than 0.707); and
 composite reliability index for each construct exceeds 0.80 (Fornell and Larcker,
1981; Johnston and Warkentin, 2010).

All item loadings are greater than 0.70 and significant (p < 0.001). As shown in Table II,
AVE for each construct is greater than 0.50 and the square root of AVE for each construct
meets the criterion of 0.707. Furthermore, the composite reliabilities of all constructs are also
greater than 0.80. Based on the above criteria, the PLS results indicate a satisfactory level of
convergent validity.
Discriminant validity is verified by the difference between the AVE of a construct and its
correlations with other constructs. Discriminant validity is achieved if the square root of
each construct’s AVE is greater than its correlations with other constructs and item loadings
on their respective constructs are greater than their cross loadings on other constructs
(Fornell and Larcker, 1981; Johnston and Warkentin, 2010).
Item loadings on their corresponding constructs are greater than their cross loadings on
other constructs. The highest construct correlation is 0.75 and the lowest square root of AVE
is 0.77, which demonstrate that the square root of each construct’s AVE is greater than its
correlations with other constructs. Thus, the PLS results indicate an acceptable level of
discriminant validity.

5.2 Structural model

The hypotheses of the proposed theoretical model were tested by examining the PLS
structural model. The first measures were the R2 values of the dependent variables which
represent the predictive power of the theoretical model (Chin, 1998). As shown in Figure 2,
the research model accounted for 69 per cent of variance in security controls and 57 per cent
of variance in ISM performance. In addition, the R2 value for organizational support was
0.50, and R2 for organizational awareness was 0.59. The literature suggests that the R2 value
of a dependent variable should be at least 10 per cent to result in any meaningful
interpretation (Falk and Miller, 1992). Thus, the theoretical model demonstrated substantive
explanatory power.
Next, the significance of the path coefficients was measured. As hypothesized, ISM
performance was significantly determined by security controls ( b = 0.15, p < 0.05),
organizational support ( b = 0.29, p < 0.001) and organizational awareness ( b = 0.39, p <
0.001), providing support for H9, H7 and H8. Security controls were significantly
determined by organizational support ( b = 0.24, p < 0.001) organizational awareness ( b =
0.25, p < 0.001) and business alignment ( b = 0.42, p < 0.001). This supported H5, H6 and
H4. Furthermore, organizational support had a strong direct effect on organizational
awareness, as demonstrated by the significant path coefficient ( b = 0.49, p < 0.001).
Business alignment had a direct effect on organizational support ( b = 0.71, p < 0.001) and
organizational awareness ( b = 0.34, p < 0.001). Thus, H3, H1 and H2 were all supported.
The results of the data analyses show that the theoretical model is successful in capturing
 Top Management Strategic value
Support
(R 2 = 0.50)
alignment

161
Business 0.42*** Security Controls 0.15* ISM Performance
Alignment (R 2 = 0.69) (R 2 = 0.57)

Organizational
Awareness
(R 2 = 0.59) Figure 2.
PLS model
testing results
Notes: ***p < 0.001; *p < 0.05

the main antecedents of ISM performance. The proposed research model analysis verified all
the hypotheses, answering the two proposed research questions. The results from the model
also support the application of the BSC framework for measuring ISM performance. This
indicates that a BSC framework, which is widely used to measure common organization
performance, is also suited to measuring intangible assets such as ISM.

6. Discussion and conclusions

Findings from this study provide several theoretical contributions. First, using value
alignment as a proactive approach to manage value conflict in ISM, we developed a
theoretical model of the CSFs of effective ISM. This addresses information security issues at
the organizational level, from a strategic value alignment perspective. Although literature
has mentioned certain factors that may contribute to the success of ISM (Maarop et al., 2016),
to the best of our knowledge, this is the first comprehensive CSF model that has been
developed and empirically validated in the field of ISM. Despite the extensive efforts on ISM
initiatives, information security standards, policies, guidelines and procedures to guide
organizations in implementing ISM, organizations are still exposed to security threats and
risks because of ineffective ISM practices (Zammani and Razali, 2016). One possible cause of
this phenomenon is that organizations are unaware of the factors that influence the success
of ISM, especially the need for its value alignment with corporate strategy. Value alignment
is necessary for effective collaboration which reduces unproductive conflict in organizations
(Lynn Fitzpatrick, 2007). Our study made direct contribution toward this need.
Second, we have investigated relative importance of the factors that contribute to ISM
success. Our test results show that organizational awareness and top management support
made the most significant contributions to ISM success. This conforms to the literature
review that:
ICS [. . .] staff awareness and training and top management support are found to be the most crucial
factors in determining the successful implementation of ISMS and the rating of the importance for
26,2 both factors are almost equal (Maarop et al., 2016).
This study also provides empirical evidence that human factors are more important than
security controls for organizational ISM success. Compared with organizational awareness
and top management support, security control contributed less to ISM success. Without
162 support from both management and employees, even perfectly developed security measures
may not be implemented or performed properly. More importantly, different from previous
studies that merely list and rank the success factors, we investigated interrelationships
between success factors. We investigated business alignment at the strategic level for ISM
success. Our study shows that business alignment has significant impact on all three factors:
organizational awareness, top management support and security control. The study also
shows that top management support has significant impact on organizational awareness and
security control, and that organizational awareness has significant impact on security control
along with business alignment and top management support. These interrelationships are
very important because we could not treat and improve them independently.
Third, we developed and validated ISM performance construct following Huang et al.’s
(2006) and Herath et al.’s (2010) framework that measures ISM performance from four
perspectives. Our measurement reflects common values shared by managers, stakeholders,
employees and consumers as required for value alignment. It is less complex and easy to
assess from multiple perspectives. More importantly, we linked this ISM performance
measurement construct to the CSFs driven from strategic value alignment. From a
methodology perspective, this study has developed and validated new measurement scales
for several constructs. The validated scales can provide valuable inputs for future research
on ISM at the organizational level.
This study also provides organizational management with important implications about
ISM. Even having applied information security standards, many organizations may not be
able to distinguish the critical factors and less important factors for ISM success.
Information security standards are too complicated for general managers to learn and to use
for guiding their practice. Therefore, practitioners need simple and clear guidelines to
achieve ISM success.
First, based on strategic value alignment perspective, this study identifies several
organizational factors that are critical to the organization’s ISM success. The literature
indicates how unproductive conflict can have a negative impact on organizational
effectiveness (Lynn Fitzpatrick, 2007). These factors can help organizations shape their ISM
strategy with proactive value alignment approach and therefore reduce the unproductive
value conflicts. All these factors’ effects have been empirically verified. Thus, the findings of
this study can offer a practical guide to organizations’ ISM practice.
Second, as we have indicated, the CSFs are interrelated with each other. The results of
this study imply that business alignment is the solid foundation of any ISM practice. When
any security management activity or policy is designed or developed, it should be based on
business objectives, values or needs, as opposed to being technology asset-focused. Lack of
value alignment results in conflict and inefficiency (Lynn Fitzpatrick, 2007). It is important
for an organization to commit to a common purpose and a set of related performance goals
(Katzenbach and Smith, 2003). The organization’s top management should realize that the
aim of ISM is to support organizational objectives, although it may consume organizational
resources. The model in this study can be used to encourage general managers and
information technology managers, such as chief executive officers and chief information
officers, to collaborate and to align organizational ISM values with business strategies.
 Third, the results of this study show that organizational awareness has the most impact Strategic value
on ISM performance, with a larger effect size than other antecedents of ISM performance. alignment
Top management of an organization should recognize the importance of organizational
awareness, which means that all employees must be made aware of possible security threats
and security controls. Organizationally sponsored security awareness, training and
education program, which is the primary way of communicating information security
policies, procedures and requirements across the organization, should be provided to all
employees to improve their knowledge and skills on information security at work. In 163
addition, an organization should facilitate an organizational culture that is positive toward
carrying out ISM, by building shared values, beliefs and norms for ISM practices.
This study provides recommendations for future research avenues. First, future research can
make more effort toward using objective measurement to assess ISM performance. Second,
future research may explore more critical factors of ISM success and include more relationships
to get a complete picture of the mechanism that leads to ISM success. Third, the current
proposed theoretical model can be conducted in different countries from North America. Finally,
new methodologies can be applied in future research to study the CSFs of ISM performance.

Note
1. Available at: www.empanelonline.com

References
Ahimbisibwe, A., Ahimbisibwe, A., Daellenbach, U., Daellenbach, U., Cavana, R.Y. and Cavana, R.Y.
(2017), “Empirical comparison of traditional plan-based and agile methodologies: critical success
factors for outsourced software development projects from vendors’ perspective”, Journal of
Enterprise Information Management, Vol. 30 No. 3, pp. 400-453.
Aksorn, T. and Hadikusumo, B.H.W. (2008), “Critical success factors influencing safety program
performance in Thai construction projects”, Safety Science, Vol. 46 No. 4, pp. 709-727.
Barlette, Y. and Fomin, V.V. (2009), “The adoption of information security management standards: a
literature review”, IGI Global, pp. 119-140.
Barling, J., Loughlin, C. and Kelloway, E.K. (2002), “Development and test of a model linking safety-
specific transformational leadership and occupational safety”, Journal of Applied Psychology,
Vol. 87 No. 3, pp. 488-496.
Bremser, W.G. and Chung, Q. (2005), “A framework for performance measurement in the E-business
environment”, Electronic Commerce Research and Application, Vol. 4 No. 4, pp. 395-412.
Breward, M., Hassanein, K. and Head, M. (2017), “Understanding consumers’ attitudes toward
controversial information technologies: a contextualization approach”, Information Systems
Research, Vol. 28 No. 4, pp. 760-774.
Chan, M., Woon, I. and Kankanhalli, A. (2005), “Perceptions of information security in the workplace:
linking information security climate to compliant behavior”, Journal of Information Privacy and
Security, Vol. 1 No. 3, pp. 18-41.
Chang, S.E. and Ho, C.B. (2006), “Organizational factors to the effectiveness of implementing information
security management”, Industrial Management & Data Systems, Vol. 106 No. 3, pp. 345-361.
Chang, S.E. and Lin, C.-S. (2007), “Exploring organizational culture for information security
management”, Industrial Management & Data Systems, Vol. 107 No. 3, pp. 438-458.
Chang, S.E., Chen, S.-Y. and Chen, C.-Y. (2011), “Exploring the relationships between it capabilities and
information security management”, International Journal of Technology Management, Vol. 54
Nos 2/3, pp. 147-166.
ICS Chin, W.W. (1998), “The partial least squares approach to structural equation modeling”, in in Marcoulides,
G.A. (ed.), Modern Methods for Business Research, lawrence Erlbaum, Mahwah, NJ, pp. 295-336.
26,2
Choobineh, J., Dhillon, G., Grimaila, M.R. and Rees, J. (2007), “Management of information security:
challenges and research directions”, Communications of the Association for Information
Systems, Vol. 20 No. 1, pp. 958-971.
Culnan, M.J., Foxman, E.R. and Ray, A.W. (2008), “Why it executives should help employees secure
164 their home computers”, MIS Quarterly Executive, Vol. 7 No. 1, pp. 49-56.
Cumps, B., Martens, D., De Backer, M., Haesen, R., Viaene, S., Dedene, G., Baesens, B. and Snoeck, M.
(2009), “Inferring comprehensible business/Ict alignment rules”, Information & Management,
Vol. 46 No. 2, pp. 116-124.
D’Arcy, J., Hovav, A. and Galletta, D. (2009), “User awareness of security countermeasures and its
impact on information systems misuse: a deterrence approach”, Information Systems Research,
Vol. 20 No. 1, pp. 79-98.
Datta, S.P. and Banerjee, P. (2011), “Guidelines for performance measures of information security of it
network and systems”, International Journal of Research and Reviews in Next Generation
Networks, Vol. 1 No. 1, pp. 39-43.
Davies, T. (2002), “The ‘Real’ success factors on projects”, International Journal of Project Management,
Vol. 20 No. 3, pp. 185-190.
Dhillon, G. and Backhouse, J. (2001), “Current directions in is security research: towards socio-
organizational perspectives”, Information Systems Journal, Vol. 11 No. 2, pp. 127-153.
Doherty, N.F. and Fulford, H. (2006), “Aligning the information security policy with the strategic
information systems plan”, Computers & Security, Vol. 25 No. 1, pp. 55-63.
Doherty, N.F., Anastasakis, L. and Fulford, H. (2009), “The information security policy unpacked: a
critical study of the content of university policies”, International Journal of Information
Management, Vol. 29 No. 6, pp. 449-457.
Dutta, A. and McCrohan, K. (2002), “Management’s role in information security in a cyber economy”,
California Management Review, Vol. 45 No. 1, pp. 67-87.
Erkan, K. (2005), “Evaluating it security performance with quantifiable metrics”, available at: http://
citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.102.4000&rep=rep1&type=pdf
Falk, R.F. and Miller, N.B. (1992), A Primer for Soft Modeling, University of Akron Press, Akron, OH.
Fornell, C. and Larcker, D.F. (1981), “Evaluating structural equation models with unobservable
variables and measurement error”, Journal of Marketing Research, Vol. 18 No. 1, pp. 39-50.
Fritz, R. (1999), The Path of Least Resistance for Managers: Designing Organizations to Succeed,
Berrett-Koehler Publishers, Oakland, CA.
Gerow, J.E., Grover, V., Thatcher, J. and Roth, P.L. (2014), “Looking toward the future of it – business
strategic alignment through the past: a meta-analysis”, MIS Quarterly, Vol. 38 No. 4, pp. 1159-1185.
Guo, K.H., Yuan, Y., Archer, N.P. and Connelly, C.E. (2011), “Understanding nonmalicious security
violations in the workplace: a composite behavior model”, Journal of Management Information
Systems, Vol. 28 No. 2, pp. 203-236.
Hagen, M.J., Albrechtsen, E. and Hovden, J. (2008), “Implementation and effectiveness of organizational
information security measures”, Information Management & Computer Security, Vol. 16 No. 4,
pp. 377-397.
Herath, T., Herath, H. and Bremser, W.G. (2010), “Balanced scorecard implementation of security
strategies: a framework for it security performance management”, Information Systems
Management, Vol. 27 No. 1, pp. 72-81.
Huang, S.-M., Lee, C.-L. and Kao, A.-C. (2006), “Balancing performance measures for information
security management: a balanced scorecard framework”, Industrial Management & Data
Systems, Vol. 106 No. 2, pp. 242-255.
Hu, Q., Dinev, T., Hart, P. and Cooke, D. (2012), “Managing employee compliance with information Strategic value
security policies: the critical role of top management and organizational culture”, Decision
Sciences, Vol. 43 No. 4, pp. 615-660. alignment
Hu, Q., Xu, Z., Dinev, T. and Ling, H. (2011), “Does deterrence work in reducing information security
policy abuse by employees?”, Communications of the ACM, Vol. 54 No. 6, pp. 54-60.
Hultman, K. and Gellermann, W. (2002), Balancing Individual and Organizational Values: Walking the
Tightrope to Success, Jossey-Bass/Pfeiffer, San Francisco, CA.
ISO/IEC (2013), “Iso/Iec 27001:2013 information technology – security techniques – information
165
security management systems – requirements”, 2nd Ed., ISO/IEC, Geneva.
Johnston, A.C. and Hale, R. (2009), “Improved security through information security governance”,
Communications of the ACM, Vol. 52 No. 1, pp. 126-129.
Johnston, A.C. and Warkentin, M. (2010), “Fear appeals and information security behaviors: an
empirical study”, MIS Quarterly, Vol. 34 No. 3, pp. 549-566.
Kaplan, R.S. and Norton, D.P. (1992), “The balanced scorecard-measures that drive performance”,
Harvard Business Review, Vol. 70 No. 1, pp. 71-79.
Kaplan, R.S. and Norton, D.P. (1993), “Putting the balanced scorecard to work”, Harvard Business
Review, Vol. 71 No. 5, pp. 134-147.
Kaplan, R.S. and Norton, D.P. (2004), “The strategy map: guide to aligning intangible asset”, Strategy &
Leadership, Vol. 32 No. 5, pp. 10-17.
Katzenbach, J. and Smith, D.K. (2003), The Wisdom of Teams, 3rd Ed. HarperCollins Publishers,
New York, NY.
Kayworth, T. and Whitten, D. (2010), “Effective information security requires a balance of social and
technology factors”, MIS Quarterly Executive, Vol. 9 No. 3, pp. 163-175.
Knapp, K.J., Marshall, T.E., Rainer, R.K. and Ford, N.F. (2006), “Information security: management’s
effect on culture and policy”, Information Management & Computer Security, Vol. 14 No. 1,
pp. 24-36.
Knapp, K.J., Morris, F., Jr, Marshall, T.E. and Byrd, T.A. (2009), “Information security policy: an
organizational-level process model”, Computers & Security, Vol. 28 No. 7, pp. 493-508.
Kock, N. (2015), Warppls 5.0. Laredo, ScriptWarp Systems, Texas.
Lebek, B., Uffen, J., Neumann, M., Hohler, B. and Breitner, M.H. (2014), “Information security awareness
and behavior: a theory-based literature review”, Management Research Review, Vol. 37 No. 12,
pp. 1049-1092.
Lee, S. and Ahn, H. (2008), “Assessment of process improvement from organizational change”,
Information & Management, Vol. 45 No. 5, pp. 270-280.
Liang, H. and Xue, Y. (2009), “Avoidance of information technology threats: a theoretical perspective”,
MIS Qquarterly, Vol. 33 No. 1, pp. 71-90.
Lowry, P.B. and Moody, G.D. (2015), “Proposing the control-reactance compliance model (Crcm) to
explain opposing motivations to comply with organisational information security policies”,
Information Systems Journal, Vol. 25 No. 5, pp. 433-463.
Luftman, J., Kempaiah, R. and Nash, E. (2006), “Key issues for it executives 2005”, MIS Quarterly
Executive, Vol. 5 No. 2, pp. 81-99.
Lynn Fitzpatrick, R. (2007), “A literature review exploring values alignment as a proactive approach to
conflict management”, International Journal of Conflict Management, Vol. 18 No. 3, pp. 280-305.
Ma, Q., Schmidt, M.B. and Pearson, J.M. (2009), “An integrated framework for information security
management”, Review of Business, Vol. 30 No. 1, pp. 58-69.
Maarop, N., Thamadharan, K., Samy, G.N., Zainuddin, N.M.M., Azmi, A., Yusop, O.M. and Azizan, A.
(2016), “Information security management system implementation success factors: a review”,
Advanced Science Letters, Vol. 22 No. 10, pp. 3023-3026.
ICS Marr, B. and Schiuma, G. (2003), “Business performance measurement – past, present and future”,
Management Decision, Vol. 41 No. 8, pp. 680-687.
26,2
Martin, C., Bulkan, A. and Klempt, P. (2011), “Security excellence from a total quality management
approach”, Total Quality Management, Vol. 22 No. 3, pp. 345-371.
Martins, A. and Eloff, J. (2002), “Assessing information security culture”, Information Security South
Africa (ISSA), Johannesburg, South Africa, pp. 1-14.
166 Mohr, J. and Spekman, R. (1994), “Characteristics of partnership success: partnership attributes,
communication behavior, and conflict resolution techniques”, Strategic Management Journal,
Vol. 15 No. 2, pp. 135-152.
Nazareth, D.L. and Choi, J. (2015), “A system dynamics model for information security management”,
Information & Management, Vol. 52 No. 1, pp. 123-134.
Nyanchama, M. (2005), “Enterprise vulnerability management and its role in information security
management”, Information Systems Security, Vol. 14 No. 3, pp. 29-56.
Parakkattu, S. and Kunnathur, A.S. (2010), “A framework for research in information security
management”, 2010 Northeast Decision Sciences Institute Proceedings, pp. 318-323.
Pipkin, D.L. (2000), Information Security: Protecting the Global Enterprise, Prentice-Hall PTR, Upper
Saddle River, NJ.
Posthumus, S. and von Solms, R. (2004), “A framework for the governance of information security”,
Computers & Security, Vol. 23 No. 8, pp. 638-646.
Psomas, E. (2016), “The underlying factorial structure and significance of the six sigma difficulties and
critical success factors: the Greek case”, The TQM Journal, Vol. 28 No. 4, pp. 530-546.
Ransbotham, S. and Mitra, S. (2009), “Choice and chance: a conceptual model of paths to information
security compromise”, Information Systems Research, Vol. 20 No. 1, pp. 121-139.
Rhee, H.S., Ryu, Y.U. and Kim, C.T. (2012), “Unrealistic optimism on information security
management”, Computers & Security, Vol. 31 No. 2, pp. 221-232.
Rivard, S., Raymond, L. and Verreault, D. (2006), “Resource-based view and competitive strategy: an
integrated model of the contribution of information technology to firm performance”, Journal of
Strategic Information Systems, Vol. 15 No. 1, pp. 29-50.
Rockart, J.F. (1979), “Chief executives define their own data needs”, Harvard Business Review, Vol. 57
No. 2, pp. 81-93.
Rockart, J.F. (1982), “The changing role of the information systems executive: a critical success factors
perspective”, Sloan Management Review, Vol. 6 No. 1, pp. 3-13.
Singh, A.N. and Gupta, M.P. (2014), “Identifying factors of ‘organizational information security
management’”, Journal of Enterprise Information Management Decision, Vol. 27 No. 5,
pp. 644-667.
Singh, A.N., Gupta, M.P. and Ojha, A. (2014), “Identifying factors of ‘organizational information
security management’”, Journal of Enterprise Information Management, Vol. 27 No. 5,
pp. 1-24.
Singh, A.N., Picot, A., Kranz, J., Gupta, M.P. and Ojha, A. (2013), “Information securitymanagement
(Ism) practices: lessons from select cases from India Andgermany”, Global Journal of Flexible
Systems Management, Vol. 14 No. 4, pp. 225-239.
Siponen, M. and Vance, A. (2010), “Neutralization: new insights into the problem of employee
information systems security policy violations”, MIS Quarterly, Vol. 34 No. 3, pp. 487-502.
Siponen, M.T. (2005), “An analysis of the traditional is security approaches: implications for research
and practice”, European Journal of Information Systems, Vol. 14 No. 3, pp. 303-315.
Siponen, M.T. and Oinas-Kukkonen, H. (2007), “A review of information security issues and respective
research contributions”, The DATA BASE for Advances in Information Systems, Vol. 38 No. 1,
pp. 60-80.
Siponen, M.T. and Willison, R. (2009), “Information security management standards: problems and Strategic value
solutions”, Information & Management, Vol. 46 No. 5, pp. 267-270.
alignment
Siponen, M.T., Mahmood, M.A. and Pahnila, S. (2009), “Are employees putting your company at risk by not
following information security policies?”, Communications of the ACM, Vol. 52 No. 12, pp. 145-147.
Smith, S. and Jamieson, R. (2006), “Determining key factors in E-government information system
security”, Information Systems Management, Vol. 23 No. 2, pp. 23-32.
Soomro, Z.A., Shah, M.H. and Ahmed, J. (2016), “Information security management needs more holistic
approach: a literature review”, International Journal of Information Management, Vol. 36 No. 2,
167
pp. 215-225.
Spears, J.L. and Barki, H. (2010), “User participation in information systems security risk management”,
MIS Quarterly, Vol. 34 No. 3, pp. 503-522.
Straub, D.W. (1988), “Organizational structuring of the computer security function”, Computers &
Security, Vol. 7 No. 2, pp. 185-195.
Straub, D.W. (1990), “Effective is security: an empirical study”, Information Systems Research, Vol. 1
No. 3, pp. 255-276.
Straub, D.W. and Collins, R.W. (1990), “Key information liability issues facing managers: software piracy,
proprietary databases, and individual rights to privacy”, MIS Quarterly, Vol. 14 No. 2, pp. 143-156.
Straub, D.W. and Welke, R.J. (1998), “Coping with systems risk: security planning models for
management decision making”, MIS Quarterly, Vol. 22 No. 4, pp. 441-470.
Tsohou, A., Karyda, M., Kokolakis, S. and Kiountouzis, E. (2015), “Managing the introduction of
information security awareness programmes in organisations”, European Journal of
Information Systems, Vol. 24 No. 1, pp. 38-58.
Van Niekerk, J.F. and Von Solms, R. (2010), “Information security culture: a management perspective”,
Computers & Security, Vol. 29 No. 4, pp. 476-486.
Von Solms, B. and Von Solms, R. (2004), “The 10 deadly sins of information security management”,
Computers & Security, Vol. 23 No. 5, pp. 371-376.
Von Solms, R. (1999), “Information security management: why standards are important”, Information
Management & Computer Security, Vol. 7 No. 1, pp. 50-58.
von Solms, R. and von Solms, S.H.B. (2006), “Information security governance: a model based on the
direct–control cycle”, Computers & Security, Vol. 25 No. 6, pp. 408-412.
Warkentin, M. and Willison, R. (2009), “Behavioral and policy issues in information systems security:
the insider threat”, European Journal of Information Systems, Vol. 18 No. 2, pp. 101-105.
Webb, J., Maynard, S., Ahmad, A. and Shanks, G. (2014), “Information security risk management: an
intelligence-driven approach”, Australasian Journal of Information Systems, Vol. 18 No. 3, pp. 391-404.
Werlinger, R., Hawkey, K. and Beznosov, K. (2009), “An integrated view of human, organizational, and
technological challenges of it security management”, Information Management & Computer
Security, Vol. 17 No. 1, pp. 4-19.
Whitman, M.E. (2008), “Security policy: from design to maintenance”, in Straub, D.W., Goodman, S.
and Baskerville, R.L. (Eds), Information Security: Policy, Processes, and Practices, M. E. Sharpe,
Armonk, NY, pp. 123-151.
Yeoh, W. and Popovi
c, A. (2016), “Extending the understanding of critical success factors for
implementing business intelligence systems”, Journal of the Association for Information Science
and Technology, Vol. 67 No. 1, pp. 134-147.
Yildirim, E.Y., Akalp, G., Aytac, S. and Bayram, N. (2011), “Factors influencing information security
management in small-and medium-sized enterprises: a case study from Turkey”, International
Journal of Information Management, Vol. 31 No. 4, pp. 360-365.
Zammani, M. and Razali, R. (2016), “Information security management success factors”, Advanced
Science Letters, Vol. 22 No. 8, pp. 1924-1929.
ICS Appendix
26,2
Construct Item
BA Business My organization’s
alignment information security
168 management objectives
reflect business objectives
My organization’s security
policies and controls are
based on business
objectives, value or needs
In my organization,
business users routinely
contribute a business
perspective to information
security management
OS Top In my organization, top
management management actively
support supports information
security management as a
vital enterprise-wide
function
In my organization,
sufficient funding and
resources are allocated to
information security
management
A formal organizational
unit for information
security is established
within my organization
OA Organizational In my organization,
awareness information security
educational and training
programs are provided to
employees periodically
In my organization,
employees are aware of
potential security threats
and understand the need for
information security
management
In my organization,
employees are aware of
policies, procedures or
countermeasures for
information security
In my organization,
employees exhibit a sense
of proactiveness in
protecting information
Table AI. security
Construct measures
Source Literature
Self-developed Chang et al. (2011),
Choobineh et al. (2007),
Herath et al. (2010),
Kayworth and Whitten
Spears and Barki (2010) (2010), Ma et al. (2009),
Siponen and Oinas-
Kukkonen (2007), Smith
and Jamieson (2006),
Spears and Barki (2010) Spears and Barki (2010),
Van Niekerk and Von
Solms (2010), von Solms
(1999)
Self-developed Aksorn and Hadikusumo
(2008), Kayworth and
Whitten (2010), Ma et al.
(2009), Nazareth and Choi
(2015), Smith and
Jamieson (2006), Straub
Self-developed (1988), Straub and Collins
(1990), von Solms (1999),
Werlinger et al. (2009),
Yildirim et al. (2011)
Self-developed
Self-developed Aksorn and Hadikusumo
(2008), Culnan et al. (2008),
Kayworth and Whitten
(2010), Ma et al. (2009),
Nazareth and Choi (2015),
Self-developed Siponen et al. (2009),
Smith and Jamieson
(2006), Spears and Barki
(2010), van Niekerk and
von Solms (2010), von
Solms (1999), Werlinger
Spears and Barki (2010) et al. (2009), Yildirim et al.
(2011)
Spears and Barki (2010)
(continued)
 Strategic value
Construct Item Source Literature alignment
SC Security In my organization, a Self-developed Chang and Ho (2006),
controls formal risk management Herath et al. (2010),
program has been designed Nazareth and Choi (2015),
and implemented Siponen and Oinas-
In my organization, formal Self-developed Kukkonen (2007), Smith 169
security policies have been and Jamieson (2006),
defined and implemented Straub and Welke (1998),
In my organization, specific Self-developed von Solms (1999), Yildirim
ISM standards have been et al. (2011)
applied to enhance
information security
management
IP ISM My organization’s ISM is Self-developed based on Herath et al. (2010), Huang
performance cost-effective, i.e. the cost is the four perceptions of et al., 2006
justified by the potential balanced ISM
benefit performance measures
In my organization,
employees comply with
information security
policies
My organization’s
information security
policies are effective and
efficient to protect
information asset
My organization’s ISM
program is positioned to
meet future needs Table AI.

About the authors

Dr Cindy Zhiling Tu is an Assistant Professor of Information Systems in the School of Computer
Science and Information Systems at Northwest Missouri State University. She received her PhD
degree in information systems from DeGroote School of Business, McMaster University, Canada. She
has published several research papers in professional conference proceedings and in journals such as
Information & Management, the International Journal of Mobile Communications and International
Journal of Electronic Commerce. Her research interests are in the areas of information systems
security and privacy, mobile commerce, technology acceptance and usage and information systems
perceptions. Cindy Zhiling Tu is the corresponding author and can be contacted at: cindytu@
nwmissouri.edu
Dr Yufei Yuan is a Professor of Information Systems in the DeGroote School of Business at
McMaster University, Canada. He received a PhD in computer information systems from the
University of Michigan, USA, and a BS in Mathematics from Fudan University, China. His research
interests are in the areas of security and privacy, emergency response systems, mobile commerce,
Web-based negotiation support systems, business model of electronic commerce, fuzzy logic and
expert systems and information systems in health care. He has more than 80 papers published in
journals including MIS Quarterly, Journal of Management Information Systems, European Journal of
Information systems, Information & Management, Communications of the ACM, IEEE Security and
Privacy, Decision Support Systems, International Journal of Electronic Commerce, International
ICS Journal of Mobile Communications, Group Decision and Negotiation, Fuzzy Sets and Systems,
International Journal of Human–Computer Studies, European Journal of Operational Research,
26,2 Management Science, Decision Sciences and others.
Dr Norm Archer is a Professor Emeritus in the DeGroote School of Business at McMaster
University and Special Advisor to the McMaster eBusiness Research Center (MeRC). His main
research interests are in the adoption and use of electronic health records, personal health records and
chronic disease self-management by patients and consumers.
170 Dr Catherine E. Connelly (PhD Queen’s) is a Canada Research Chair and an Associate Professor of
organizational behavior at the DeGroote School of Business at McMaster University. She is also an
Associate Editor of Human Relations and a member of the College of New Scholars of the Royal
Society of Canada. Her research has been published in the Journal of Management Information
Systems, Information & Management, the Journal of Applied Psychology, the Journal of Management
and the Journal of Organizational Behavior.

For instructions on how to order reprints of this article, please visit our website:
www.emeraldgrouppublishing.com/licensing/reprints.htm
Or contact us for further details: permissions@emeraldinsight.com