An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks

Herath, Tejaswini; Herath, Hemantha S. B.; Cullum, David

doi:10.1007/s10796-022-10246-9

Cited by 11 publications

(10 citation statements)

References 69 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Whereas literature (see Table 1) shows that organisations have tried to implement technical security practices like proper configuration of firewalls, locking down servers, implementation of intrusion detection services, cryptographic solutions, network security etc., available studies have equally demonstrated that less attention has been given to managerial information security practices such as the implementation of policy, awareness and training, compliance with security standards, etc. (Alshaikh, 2016;Ahimbisibwe and Nabende, 2022;Herath et al, 2022).…”

Section: Literature Reviewmentioning

confidence: 99%

“…Information Security Management Practices (ISMPs) in organisations have become one of the major concerns as evidenced by some studies (Whitman and Mattord, 2014;Alshaikh et al, 2014;Carcary et al, 2016;Maynard et al, 2018;Schinag and Shahim, 2020;Culot et al, 2021;Ahimbisibwe and Nabende 2022;Herath et al, 2022). Findings from these studies demonstrate that not all organisations implement the recommendations suggested.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

The Institutionalisation of Information Security Management Practices in selected Organisations in Uganda

Ahimbisibwe

Nabende

2023

Int. j. adv. res.

View full text Add to dashboard Cite

The study aimed at examining the extent to which information security management practices were institutionalised in corporate organisations. Evidence shows that failure by organisations to entrench the information security management practices (ISMPs) into organisations’ structures opens the gateway for attacks, threat actors and information breaches to cause harm to information assets with ease. The study explored the phenomenon in its social setting hence the adoption of descriptive research design as the research methodology. The institutional theory was adopted as a new dimension in examining information security management in organisations. This theory suggests that control gears like coercive, normative, mimetic and management commitment could be used to effectively entrench security guidelines in organisations. Methodical scrutiny of the institutionalisation process: development, implementation and maintenance, and evaluation were also carried out. The researcher relied on human experience to make sense of the institutionalised processes. Extant literature was reviewed, and survey questionnaires were developed based on the eleven ISMPs and administered to purposively selected respondents from the two organisations. The eleven ISMPs covered include state of information security policy, asset management, secure information sharing, supply chain security, access management, network security controls, portable and removable media security, remote access security, protective monitoring of information systems, implementation of information security back-ups, and security accreditation by professional bodies. Data analysis was done using SPSS. Findings indicate that organisations have not fully incorporated all the eleven ISMPs covered as best practices and standards. Based on the results from the field, answers to the research questions were partly realised. Recommendations like the implementation of ISMPs to check deficiencies identified, customisation of security guidelines to protect information assets and institutionalisation of security practices at all levels were suggested. Overall, the study was a positive step towards the institutionalisation process of ISMPs in organisations

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

The Institutionalisation of Information Security Management Practices in selected Organisations in Uganda

Ahimbisibwe

Nabende

2023

Int. j. adv. res.

View full text Add to dashboard Cite

show abstract

“…IT refers to technology that is capable of enhancing enterprises' productivity and market competitiveness, including devices, systems, networks, data, etc. When an enterprise sustains its operation by relying on IT, it must build a mechanism to control and protect it [6,7]. Otherwise, the exposure of enterprises to threat will increase.…”

Section: Research Background and Motivementioning

confidence: 99%

Identification of SMEs in the Critical Factors of an IS Backup System Using a Three-Stage Advanced Hybrid MDM–AHP Model

Chen

Chou

Lin³

et al. 2023

Sustainability

View full text Add to dashboard Cite

Backup system work represents “the last mile” of information security (IS). To avoid data loss or damage, enterprises should execute data backup periodically to ensure the integrity and availability of such data. Additionally, due to the continuous emergence of IS incidents featuring malicious attacks in recent years, major firms in countries around the world have successively reported being under attack by ransomware viruses. In particular, small and medium enterprises (SMEs) became the potential targets of malicious attacks based on their different types of IS awareness and degrees of digitalization; therefore, IS work has become one of the essential topics with special significance for numerous SMEs. To this end, this paper studied the factors influencing SMEs’ adoption of IS backup systems in the hope that the critical decision-making behaviors of SMEs regarding the issue of IS could be learned. Practical suggestions can be made for the marketing schemes adopted by IS manufacturers concerning the planning of IS backup systems. Thus, this study used three methodological stages to address the exciting issue of IS backup systems for SMEs. In the first stage, 11 factors at two hierarchies involving three constructs influencing SMEs’ adoption of IS backup systems were summarized via a literature review. The constructs included financial consideration (FC), the IS incident, and business IS decision making (BISD-M). In the second stage, an expert questionnaire was applied; an advanced hybrid modified Delphi method (MDM) and analytic hierarchy process (AHP) with expert input were constructed to identify the sorting of overall weights based on the 11 factors included in the first stage. Following the empirical conclusions, the top three critical factors were “disaster loss amount”, “enterprise’s downtime”, and “supplier’s contractual requirements”. The conclusions of this study indicated that two factors were included in the FC construct; thus, the FC construct influenced IS the most, and the BISD-M construct took second place. In the final stage, through re-checking three actual cases, the results of this study were verified with specific respect to the FC. In conclusion, to popularize IS backup systems among SMEs and fully implement IS, manufacturers may start from the FC in the hope that the severe impact caused by IS incidents featuring malicious attacks can be slowed down and the losses encountered can be lowered. The empirical results and conclusions of this study can be used for reference by SMEs, and both theoretical and empirical foundations have been provided for further studies in academic circles; the results above also show a significant application contribution of this study.

show abstract

“…The cybersecurity governance framework should mainly focus on the responsibilities and practices that should be exercised and addressed by top-level management of organizations (board and executive management) having the following main goals: provide strategic direction towards securing the IT system that supports the business operation; ensuring that security objectives are well defined and achieved; making sure that security risks are analyzed and managed appropriately; and validating that company resources are optimally used and spent for securing the company assets [6,7].…”

Section: Introductionmentioning

confidence: 99%

A Dynamic and Adaptive Cybersecurity Governance Framework

Melaku

2023

JCP

View full text Add to dashboard Cite

Cybersecurity protects cyberspace from a wide range of cyber threats to reduce overall business risk, ensure business continuity, and maximize business opportunities and return on investments. Cybersecurity is well achieved by using appropriate sets of security governance frameworks. To this end, various Information Technology (IT) and cybersecurity governance frameworks have been reviewed along with their benefits and limitations. The major limitations of the reviewed frameworks are; they are complex and have complicated structures to implement, they are expensive and require high skill IT and security professionals. Moreover, the frameworks require many requirement checklists for implementation and auditing purposes and a lot of time and resources. To fill the limitations mentioned above, a simple, dynamic, and adaptive cybersecurity governance framework is proposed that provides security related strategic direction, ensures that security risks are managed appropriately, and ensures that organizations’ resources are utilized optimally. The framework incorporated different components not considered in the existing frameworks, such as research and development, public-private collaboration framework, regional and international cooperation framework, incident management, business continuity, disaster recovery frameworks, and compliance with laws and regulations. Moreover, the proposed framework identifies and includes some of the existing frameworks’ missed and overlapped components, processes, and activities. It has nine components, five activities, four outcomes, and seven processes. Performance metrics, evaluation, and monitoring techniques are also proposed. Moreover, it follows a risk based approach to address the current and future technology and threat landscapes. The design science research method was used in this research study to solve the problem mentioned. Using the design science research method, the problem was identified. Based on the problem, research objectives were articulated; the objective of this research was solved by developing a security governance framework considering different factors which were not addressed in the current works. Finally, performance metrics were proposed to evaluate the implementation of the governance framework.

show abstract

An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks

Cited by 11 publications

References 69 publications

The Institutionalisation of Information Security Management Practices in selected Organisations in Uganda

The Institutionalisation of Information Security Management Practices in selected Organisations in Uganda

Identification of SMEs in the Critical Factors of an IS Backup System Using a Three-Stage Advanced Hybrid MDM–AHP Model

A Dynamic and Adaptive Cybersecurity Governance Framework

Contact Info

Product

Resources

About