Computing and Information Systems - Theses

Information security management practices in organisations
Alshaikh, Moneer (2018)
Developing an information security capability is rapidly becoming a priority for organisations as security threats grow more complex and sophisticated. Much research has aimed at developing information security tools and techniques to combat these threats, but less has focused on security management practice, a critical part of security capability. This research project focuses on Information Security Management Practices (ISMPs): the set of strategic-level activities, including planning, organising, directing and controlling organisational resources (human, financial, physical and information), that are directed towards the application of managerial security controls in pursuit of information security objectives. In this thesis, three common deficiencies are identified in ISMP-oriented guidelines and models for organisations: (1) poor conceptualisation of ISMP, (2) a lack of comprehensive guidance on ISMP for organisations, and (3) a lack of empirical work in the ISM area, specifically on managerial practices. These three deficiencies are aspects of a common problem: the lack of comprehensive, coherent and empirically tested guidance for organisations on information security management practices. This thesis takes a managerial-practice-based perspective to investigate how organisations manage their information security programs. The formal research question under investigation is: How can information security management be practised in organisations? To answer this question, two sub-questions are also addressed:
1. How are Information Security Management Practices related to each other?
2. To what extent are Information Security Management Practices institutionalised in organisations?
The primary contribution of this thesis is the development of a rigorous, practice-oriented and empirically tested framework of information security management practices (ISMPs). The proposed framework supports and guides organisations in improving their management of information security. The framework was developed through a comprehensive review and analysis of the ISM literature, and was subsequently refined and validated qualitatively through thirty-four semi-structured interviews with information security experts. The research makes four key contributions:
  • It provides the most complete, comprehensive and empirically backed framework of ISMPs for organisations; the framework complements the fragmented best-practice advice on ISM found in industry standards.
  • It explains why organisations choose to adopt formal or informal approaches to the implementation of ISMPs, and the consequences of adopting each approach.
  • It identifies the relationships between ISM areas, provides empirical evidence for those relationships, justifies the interdependencies between ISMPs, and explains the impact of inconsistent levels of quality among ISM practices.
  • It identifies a set of activities (Intra Organisation Liaison (IOL) management practices) undertaken by organisations to increase the level of stakeholder involvement and participation in the ISM process. The identification of the IOL management practices provides guidance to organisations on how to increase stakeholder involvement and cultivate a culture of security.
The research contends that the management of an information security program can be improved by: (1) implementing ISMPs in a holistic and comprehensive manner, using the proposed ISMP framework as a standardised, formal checklist for benchmarking, together with the ISMP interdependencies framework; (2) assessing the current maturity level of ISMP implementation and allocating the resources required to achieve a more structured and formal implementation of ISMPs; and (3) establishing a formal communication process between security personnel and internal stakeholders through the implementation of IOL practices. This leads to effective management of information security, where ISMPs are implemented in a holistic and collective manner with the support and participation of employees across the organisation.