Abstract

Decision-making in the context of organizational information security depends on a wide range of information. For information security managers, not only must the relevant information be identified, but its interdependencies must also be taken into account. Thus, the purpose of this research is to develop a comprehensive model of relevant management success factors (MSF) for organizational information security. First, a literature survey with an open-axial-selective analysis of 136 articles was performed to identify factors influencing information security. These factors were categorized into 12 areas: physical security, vulnerability, infrastructure, awareness, access control, risk, resources, organizational factors, CIA, continuity, security management, and compliance & policy. Second, an interview series with 19 experts from industry was used to evaluate the relevance of these factors in practice and to explore interdependencies between them. Third, a comprehensive model was developed. The model shows that there are key security indicators which directly impact the security status of an organization, while other indicators are only indirectly connected. Based on these results, information security managers should be aware of both direct and indirect MSFs in order to make appropriate decisions.

Highlights

  • Today, most businesses are based on or even fully dependent on information, such as financial data for banks, to stay in the market and remain competitive (Knapp et al., 2006)

  • The purpose of this research is to develop a comprehensive model of relevant management success factors (MSF) for organizational information security

  • This research proposes a comprehensive model of management success factors (MSFs) for information security decision-makers

Introduction

Most businesses are based on or even fully dependent on information, such as financial data for banks, to stay in the market and remain competitive (Knapp et al., 2006). Information security was long regarded as a purely technical concern, and technical employees were responsible for information security issues within an organization (Willison and Backhouse, 2006). In one prominent breach, the personal information of over 146 million people was stolen because of an unpatched system, a technical shortcoming that nonetheless had consequences at management level: the company parted with its CEO, CIO, and CSO through their “retirement” shortly after the breach (Bernard and Cowley, 2017). Management responsibility is further codified in laws such as the German Stock Corporation Act (§91 Section 2), which requires companies to operate an active risk management system. Information security management is often built on international standards or best practices (Hedström et al., 2011). The terms “standard” and “best practice” are often used as synonyms, but “standards” are usually reviewed by an international standardization organization, while “best practices” and other frameworks are published independently.
