Abstract

Purpose

The purpose of this study is to determine the main challenges that IT security practitioners face in their organizations, including the interplay among human, organizational, and technological factors.

Design/methodology/approach

The data set consisted of 36 semi‐structured interviews with IT security practitioners from 17 organizations (academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data to identify the challenges that security practitioners face.

Findings

A total of 18 challenges that can affect IT security management within organizations are identified and described. This analysis is grounded in related work to build an integrated framework of security challenges. The framework illustrates the interplay among human, organizational, and technological factors.

Practical implications

The framework can help organizations identify potential challenges when implementing security standards, and determine if they are using their security resources effectively to address the challenges. It also provides a way to understand the interplay of the different factors, for example, how the culture of the organization and decentralization of IT security trigger security issues that make security management more difficult. Several opportunities for researchers and developers to improve the technology and processes used to support adoption of security policies and standards within organizations are provided.

Originality/value

A comprehensive list of human, organizational, and technological challenges that security experts have to face within their organizations is presented. In addition, these challenges are integrated within a framework that illustrates the interplay between factors and the consequences of this interplay for organizations.

Highlights

  • Recent research has recognized that technological factors are not the only key to the effectiveness of information security controls; there is a need to understand the impact of human and organizational factors (Beznosov and Beznosova, 2007; Botta et al., 2007; Rayford et al., 2001)

  • We found that security processes should consider that IT security practitioners have to effectively communicate security issues to other stakeholders who have different perceptions of risks and do not have security as a first priority within the organization

  • Koskosas and Paul (2004) study how risks are communicated in financial organizations. They concluded that risk communication “plays a significant role at the macro-goal level of security management.” Our study extends this result by showing that the implementation of security processes should consider the organizational culture and the views different stakeholders have about security risks

Introduction

Recent research has recognized that technological factors are not the only key to the effectiveness of information security controls; there is a need to understand the impact of human and organizational factors (Beznosov and Beznosova, 2007; Botta et al., 2007; Rayford et al., 2001). Our results validate and extend other studies that address challenges facing security practitioners, and provide an integrated framework that classifies these challenges. This framework can help organizations identify their limitations with respect to implementing security standards and determine if they are spending their security resources effectively. Our results build upon prior work that addresses a subset of the human, organizational, and technological elements that challenge the adoption of IT security within organizations. We define human aspects as those related to cognition at the individual level, as well as culture and interaction with other people. Organizational aspects are those related to the structure of the organization, including size and managerial decisions around IT security. They conclude that reporting on security issues is both a science and an art, with much human judgement necessary to interpret the reports from security tools
