Abstract

INTRODUCTION

Today, in large part, information security is the implementation of controls and best practices suggested by consultants, standard governing bodies (e.g., the National Institute of Standards & Technology (NIST) and the International Organization for Standardization / International Electrotechnical Commission (ISO/IEC)), the organization's information security department and, sometimes, the organization's employees. While the use of global standards of practice, top management and the information security department within the organization to guide information security planning and implementations may be useful, existing research consistently shows that a positive relationship exists between user involvement in planning and the effectiveness of the information systems function within organizations (Gottschalk, 1999; Sambamurthy et al., 1994; Segars & Grover, 1998). A deliverable of the information security planning process is the organization's information security policies and procedures. Standard governing bodies (NIST, ISO/IEC) and researchers (Bidgoli, 2003; Garrison & Posey, 2006) stress the importance of creating information security policies and provide guidance on the different types of information security policies that an organization may need.

This research attempts to examine the impact of end-user involvement and formalized information security policies on the effectiveness of the information security function within organizations. Specifically, this study focuses on two antecedent variables, collaborative exchange and formalization, and how they impact the effective utilization of the information security strategies of deterrence, detection and recovery. Collaborative exchange is an assessment of the extent of collaboration between upper-level management, end users and the information security function. Formalization is an assessment of the extent of established formal information security policies within an organization.

The purpose of this research is twofold. First, this research aims to examine the individual effects of formalization and collaborative exchange on the effectiveness of information security detection, deterrence, and recovery activities. Much of the effort expended in the management of information security is in developing and enforcing information security policies. By examining formalization separately, the impact of information security policy development on effective utilization of information security strategies can be assessed. The second aim of this research is to examine the impact of collaborative exchange and formalization in concert on the effectiveness of information security detection, deterrence, and recovery activities. Evaluating the complementary effect of collaborative exchange and formalization on effective utilization of information security strategies provides evidence supporting the importance of establishing information security policies with input and effort from all major constituencies within the organization.

This study makes several contributions to the literature and practice. First, this research provides insight into how management choices with regard to establishing formal communication channels and developing information security policies may impact the effectiveness of the information security function. Second, the presence of the dependent variable, effectiveness of detection, deterrence and recovery activities, gives academics and practitioners a success measure which can guide more effective decision making in the information security domain.

The remainder of this manuscript is organized as follows. The next section discusses the literature supporting the constructs of interest in this study. The following two sections will present the methodological approach taken in this study and the results of data collection. The next section will present the efforts in data analysis. The last section will present a discussion of the important findings and limitations of this research. …
