Information security management objectives and practices: a parsimonious framework

Abstract

PurposeAs part of their continuing efforts to establish effective information security management (ISM) practices, information security researchers and practitioners have proposed and developed many different information security standards and guidelines. Building on these previous efforts, the purpose of this study is to put forth a framework for ISM.Design/methodology/approachThis framework is derived from the development of an a priori set of objectives and practices as suggested by literature, standards, and reports found in academia and practice; the refinement of these objectives and practices based on survey data obtained from 354 certified information security professionals; and the examination of interrelationships between the objectives and practices.FindingsThe empirical analysis suggests: four factors (information integrity, confidentiality, accountability, and availability) serve as critical information security objectives; most of the security areas and items covered under ISO 17799 are valid with one new area – “external” or “inter‐organizational information security”; and for moderately information‐sensitive organizations, “confidentiality” has the highest correlation with ISM practices; for highly information‐sensitive organizations, “confidentiality”, “accountability”, and “integrity” are the major ISM objectives. The most important contributor to information security objectives is “access control”.Research limitations/implicationsThis study contributes to the domain of information security research by developing a parsimonious set of security objectives and practices grounded in the findings of previous works in academia and practical literature.Practical implicationsThese findings provide insights for business managers and information security professionals attempting to implement ISM programs within their respective organizational settings.Originality/valueThis paper fulfills a need in the information security community for a parsimonious set of objectives and practices based on the many guidelines and standards available in both academia and practice.