What are some of the variables that determine how a given organization chooses to construct its InfoSec program?

journal article

Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness

MIS Quarterly

Vol. 34, No. 3 (September 2010)

, pp. 523-548 (26 pages)

Published By: Management Information Systems Research Center, University of Minnesota

https://doi.org/10.2307/25750690

https://www.jstor.org/stable/25750690

Abstract

Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since employees who comply with the information security rules and regulations of the organization are the key to strengthening information security, understanding compliance behavior is crucial for organizations that want to leverage their human capital. This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization's information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee's attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee's attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee's outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee's attitude toward compliance with the ISP. Our results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee's attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees' following their organizations' information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.

Journal Information

The editorial objective of the MIS Quarterly is the enhancement and communication of knowledge concerning the development of IT-based services, the management of IT resources, and the use, impact, and economics of IT with managerial, organizational, and societal implications. Professional issues affecting the IS field as a whole are also in the purview of the journal.

Publisher Information

Established in 1968, the University of Minnesota Management Information Systems Research Center promotes research in MIS topics by bridging the gap between the corporate and academic MIS worlds through the events in the MISRC Associates Program.

Every organization, regardless of size or revenue generated, needs an information security program.

It is the collection of policies, initiatives, and controls that underpins every cyber security effort involving confidential data. A well-developed information security program lets your organization take a comprehensive approach to protecting data such as protected health information (PHI), personally identifiable information (PII), and more.

However, not every organizational leader can define an information security program or pinpoint the components that make one effective. Without that foundational knowledge, confidential information may be left exposed to theft or disclosure by cyber criminals.

This blog post highlights the important parameters of such a program and explains how a robust information security program keeps your organization's sensitive data safe.

An information security program is the set of activities, projects, and initiatives that protect an organization's information technology environment and the business objectives that depend on it, and that help the organization meet the benchmarks (regulatory, contractual, or internal) it is held to.

The program's practices safeguard key business processes, IT assets, and employee data from prying eyes. The program also identifies the people, systems, and threats that can affect the security or confidentiality of those assets.

Constructing an effective program starts with identifying your information security goals. The more specific those objectives are to your organization's situation, the more meaningful and actionable the underlying initiatives will be. Once the goals are established, you can define the IT tools and other security resources needed to create, launch, and maintain each project.

The Elements of an Effective Information Security Program

While the strength of your information security program will depend on the goals you aim for and the assets at your disposal, there are several common elements that will put you in a position to succeed.

Essentially, the program should go beyond merely assessing risk and offering a handful of prevention recommendations. Your information security strategy must play an active role in targeting issues (especially those related to human risk) and mitigating risk through a broad set of projects.

Outlined below are the steps to follow when defining an information security program.

First, determine the expected results of accomplishing your information security goals: the security objectives, or the desired state of security, that the program is meant to reach.

Then determine your organization's current state of information security. A risk assessment, combined with a business impact analysis or security audits, gives a clear picture of the current security posture and of the weak points in the infrastructure. The more detail you capture at this stage, the easier the later steps will be.

Next, a gap analysis measures the difference between the current state and the desired state and drives a security strategy for closing that difference. From the strategy, a roadmap is produced for developing the security program that will implement it.

The roadmap generally covers the people, processes, technology, and other resources required, and describes the approach and the steps to be taken to execute the strategy.

The final step is to manage the security program so that it achieves its objectives and delivers the expected results. The program in question must be designed to provide an appropriate level of confidentiality, integrity, and availability for company information. It also needs adequate resources and the visible support of your organization's management.
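The steps above (desired state, current state, gap analysis, roadmap) are easy to state and easy to do inconsistently. As an added example, not taken from the original post or from Terranova, the following Python sketch turns a small control register into a gap analysis and a prioritized roadmap, and checks each control's residual risk against a risk appetite threshold. The maturity scale (0 to 5), the residual-risk formula (each maturity level earns a proportional reduction of inherent risk), the appetite threshold, and the sample register are all assumptions made for illustration, not a standard or real organizational data.

```python
"""Gap analysis and roadmap for an information security program (added example).

Assumptions, not a standard: maturity is scored 0..5, inherent risk is
likelihood x impact on 1..5 scales, each maturity level removes 1/5 of the
inherent risk, and residual risk above RISK_APPETITE must be treated.
"""
from dataclasses import dataclass
from typing import Optional

MAX_MATURITY = 5      # assumed maturity scale: 0 (absent) .. 5 (optimized)
RISK_APPETITE = 8.0   # assumed threshold: residual risk above this must be mitigated


@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    likelihood: int   # 1..5, chance the risk materializes with the control absent
    impact: int       # 1..5, business impact from the BIA if it does
    current: int      # assessed maturity today (risk assessment / audit result)
    target: int       # desired maturity (the security objective)


def inherent_risk(c: Control) -> int:
    """Likelihood x impact with no credit for the control (1..25)."""
    return c.likelihood * c.impact


def residual_risk(c: Control, maturity: Optional[int] = None) -> float:
    """Risk remaining at a given maturity level (default: the current level).
    Assumed model: each maturity level removes 1/MAX_MATURITY of inherent risk."""
    level = c.current if maturity is None else maturity
    level = max(0, min(level, MAX_MATURITY))       # clamp out-of-range scores
    return round(inherent_risk(c) * (1 - level / MAX_MATURITY), 2)


def gap_analysis(register, appetite=RISK_APPETITE):
    """For each control: gap between current and desired state, residual risk
    now and at target, and the treatment decision against the risk appetite."""
    findings = []
    for c in register:
        gap = max(0, c.target - c.current)          # a control above target has no gap
        now = residual_risk(c)
        if now > appetite:
            treatment = "mitigate"                   # exceeds appetite: raise maturity
        elif gap > 0:
            treatment = "accept (track)"             # within appetite, still below target
        else:
            treatment = "accept"
        findings.append({
            "control": c.control_id,
            "name": c.name,
            "gap": gap,
            "residual_now": now,
            "residual_at_target": residual_risk(c, c.target),
            "treatment": treatment,
        })
    return findings


def build_roadmap(findings):
    """Roadmap: controls that must be mitigated, highest residual risk first,
    larger gaps first on ties."""
    todo = [f for f in findings if f["treatment"] == "mitigate"]
    return sorted(todo, key=lambda f: (-f["residual_now"], -f["gap"]))


def within_appetite_ratio(findings) -> float:
    """Program metric: share of controls whose residual risk is within appetite."""
    if not findings:
        return 1.0
    ok = sum(1 for f in findings if f["treatment"] != "mitigate")
    return round(ok / len(findings), 2)


# Constructed sample register for illustration (not real data).
REGISTER = [
    Control("AC-1", "MFA on remote access",         likelihood=4, impact=5, current=2, target=5),
    Control("BC-1", "Backup restore testing",       likelihood=3, impact=5, current=4, target=5),
    Control("AW-1", "Security awareness training",  likelihood=4, impact=3, current=1, target=4),
    Control("DC-1", "Data classification",          likelihood=2, impact=4, current=0, target=3),
]

if __name__ == "__main__":
    results = gap_analysis(REGISTER)
    for f in build_roadmap(results):
        print(f"{f['control']:5} gap={f['gap']} residual {f['residual_now']} "
              f"-> {f['residual_at_target']} at target ({f['treatment']})")
    print("controls within appetite:", within_appetite_ratio(results))
```

Note the edge case in the sample: DC-1 sits exactly at the appetite threshold (residual 8.0), so it is accepted but tracked rather than put on the roadmap; whether "at appetite" means accept or mitigate is a decision management must make explicitly, which is why the comparison is a single, visible line.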

Here are some more detailed elements that should be included in a security program:

  • Policies, standards, procedures, and security guidelines are the principal tools for guiding the program's implementation and management. They can be based on recognized frameworks such as COBIT, ISO/IEC 27002, and ITIL.
  • A security architecture (covering people, processes, and technology) provides a framework for managing the complexity that arises when various security elements and projects are integrated.
  • Classification of information assets according to their criticality and sensitivity.
  • A risk management process covering risk identification, evaluation, and treatment, supported by a business impact analysis (BIA).
  • An effective incident and emergency response capability.
  • A security awareness training program for all users.
  • Involvement of the security team in project development (the software development life cycle, or SDLC) and in change management.
  • Definition and monitoring of metrics that show whether the security objectives are being met.

The program must also assign security roles and responsibilities precisely.

Information security awareness training is a critical element of the strategy because users are often the weakest security link. They must know and understand the policies, standards, and procedures in order to adopt safe practices and stay vigilant against the various threats they face.

Various laws and regulations now require an awareness and training program, yet evidence suggests that employees in many organizations are still not sufficiently aware. Multiple studies have shown that cyber security awareness training is an effective control for improving overall security.



Which of the following variables is the most influential in determining how you structure an information security program?

An organization's size is the variable that has the greatest influence on the structure of the organization's information security program.

What are some major components of an information security program?

The eight elements of an information security policy:

  1. Purpose
  2. Audience and scope
  3. Information security objectives
  4. Authority and access control policy
  5. Data classification
  6. Data support and operations
  7. Security awareness and behavior
  8. Responsibilities, rights, and duties of personnel

What is it called when an organization chooses to accept a certain amount of risk?

Risk appetite is the level of risk that an organization is willing to accept while pursuing its objectives, and before any action is determined to be necessary in order to reduce the risk.

What is included in the InfoSec planning model?

InfoSec planning includes incident response planning, business continuity planning, disaster recovery planning, policy planning, personnel planning, technology rollout planning, risk management planning, and security program planning.