IT Security Planning


Information Technology Security Planning

Abstract

Organizations integrate information security measures through information security planning and policy development. This study aims to examine how the extent of collaborative exchange within the organization and extent of formalization of the information security function impact the effective utilization of well-established information security objectives. The security objectives of interest, described in general deterrence theory, are deterrence, detection and recovery. This study finds that organizations that exhibit higher levels of collaborative exchange and develop and implement more information security policies are more effectively utilizing the information security strategies of detection, deterrence and recovery. This study highlights the importance of the complementary nature of collaborative exchange and formalization within the information security discipline.

Table of Contents

Abstract

Introduction

Literature Review

IT Sector

Overcoming Barriers

Core Transformation Process

Research Problem Development

Collaborative exchange and formalization

Method

Results

Data Analysis

PLS Analysis

Discussion And Limitations

References


Introduction

Today, in large part, information security is the implementation of controls and best practices suggested by consultants, standard governing bodies (e.g., the National Institute of Standards & Technology (NIST) and the International Organization for Standardization / International Electrotechnical Commission (ISO/IEC)), the organization's information security department and, sometimes, the organization's employees. While the use of global standards of practice, top management and the information security department within the organization to guide information security planning and implementations may be useful, existing research consistently shows that a positive relationship exists between user involvement in planning and the effectiveness of the information systems function within organizations.

A deliverable of the information security planning process is the organization's information security policies and procedures. Standard governing bodies (NIST, ISO/IEC) and researchers stress the importance of creating information security policies and provide guidance on the different types of information security policies that an organization may need.

This research attempts to examine the impact of end-user involvement and formalized information security policies on the effectiveness of the information security function within organizations. Specifically, this study focuses on two antecedent variables, collaborative exchange and formalization, and how they impact the effective utilization of the information security strategies of deterrence, detection and recovery. Collaborative exchange is an assessment of the extent of collaboration between upper-level management, end users and the information security function. Formalization is an assessment of the extent of established formal information security policies within an organization.

The purpose of this research is twofold. First, this research aims to examine the individual effects of formalization and collaborative exchange on the effectiveness of information security detection, deterrence, and recovery activities. Much of the effort expended in the management of information security is in developing and enforcing information security policies. By examining formalization separately, the impact of information security policy development on effective utilization of information security strategies can be assessed. The second aim of this research is to examine the impact of collaborative exchange and formalization in concert on the effectiveness of information security detection, deterrence, and recovery activities. Evaluating the complementary effect of collaborative exchange and formalization on effective utilization of information security strategies provides evidence supporting the importance of establishing information security policies with input and effort from ...