The challenges of information security management A qualitative study on the organizational factors influential to the implementation of an Information Security Management System
No Thumbnail Available
In today’s era, there is a need for information security management in organization to protect the organization’s information. A structured way by which information security management can be approached is through the implementation of an Information Security Management System, an ISMS, which consists of a set of policies, methods, and processes that organizations implement to protect their information security. Many standards, studies and best practices prescribe how such an ISMS should be implemented to ensure information security. However, whether organizations succeed at implementing such an ISMS and what organizational factors may influence this ISMS implementation within an organization has not been examined thoroughly. Within this qualitative study, it was examined how organizational factors influence these ISMS implementations. As a result, three organizational factors and the interdependencies between and within these factors were identified: 1) the Human Factor, 2) the Resource and Approach Factor, and 3) the Top Management Factor. The Human Factor reflects the influence employees and key internal stakeholders involved in the ISMS have on the implementation. The Resource and Approach Factor concerns the resources that are available for the ISMS, the approach the organization takes to ensure an effective ISMS implementation and reflects on the role of and possible dependency on external parties as part of this process. The Top Management Factor is concerned with establishing top management’s commitment and includes the top management’s motivation for and perception of information security. This is further affected by the effectiveness of the issue selling of information security to top management, by key stakeholders involved in the ISMS, which often requires external help. It was concluded that the Human Factor and the Resource and Approach Factor both directly influence ISMS implementations and each other, while the Top Management Factor indirectly influences ISMS implementations through its influence on these Human Factor and Research and Approach Factor. Moreover, three characteristics of information security were identified as explaining why organizations sometimes face difficulties with their information security management: 1) the broadness in the scope of information security in organizations, 2) the understandability of information security, and 3) the difficulty of quantifying information security.
Faculteit der Managementwetenschappen