Assessment of information security maturity. An exploration study of Malaysian public service organizations

Pages: 23-57
DOI: https://doi.org/10.1108/13287261211221128
Date: 17 March 2012
Published date: 17 March 2012
Authors: Suhazimah Dzazali, Ali Hussein Zolait
Subject matter: Information & knowledge management
Suhazimah Dzazali, National Institute of Public Administration, Cyberjaya, Malaysia
Ali Hussein Zolait, Department of Information Systems, College of Information Technology, University of Bahrain, Sakhir, Bahrain
Abstract
Purpose – The purpose of this paper is to examine the basic factors involved in the information security management systems of Malaysian public service (MPS) organizations. To that end, it presents an empirical analysis conducted to identify the antecedents of the information security maturity (ISM) of an organization and to clarify the relationship between ISM and the social and technical factors identified.

Design/methodology/approach – This study uses a quantitative approach and convenience sampling; the required data were collected from 970 key players (managers in information security) in a total of 722 government agencies, through a self-administered survey. The research adopted the Wallace et al. process to develop and validate the study's instrument.

Findings – The paper provides empirical insights and reveals a number of underlying dimensions of social factors and one technical factor. Risk management was found to be the formal coping mechanism adopted in the MPS organizations and is the leading factor towards ISM. The social factors have the most influence on MPS organizations' ISM. Findings demonstrate that two independent variables, risk management and individual perception, discriminate between those organizations that have high and low ISM.

Research limitations/implications – The research results may lack generalizability; therefore, researchers are encouraged to test the proposed propositions further in a different context.

Practical implications – The paper includes implications for the development of a powerful instrument in explaining ISM. Moreover, it helps internal stakeholders of an organization to formulate a more appropriate policy or give a more effective focus on issues that are really relevant to MPS information security management.

Originality/value – This paper fulfils the identified need to explore determinants of information security maturity.

Keywords: Malaysia, Data management, Risk management, Data security, Information security, Public service organizations, Security management, Security assessment, Security maturity, Security awareness

Paper type: Research paper
Received 23 April 2011
Revised 8 November 2011
Accepted 25 January 2012
Journal of Systems and Information Technology, Vol. 14 No. 1, 2012, pp. 23-57
© Emerald Group Publishing Limited, 1328-7265

1. Introduction
It has been established that information is one of the most important assets which an organization may possess. Since most organizations have made the move from the physical world into cyberspace, this asset has been under attack from a multitude of new sources (Jessup and Valacich, 2008). Consequently, information security has propelled itself into the limelight as the preferred method to secure the organization's information assets. However, because information security is a complex, dynamic and multifaceted discipline in which no single component may be ignored, the effective management of this discipline is pivotal for any organization wishing to survive and thrive in the information age.
Many studies have concentrated on the issue of how to protect information systems from cyber threats, mostly from the technical angle (Hovav and D'Arcy, 2003; ISO 27001, 2005; Jessup and Valacich, 2008). Meanwhile, information related to the security management issues in the information system domain is mostly derived from international standards, guidelines and conceptual papers (Eloff, 2002; Fulford and Doherty, 2003; COBIT, 2002; SSE-CMM, 2003). The authors of this research, however, were motivated to address another issue related to the topic of information security management: given the constraints and challenges confronting most organizations in meeting their goals and managing daily operations, what would be the pragmatic social management approach to adopt in order to protect their information assets and ensure business continuity? A further question arose from this: what are the factors that contribute towards attaining information security management maturity? In addition, do the social factors (i.e. organization structure, individual perception of information security, awareness and training culture, social barriers, and technical barriers) have positive relationships with the technical factor (risk management mechanism) in the context of information security maturity (ISM) applied to the organizations in the Malaysian public service (MPS)?
2. Literature review
Some information security experts have asserted that the level of information security sought in any particular situation should be commensurate with the value of the information and the loss, financial or otherwise, that might ensue from any improper use, disclosure, degradation, or denial of the information asset (Peltier, 2001; Schneier, 2002). In any case, as this statement is a formally stated policy, MPS organizations have a huge challenge on their hands: the organizations must secure their information assets in the face of the increasing complexity, uncertainty, and interconnection brought by intensifying reliance on technology to accomplish their own mission. MPS organizations must also be mindful of the regulations and directives coming from the central agencies.

Information security is a business or organizational problem that must be framed and solved in the context of the organization's strategic drivers, which include its mission, goals, and objectives. Two renowned researchers, Solms and Solms (2004), identify that organizations need to realise that protection of information is a business issue and not a technical one. They add that information security management is a multi-dimensional discipline, and that all dimensions must be taken into account to ensure a proper and secure environment for organization information assets. Some of the dimensions identified are corporate governance, organizational, policy, best practice, ethical, compliance, legal, personnel/human, awareness, technology, measurement/metrics and audit.
2.1 Information security maturity
Eloff (2002) highlighted that an organization will have to use a code of best practice to
assess a policy and related procedures; combine that with benchmarking methods
to be able to compare with other organizations; and include the compliance results of
internal guidelines to determine if the security objectives are met. The interest in
assessing the security posture has seen some development in other mechanisms adopted
from the engineering knowledge domain. One such mechanism is the measurement of
information security process maturity. In order to have a better understanding of the
ISM concepts and dimensions, researchers discussed three related models on ISM.
The first model is Control Objectives for Information and Related Technology (COBIT) Part 3: The Management Guidelines (COBIT, 2002). It considers all aspects of information and information and communication technology (ICT) infrastructure, and its usage has also been expanded to the management of organizations, as it can be used to help provide appropriate guidance for ICT governance. The guideline is meant to assist senior management to implement an appropriate information security management capability, without detracting from the strategic advantages that can be gained by the organization in facilitating business growth through the sensible use of technology.
The second model is the System Security Engineering-Capability Maturity Model
V3.0 (SSE-CMM, 2003) which targets the processes used to attain information
technology systems, specifically on the maturity of those processes. It is used to
improve and assess security engineering capability that covers activities crossing the
entire trusted product or secure system life cycle, including concept definition,
requirements analysis, design, development, integration, installation, operations,
maintenance, and decommissioning. The SSE-CMM and the appraisal method for
applying the model are intended as a tool for engineering organizations to evaluate
their security engineering practices and define improvements to them.
The third model is the Information Security Management Maturity Model (ISM3) Version 1.0. Aceituno (2004) defines maturity in terms of information security management processes and three broad levels of management responsibility: strategic, tactical and operational. Strategic management deals with broad goals and the provision of resources; the tactical level deals with specific goals and the management of resources; and the operational level deals with activities for achieving defined goals. ISM3 looks for evidence of the existence of processes in these three categories.
The comparison of the three models is summarized in Table I.
Although the goals and scope of coverage of the maturity assessment differ slightly, all the maturity models are process-oriented standards that use maturity levels. Processes are allocated to maturity levels to show a spectrum of development. The adopted processes set a quality standard for each maturity level. Documentation and document management are required to ensure that selected processes conform to the standard, are repeatable, and are subject to review. The specific information security management processes implemented determine the benefits obtained at each maturity level. COBIT is more similar to ISM3 in that the target domain is all aspects (management and technical) of information and the supporting ICT system. SSE-CMM is targeted at the technical aspect of ICT and engineering. SSE-CMM advocates the view that the security phenomenon should be quantified and controlled. As a whole, the maturity criterion is to identify industrial practices where there is an effort to recognize cause-effect relations, and turn these into a form of maturity standard. While a technical approach is sufficient for pure computer systems with no social dimensions, it is inadequate for addressing information systems security, where there is a human or social component.
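The staged-level logic just described (processes allocated to levels; a level attained only when every process at and below it is documented, repeatable and subject to review), as an added worked illustration that is not code from the paper or from COBIT, SSE-CMM or ISM3. The process inventory, its names and its level assignments are constructed for the example.

```python
from dataclasses import dataclass
# Constructed illustration (not code from the paper, COBIT, SSE-CMM or ISM3) of the
# staged logic described above: each process is allocated to a maturity level, and a
# level is attained only when every process at that level and all lower levels meets
# the level's quality standard (here: documented, repeatable, subject to review).
CRITERIA = ("documented", "repeatable", "reviewed")

@dataclass(frozen=True)
class Process:
    name: str
    level: int          # maturity level the process is allocated to (1 = lowest)
    documented: bool = False
    repeatable: bool = False
    reviewed: bool = False

    def missing(self) -> list:
        """Criteria of the quality standard that this process does not yet meet."""
        return [c for c in CRITERIA if not getattr(self, c)]

def attained_level(processes, max_level=5) -> int:
    """Highest level L such that every process at levels 1..L conforms.
    A level with no allocated process offers no evidence, so it is not attained."""
    attained = 0
    for lvl in range(1, max_level + 1):
        at_level = [p for p in processes if p.level == lvl]
        if not at_level or any(p.missing() for p in at_level):
            break
        attained = lvl
    return attained

def gaps(processes, target_level) -> dict:
    """Non-conforming processes at or below target_level, with their missing criteria."""
    return {p.name: p.missing() for p in processes
            if p.level <= target_level and p.missing()}

# Constructed sample inventory; names are hypothetical and only echo dimensions the
# paper lists (policy, risk, awareness/training, metrics and audit).
SAMPLE = [
    Process("Security policy", 1, True, True, True),
    Process("Risk assessment", 2, True, True, True),
    Process("Awareness and training", 2, True, True, True),
    Process("Incident handling", 3, True, True, False),  # never reviewed
    Process("Security metrics", 4, True, False, False),
    Process("Internal audit", 5),
]

if __name__ == "__main__":
    print("attained level:", attained_level(SAMPLE))  # 2
    print("blocking level 3:", gaps(SAMPLE, 3))  # {'Incident handling': ['reviewed']}
```

The gap report is the practical output: it names which process, and which missing criterion, caps the organization below the next level.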
As COBIT and ISM3 cover the environment and mission of the organization, these
models appear to include social dimensions in addition to the technical dimension
of ICT. COBIT is more explicit in defining these dimensions although it is briefer and