Kwo-Shing Hong
Department of Management Information Systems, National Cheng-Chi University,
and Overall Planning Department, Control Yuan of Republic of China, Taiwan
Yen-Ping Chi
Department of Management Information Systems, National Cheng-Chi University,
Taiwan
Louis R. Chao
Institute of Management Science, Tamkang University, and Control Yuan of
Republic of China, Taiwan
Jih-Hsing Tang
Tak Ming College, Taipei, Taiwan
Keywords: Information systems, Control systems, Risk management, Systems theory, Contingency planning
Abstract
1. Introduction
Information is one of the most important enterprise assets. For any organization, information is valuable and should be appropriately protected (BS 7799-2, 1999). Security combines systems, operations and internal controls to ensure the integrity and confidentiality of data and operating procedures in an organization. With the advent of information technology, the users of information systems have evolved from IT specialists who access information facilities, to non-IT personnel performing regular operations, to unspecified individuals from outside. That is to say, with the serious threat posed by unauthorized users on the Internet, information security faces unprecedented challenges, and effective information security management is one of the major concerns (Eloff and Solms, 2000; Schultz et al., 2001).
Although there is plenty of security technology research, surprisingly few information security management studies are found in the literature. It was not until 1995, when the British Standards Institution (BSI) established BS7799-1, "Information Security Management Part I: Code of Practice for Information Security Management", that a more complete management framework for information security emerged. Because of the lack of information security management theory, few empirical studies have been conducted to examine the effectiveness of management strategies and tools. Thus, the authors would like to combine five related theories (information policy theory, risk management theory, control and audit theory, management system theory, and contingency theory) to develop an integrated theory of information security management (ISM) which may be used as a foundation for
The Emerald Research Register for this journal is available at
http://www.emeraldinsight.com/researchregister
2. Literature review
2.1 Definitions and coverage
3. An integrated theory
3.1 The construction of a theory
Table I. Summary of information security management theories

| Theory | Managerial activities | Nature of activities | Source |
| --- | --- | --- | --- |
| Security policy theory | | Sequential, periodic | Flynn; Gupta et al.; Kabay |
| Risk management theory | Risk assessment; risk control; review and modification | Sequential, periodic | Luthans; Wright |
| Control and audit theory | | Sequential, periodic | ISO/IEC 17799; COBIT |
| Management system theory | | Sequential | BS7799; Schultz et al. |
| Contingency theory | | Contingency | Drazin et al.; Kaplan; Lee et al.; Tudor |
Figure 1. A diagrammatical illustration of integrated system theory (the figure shows four strategies: policy strategy, risk management strategy, control and audit strategy, and management system strategy)
4. Conclusion
Organizations nowadays rely heavily on information technology, and information security has attracted a great deal of attention; however, few information security strategies and guidelines are available to practitioners. This may result from a lack of coherent and comprehensive information security management theory. This paper integrates the perspectives of security policy, risk management, control and audit, management system and contingency theories and builds an integrated system theory (IST), which may lay a more solid foundation for further empirical studies. The contributions of this study are as follows:

- It provides rich information security strategies, procedures and theories for researchers and for information security decision makers, planners, providers and users, so that they can better understand information security from different perspectives.
- It explains organizational behavior regarding information security management, and provides alternatives for organizational security management strategies.
- The theory proposed in this paper could be applied to predict organizational attitudes and behavior towards information security management, and could benefit information security decision making.
- The theory could be a building block for further information security management research and a guide for future empirical studies.
References