Institutionalizing Information Security Risk Management: A Multi-Method Empirical Study on the Effects of Regulation

Open Access
Spears, Janine L.
Graduate Program:
Business Administration
Doctor of Philosophy
Document Type:
Date of Defense:
September 21, 2007
Committee Members:
  • Russell Richard Barton, Committee Chair
  • Johann Baumgartner, Committee Member
  • John Watson Bagby, Committee Member
  • Peng Liu, Committee Member
  • Timothy Grant Pollock, Committee Member
  • institutional theory
  • information security
  • risk management
  • regulation
  • multi-method
  • Sarbanes-Oxley
Information security has traditionally focused on known vulnerabilities to technological assets in order to safeguard organizational information from external threats, such as hackers and viruses. However, the majority of information security breaches are believed to be caused by internal employees, suggesting that more attention may be needed in managing internal people and process-related threats and vulnerabilities. In recent years, a series of regulations has forced organizations to manage various aspects of information security-related risk. The research question examined is: How does regulation affect information security risk management? A multi-method study was conducted. Interviews with twenty practitioners across ten organizations were conducted as part of a qualitative interpretive study. Informants included participants in Sarbanes-Oxley compliance and information security experts. Interpretive results informed a theoretical model that was tested in a subsequent positivist study. Institutional theory and process maturity were applied to examine the effects of regulation on institutionalizing information risk management practices. Two hundred and eighteen completed survey responses were obtained from ISACA members, a professional association specialized in IT audit and governance. A multi-dimensional model was examined using structural equation modeling. The model contained both causal and effect indicators, resulting in a model that is both descriptive and predictive. Findings from both the interpretive and positivist studies suggest that regulation may contribute to institutionalized risk management in at least two ways. First, regulation encourages a more formalized risk management process because organizations must be able to provide documented proof of their practices for compliance. Secondly, regulation raises the level of organizational awareness of information risk management when business managers are explicitly held accountable or when the regulation is aimed at business processes. Mature risk management practices and business participation in managing risk were found to result in an organizational culture that exhibits a shared language, heightened awareness, and business ownership of risk management. Results from the interpretive study suggested that information security has two dimensions: management and practice. Support for these two dimensions was found in the positivist study. Institutionalized information security risk management was found to result in improved performance of operational and technical security controls from increased efficiency.