Institutionalizing Information Security Risk Management: A Multi-Method Empirical Study on the Effects of Regulation
Open Access
- Author:
- Spears, Janine L.
- Graduate Program:
- Business Administration
- Degree:
- Doctor of Philosophy
- Document Type:
- Dissertation
- Date of Defense:
- September 21, 2007
- Committee Members:
- Russell Richard Barton, Committee Chair/Co-Chair
Johann Baumgartner, Committee Member
John Watson Bagby, Committee Member
Peng Liu, Committee Member
Timothy Grant Pollock, Committee Member - Keywords:
- institutional theory
information security
risk management
regulation
multi-method
Sarbanes-Oxley - Abstract:
- Information security has traditionally focused on known vulnerabilities to technological assets in order to safeguard organizational information from external threats, such as hackers and viruses. However, the majority of information security breaches are believed to be caused by internal employees, suggesting that more attention may be needed in managing internal people and process-related threats and vulnerabilities. In recent years, a series of regulations has forced organizations to manage various aspects of information security-related risk. The research question examined is: How does regulation affect information security risk management? A multi-method study was conducted. Interviews with twenty practitioners across ten organizations were conducted as part of a qualitative interpretive study. Informants included participants in Sarbanes-Oxley compliance and information security experts. Interpretive results informed a theoretical model that was tested in a subsequent positivist study. Institutional theory and process maturity were applied to examine the effects of regulation on institutionalizing information risk management practices. Two hundred and eighteen completed survey responses were obtained from ISACA members, a professional association specialized in IT audit and governance. A multi-dimensional model was examined using structural equation modeling. The model contained both causal and effect indicators, resulting in a model that is both descriptive and predictive. Findings from both the interpretive and positivist studies suggest that regulation may contribute to institutionalized risk management in at least two ways. First, regulation encourages a more formalized risk management process because organizations must be able to provide documented proof of their practices for compliance. Secondly, regulation raises the level of organizational awareness of information risk management when business managers are explicitly held accountable or when the regulation is aimed at business processes. Mature risk management practices and business participation in managing risk were found to result in an organizational culture that exhibits a shared language, heightened awareness, and business ownership of risk management. Results from the interpretive study suggested that information security has two dimensions: management and practice. Support for these two dimensions was found in the positivist study. Institutionalized information security risk management was found to result in improved performance of operational and technical security controls from increased efficiency.