An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks

2023 | Information Systems Frontiers | Citations: 0

Authors: Herath, Tejaswini C.; Herath, Hemantha S. B.; Cullum, David

Abstract: As organizations have become increasingly reliant on information systems, senior ... Expand

Abstract: As organizations have become increasingly reliant on information systems, senior managers are keen in assessing the progress of implemented information security strategies. Although the balanced scorecard approach has been suggested for security governance, a critical issue affecting information security practitioners is complexity, as there are many standards and frameworks, with duplication and overlaps to adhere to when organizing the data. Consequently, the article attempts to develop a more inclusive framework for information security governance, a research gap recently identified in the literature. The article maps five governance and control frameworks (COBIT, SABSA, ISG, ITIL, and ISO 27000) to the information security balanced scorecard (InfoSec BSC) to develop a conceptual design of an effective information security performance measurement tool that can be used by senior managers. Using a real-life case application and interviews with a panel of experts, the article identifies IS initiatives, performance measures for each of the mapped objectives derived from governance and control frameworks that may provide guidance for practitioners. Collapse

Topics: data security COBIT IT security ITIL information security management

Methods: qualitative interview case study personal interview survey delphi study

Theories: theory of everything

Guiding the Development of Interoperable Health Information Systems: A Conceptual IT Governance Framework

2023 | DESRIST | Citations: 0

Authors: Matshaba, Lebogang; Nxozi, Monelo; Herselman, Marlien

Abstract: In the midst of dynamic healthcare needs, health information systems’ lack of in ... Expand

Abstract: In the midst of dynamic healthcare needs, health information systems’ lack of interoperability continues to hinder the health sector’s ability to provide healthcare services. For instance, the recent COVID-19 epidemic has sparked discussion about the health department’s ability to meet healthcare needs and the readiness of the National Health Insurance initiative in South Africa. Moreover, operating in resource-constrained circumstances presents a further obstacle and raises questions as to whether quality healthcare services can be delivered to patients. Following the Design Science Research Methodology (DSRM) process, this paper developed an IT governance conceptual framework, termed the HISIG-CF, to inform the interoperability of health information systems. The HISIG-CF was developed using literature and insights garnered from qualitative data using expert reviews from practitioners in the healthcare industry. The results indicated a need for more guidance to inform interoperability interventions and strengthen current health information systems through the use of well-defined IT Governance frameworks and mechanisms. Furthermore, the HISIG-CF was deemed adequate to improve health information systems interoperability within the healthcare sector in the North West, with prospects for usage across South Africa. Collapse

Topics: health information system IT governance COBIT

Methods: design science structured literature research literature study qualitative content analysis design artifact

Theories: institutional theory

An assimilation maturity model for IT governance and auditing

2022 | Information & Management | Citations: 0

Authors: Dutta, Amitava; Roy, Rahul; Seetharaman, Priya

Abstract: This study develops a conceptual model of organizational IT assimilation maturit ... Expand

Abstract: This study develops a conceptual model of organizational IT assimilation maturity based on constructs in the IS literature, qualitative data analysis of three exploratory case studies, and general morphological analysis (GMA). We inductively extract four dimensions of IT assimilation – business processes, information architecture, IT processes, and end-users – and characterize different maturity levels for each dimension. Applying Zwicky’s GMA on the combinatorially large space of IT assimilation configurations, we prune the space to a more limited number of internally consistent and empirically feasible IT assimilation maturity profiles. We discuss how the model can support IT audit and governance activities. Collapse

Topics: IT governance business process management information system use IT workforce information technology infrastructure

Methods: qualitative interview case study conceptual modelling grounded theory personal interview

Impact of IT governance process capability on business performance: Theory and empirical evidence

2022 | Decision Support Systems | Citations: 1

Authors: Joshi, Anant; Benitez, Jose; Huygh, Tim; Ruiz, Laura; De Haes, Steven

Abstract: In the digital economy, firms’ IT resource investments represent a significant p ... Expand

Abstract: In the digital economy, firms’ IT resource investments represent a significant portion of their capital investments. IT governance processes are critical for companies to decide what and how to deploy IT resources and measure and achieve the expected business benefits. This study introduces and measures the concept of IT governance process capability, which is defined as the firm’s ability to identify, design, implement and leverage the following IT governance processes: IT decision-making, IT planning, IT infrastructure modernization, IT services delivery, and IT monitoring. We propose that IT governance process capability can improve IT performance, which in turn can improve business performance. Using a unique dataset from 881 global companies, we found support for the proposed research model. This paper contributes to the Information Systems (IS) literature on business value of IT by conceptualizing, evaluating, and introducing the construct of IT governance process capability and theorizing and proving how this core IT capability positively affects IT performance to enhance business performance. Collapse

Topics: IT governance organizational productivity IT productivity COBIT organizational value

Methods: survey theory development triangulation partial least squares regression statistical hypothesis test

Designing a Thrifty Approach for SME Business Continuity: Practices for Transparency of the Design Process

2022 | Journal of the Association for Information Systems | Citations: 6

Authors: Järveläinen, Jonna; Niemimaa, Marko; Zimmer, Markus

Abstract: Business continuity (BC) management is an organizational approach to preparing ... Expand

Abstract: Business continuity (BC) management is an organizational approach to preparing information systems (IS) for incidents, but such approaches are uncommon among small and medium-sized enterprises (SMEs). Past research has indicated a gap in approaches that are designed for SMEs since BC management approaches tend to originate from larger organizations and SMEs lack the resources to implement them. To fill this gap, and to respond to a practical need by an IT consultancy company, we employed design science research (DSR) to develop a BC approach for SMEs coined as the thrifty BC management approach. Jointly with the company's practitioners, we developed a set of metarequirements for BC approaches for SMEs anchored in prior BC literature, practitioners' practical expertise, and the theories of collective mindfulness and sociotechnical systems. We evaluated our thrifty BC management approach with multiple SMEs. These evaluations suggest that the designed approach mostly meets the defined meta-requirements. Moreover, the evaluations offered ample opportunities for learning. The design process, unfolding in a real-world setting, was precarious, rife with contingencies and ad hoc decisions. To render the design process transparent, we adapted four writing conventions from the confessional research genre familiar to ethnographic research but novel to DSR. We offer a threefold contribution. First, we contribute to SMEs' BC with meta-requirements and their instantiation in a new BC approach (artifact); second, we contribute with four practices of confessional writing for transparency of DSR research; and third, we contribute with reflections on our theoretical learning from throughout the design process.Marko Niemimaa is an associate professor at the University of Agder and an adjunct professor at the University of Turku. His research focuses on the organizational aspects and implications of cybersecurity and philosophical aspects of IS research, including sociomateriality. His work has been published in top-tier IS outlets, such as Collapse

Topics: mindfulness business continuity planning business process management decision making pseudonymity

Methods: design process design artifact design theory design requirement ethnography

Theories: sociotechnical systems theory socio technical theory

Together or Not? Exploring Stakeholders in Public and Permissionless Blockchains

2022 | HICSS | Citations: 1

Authors: Schmid, Roman; Ziolkowski, Rafael; Schwabe, Gerhard

Abstract: The emergence of blockchain projects enables new ways of collaboration between u ... Expand

Abstract: The emergence of blockchain projects enables new ways of collaboration between untrusted parties. Each of these projects, however, only exists because stakeholders of these projects find common ground. If this common ground is not found, blockchains are forked – organizationally and technically – which endangered major blockchain systems like Bitcoin or Ethereum. To assure the operation of such projects and, thus, to improve their governance, it is crucial to understand their stakeholders. This research conducted a literature review and a survey to (1) identify blockchain stakeholders and to (2) understand their interests as well as underlying motives for their interests. This research has two main contributions: a stakeholder map, which serves as a lens to study stakeholders of public blockchains, and exemplary insights from the application of this lens comprising of 74 survey responses. Consequently, this research provides a novel tool for stakeholder analysis in academia and practice to improve blockchain governance. Collapse

Topics: blockchain COBIT IT governance data security smart contract

Methods: survey literature study survey design literature sample mixed method

The Impact of Executives’ IT Expertise on Reported Data Security Breaches

2021 | Information Systems Research | Citations: 0

Authors: Haislip, Jacob; Lim, Jee-Hae; Pinsker, Robert

Abstract: Data security breaches (DSBs) are increasing investor and regulator pressure on ... Expand

Abstract: Data security breaches (DSBs) are increasing investor and regulator pressure on firms to improve their IT governance (ITG) in an effort to mitigate the related risk. Drawing on upper echelon theory, we argue that DSB risk cannot be mitigated by one executive alone, but, rather, is a shared leadership responsibility of the top management team (TMT; i.e., Chief Executive Officer (CEO), Chief Financial Officer (CFO), and Chief Information Officer (CIO)). By examining a sample of DSBs from 2005 to 2017, our study finds that CEOs with IT expertise are associated with fewer DSBs, with some evidence of a focus on DSBs containing consumer information. Our evidence also suggests that CFOs with IT expertise are less likely to report a DSB in general, as well as DSBs involving employee information or instigated by a person outside of the firm and, to a weaker extent, DSBs containing consumer information. Further, the presence of a CIO as part of the TMT is significantly associated with reduced DSBs of all types examined. Our results are robust to endogeneity concerns and an alternative propensity score matched sample. This study contributes a granular investigation of DSB risk involving executives with IT expertise that extends the upper echelon and ITG literatures. Collapse

Topics: Chief Information Officer data security risk management IT manager COBIT

Methods: propensity score method survey Compustat logistic regression experimental group

A Flexible Method for COBIT 2019 Process Selection

2020 | Americas Conference on Information Systems | Citations: 0

Authors: Fernandes, André; Almeida, Rafael; Silva, Miguel Mira da

Abstract: COBIT (Control Objectives for Information and Related Technologies) provides a ... Expand

Abstract: COBIT (Control Objectives for Information and Related Technologies) provides a framework that supports enterprises in achieving their objectives in the governance and management of enterprise IT. The current method for the selection and prioritisation of Management Objectives in COBIT 2019 does not provide enterprises with the flexibility to customise their Design Factors, which means that it is not possible to adapt the framework to their context. In this research, we propose an alternative method to the current one provided by COBIT 2019, which aims to solve this problem. We use a multicriteria decision-making method called the Analytic Hierarchy Process (AHP) in combination with the COBIT 2019 Design Factors to help organisations establish their priorities for a better implementation of COBIT 2019. In the evaluation step, we conduct a simulation and compare the results from both the current method and our proposed method against the decision of domain experts. Collapse

Topics: COBIT usability IT skill organizational value IT alignment

Methods: qualitative interview computational algorithm literature study simulation trade-off analysis method

Benchmarking Methodology for Information Security Policy (BMISP): Artifact Development and Evaluation

2020 | Information Systems Frontiers | Citations: 3

Authors: Kang, Martin (Dae Youp); Hovav, Anat

Abstract: The benchmarking of information security policies has two challenges. Organizati ... Expand

Abstract: The benchmarking of information security policies has two challenges. Organizations are reluctant to share data regarding information security and no two organizations are identical. In this paper, we attempt to propose an artifact for a benchmarking method of information security policy, which can resolve the above challenges. We employ design science methodology, activity theory and international standards to design the artifact as a proof of concept. The artifact facilitates the implementation of efficient information security policies. Organizations can utilize the artifact to analyze and benchmark information security policies. We illustrate the completeness and reliability of the artifact through a case study using information security policies from six companies. Collapse

Topics: security policy data security extensible markup language digital rights management ITIL

Methods: design artifact case study data modeling design science meta design

Theories: activity theory

Outsourcing in the Age of Digital Transformation

2020 | Americas Conference on Information Systems | Citations: 3

Authors: Rueckel, David; Krumay, Barbara; Schwarzgruber, Sabrina

Abstract: Past and current attempts in digital transformation are enduringly changing bus ... Expand

Abstract: Past and current attempts in digital transformation are enduringly changing business, requiring flexible strategic approaches and fast decisions. Companies seem to tend to rely on outsourcing for tackling this challenge. Consequently, companies need IT/IS outsourcing strategies fitting requirements. However, it remains unclear, how decisions on outsourcing contribute to strategic goals and supports successful digital transformation. Hence, in this study we aim at designing a model that enables companies to make their decisions in developing their outsourcing strategy considering digital transformation requirements. By adopting a design science approach, an artifact -the strategic outsourcing contribution (SOC) modelwas developed and partially evaluated within one case company. The model provides a structured approach to the development of an outsourcing strategy by integrating transparent decision making. In addition, it provides mechanisms to assess the contribution of the model to strategic goals influenced by digital transformation initiatives and attempts. Collapse

Topics: outsourcing digital transformation strategic management information systems strategy decision making

Methods: focus group qualitative content analysis design process trade-off analysis method analytic hierarchy process