
Contents lists available at ScienceDirect

Computers & Security

journal homepage: www.elsevier.com/locate/cose

A comprehensive model of information security factors for decision-makers

Rainer Diesch a,b,*, Matthias Pfaff a,b, Helmut Krcmar b

a fortiss GmbH, Guerickestr. 25, 80805 Munich, Germany

b Technical University of Munich, Boltzmannstr. 3, 85748 Garching, Germany

Article info

Article history: Received 9 January 2019; Revised 9 December 2019; Accepted 4 February 2020; Available online 4 February 2020

Keywords: Key Security Indicators; Security Success; Security Model; Security Management; Decision-Making; Expert Interview

Abstract

Decision-making in the context of organizational information security is highly dependent on various information. For information security managers, not only relevant information has to be clarified but also their interdependencies have to be taken into account. Thus, the purpose of this research is to develop a comprehensive model of relevant management success factors (MSF) for organizational information security. First, a literature survey with an open-axial-selective analysis of 136 articles was performed to identify factors influencing information security. These factors were categorized into 12 areas: physical security, vulnerability, infrastructure, awareness, access control, risk, resources, organizational factors, CIA, continuity, security management, compliance & policy. Second, an interview series with 19 experts from the industry was used to evaluate the relevance of these factors in practice and explore interdependencies between them. Third, a comprehensive model was developed. The model shows that there are key security indicators which directly impact the security status of an organization while other indicators are only indirectly connected. Based on these results, information security managers should be aware of direct and indirect MSFs to make appropriate decisions.

© 2020 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).

1. Introduction

Today, most businesses are based on or even fully dependent on information, such as financial data for banks, to stay at the market and be competitive (Knapp et al., 2006). According to Thycotic, 62% of all cyber-attacks are hitting small- and mid-sized businesses, of which 60% are going out of business six months after such an attack (Thycotic Software Ltd., 2017). 53% of the attacks are causing $500,000 or more (Cisco Systems Inc., 2018) while the average cost of a data breach was $3.86 million (Ponemon Institute LLC, 2018). Not just financial losses are a risk but also legal and reputation repercussions (Tu and Yuan, 2014). Therefore, it is necessary for organizations to keep their information and the underlying technology secure against business-harming attacks.

In the past, information security was purely a technical concern and therefore, technical employees were responsible for information security issues within an organization (Willison and Backhouse, 2006). This perspective fails when it comes to a comprehensive and holistic view and the overall security strategy. Thus, in the past years, there was a shift from the executive technology expert to a management responsibility and a more business-focused view on protecting information (Ashenden, 2008; Ransbotham and Mitra, 2009; Yeh and Chang, 2007). Nowadays, security managers are fully responsible to consider and respond to information security issues (Abu-Musa, 2010; Soomro et al., 2016). Various cases like the "Equifax breach" have shown the consequences for the top management in case of information security disregards. There, over 146 million personal records were stolen because of an unpatched system, which was a technical shortcoming. This caused the company to get rid of their CEO, CIO, and CSO by the "retirement" of them right after the breach (Bernard and Cowley, 2017). The technical personnel was not affected. This goes further in manifesting the management responsibility within laws like the German Stock Corporation Act (§91 Section 2), which also requires an active risk management within companies.

* Corresponding author at: Guerickestr. 25, 80805 Munich, Germany.
E-mail address: [email protected] (R. Diesch).

Because of the shift from a technical to a management perspective, the research focus also changed from studies in a technical context to exploring the management role (Soomro et al., 2016). Managers must be able to take technical threats as well as other factors like human behavior into account to take the right and effective actions to mitigate threats (Coronado et al., 2009).

To provide necessary funds, make good decisions and argue to the business, it is necessary for information security managers to understand the complexity of information security (Willison and Backhouse, 2006) and have a comprehensive view on the topic (Soomro et al., 2016). This comprehensive view with specific factors and their interdependencies as well as the impact on the security status of an organization is still a gap in research (Diesch et al., 2018; Horne et al., 2017; Kraemer et al., 2009; Norman and Yasin, 2013; Soomro et al., 2016). Therefore, this study has the purpose to identify the key factors, evaluate them and explore interdependencies to finally generate a comprehensive model to understand the information security complexity and thus provide good information security management decisions.

https://doi.org/10.1016/j.cose.2020.101747
0167-4048/© 2020 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).

The remaining research article is structured as follows. In Section 2, previous work on management practices and management success factors (MSF) in information security is described and the need for a comprehensive information security model with current shortcomings is shown. In Section 3, the three-step methodology which contains the literature survey, the literature analysis, and the expert interview series is presented. In Section 4, the evaluated MSFs are provided. The MSFs in conjunction with interdependencies are proposed as a comprehensive model in Section 5. In Section 6, a critical discussion of the results and areas for future research are highlighted. A conclusion is given in Section 7.

2. Background and motivation

This chapter is divided into three sections. In Section 2.1, standards and best practices in information security management for practitioners and their shortcomings are described. In Section 2.2, the term MSF and the current state of the art in research regarding this topic are introduced. In Section 2.3 the need for practitioners, as well as the gap in the literature, are highlighted to motivate this research.

2.1. Standards and best practices

Information security management is often built based on international standards or best practices (Hedström et al., 2011). The terms "standard" and "best practice" are often used as synonyms, but "standards" are usually checked by an international standardization organization while "best practices" and other frameworks are published independently.

The most common standard from such an organization is the ISO/IEC 27000-series (ISO/IEC, 2018). This standard is widely accepted, plays an important role and it is possible to certify the organizational information security based on it (Siponen and Willison, 2009). The ISO/IEC 27000-series defines basic requirements in order to implement an information security management system. Also, control guidance, implementation guidance, management measures, and the risk management approach are specified. Special sub-norms are also included in the series, for example, the ISO/IEC 27011 which deals especially with telecommunication organizations.

In addition to the information security management standard, there are frameworks or best practices like the NIST SP800-series (NIST, 2018b), the Standard of Good Practice from the Information Security Forum (ISF) (ISF, 2018) or the COBIT framework (ISACA, 2012). These best practices are used to implement an information security management system (ISMS), define and develop controls and address the most pressing problems regarding information security with an overview for their risk mitigation strategy (Mijnhardt et al., 2016). All in all, security standards provide a common basis for organizations to help reduce risks by developing, implementing and measuring security management (Ernest Chang and Ho, 2006).

Information security management certificates do provide a basic assurance level and show that some security measures are available. But in practice, experts are skeptical about certificates. Experts mentioned that standards do help with compliance but do not always help to reduce risk or improve security (Johnson and Goetz, 2007). Lee et al. (2016) show that a higher security standard does not necessarily lead to a higher security level. The following shortcomings of standards were highlighted in the past literature:

(1) Well-known standards are very generic in scope and tend to be very abstract (Siponen and Willison, 2009). For these standards, concrete countermeasures and combinations of them are missing, which leads to inefficient or even misleading risk mitigation strategies (Fenz et al., 2013).

(2) Standards consist of a huge amount of information. For example, the ISO 27000-series consists of 450 items with 9 focus areas. This complexity and the fact that there are rarely fully implemented standards in place in small- and medium-sized businesses lead to a fallback to ad-hoc implementations. An easy to understand toolkit is missing (Mijnhardt et al., 2016).

(3) The defined controls and countermeasures of the frameworks are often implemented without sufficient consideration of the daily work or their need (Hedström et al., 2011). This is because organizations usually do not consider the relationships between the security concepts (Fenz et al., 2013) and do not check whether a control is really necessary or less critical (Bayuk and Mostashari, 2013; Tu and Yuan, 2014).

(4) Rigorous empirical studies which consider different factors which may affect the decisions and validate the standards and best practices are missing in literature (Diesch et al., 2018; Siponen and Willison, 2009).

(5) There are regional differences in the use and contexts of frameworks. For example, the NIST SP800-series is "developed to address and support the security and privacy needs of U.S. Federal Government information and information systems" (NIST, 2018b) while the current standard in Australia is the ISO/IEC 27000-series (Smith et al., 2010). Therefore the NIST SP800 framework "is individually useful but (outside of the U.S.) do not provide a cohesive and explicit framework to manage information security" (Smith et al., 2010).

2.2. Information security success

Besides standards and best practices which were described before, there are theories and concepts in the literature which help decision-makers in information security. Managers need to know the current information security status of their organizational assets to make decisions. If these are not well protected, they need possible sets of controls with the consideration of the related costs to improve the information security situation (Diesch et al., 2018; Horne et al., 2017; Johnson and Goetz, 2007; Tu and Yuan, 2014; von Solms et al., 1994).

The literature deals with MSFs to describe the state of information security which is needed in practice. The term was used first in 1987 to describe factors which are taken into account as "catalysts to generate new and more effective systems security activities" in the security context (Wood, 1987). After that, the theory of information systems success of DeLone and McLean (1992) deals with different dependent and independent variables, which indicate a successful information systems strategy and can be categorized into dimensions. Recent studies used other terms in the context of information security:

1. "Information systems security management success factors" are factors to show the state of elements which have to be anticipated in preventing information security failure in the e-commerce context (Norman and Yasin, 2013).

2. "Critical success factors" describe factors which influence the successful implementation of an information security management system (Tu and Yuan, 2014).

3. "Critical success factors are described as key areas in the firm that, if they are satisfactory, will assure successful performance for the organization" (Tu et al., 2018).

In this research, management success factors (MSF) are defined as factors to show the state of elements which have to be taken into account in order to make appropriate management decisions in the information security context of an organization. If the security decisions are appropriate, this assures a successful security performance for the organization.

Current literature mostly looks at factors which influence security separately. To highlight just a few studies, they separately deal with organizational factors (Ernest Chang and Ho, 2006; Hall et al., 2011; Kankanhalli et al., 2003; Kraemer et al., 2009; Mijnhardt et al., 2016; Narain Singh et al., 2014), policy compliance issues (Boss et al., 2009; Goel and Chengalur-Smith, 2010; Höne and Eloff, 2002; Ifinedo, 2012; Johnston et al., 2016; Lowry and Moody, 2015a) or human factors (Alavi et al., 2016; AlHogail, 2015; Ashenden, 2008; Gonzalez and Sawicka, 2002; Kraemer et al., 2009). The reason for the separation is that security is managed in a separate manner in different departments, which include information security, risk management, business continuity and operational security (Tashi and Ghernaouti-Hélie, 2008). This shows that various studies are available which do discuss different factors in great detail but do not include an integral view on them. There are just a few attempts to consolidate the body of knowledge in comprehensive MSFs. The information systems success theory explains six factors which are contributing to the systems success (DeLone and McLean, 1992). This view does not include specific security considerations, including the costs and available countermeasures that a manager must consider. The authors self-criticized the proposed theory because of the missing evaluation. The only other success factor model was a model of factors influencing the successful implementation of an information security management system (Norman and Yasin, 2013) and not the security decisions of managers themselves.

2.3. Shortcomings in literature and practice

As Sections 2.1 and 2.2 suggest, there are a few shortcomings in literature for supporting decisions on the security management level. A recent survey of McKinsey & Company with 1125 managers involved in 2017 identified three main problems managers face in order to deal with information security issues (Boehm et al., 2017). These are: the lack of structure within reports with dozens of indicators with inconsistent and too-high levels of detail; the lack of clarity because of reports which are too technical and which a manager typically does not understand; and a lack of consistent real-time data.

The lack of clarity within reports is not just present in practice. Managers do not know all technical details and do not need them because of their teams and experts (Fenz et al., 2013; May, 1997). But they have to establish security and have to improve the security status by using a security dashboard (Dogaheh, 2010). The reports and dashboards have to be tailored to the needs of information security managers (Wilkin and Chenhall, 2010) but there are no standards for the content of such dashboards (Bayuk and Mostashari, 2013). The lack of structure is related to the first problem and is caused by the high diversity and complexity of the information security problem, which causes uncertainty and confusion among top managers (Savola, 2007; 2009; von Solms et al., 1994; Willison and Backhouse, 2006). This results in the fact that managers do not make decisions based on data but on their experience, judgment and their best knowledge (Chai et al., 2011). Therefore, current research asks for a comprehensive approach to information security management (Abu-Musa, 2010; Nazareth and Choi, 2015; Savola, 2007; 2009; 2013; Soomro et al., 2016; Tu and Yuan, 2014) which captures the definition of "factors that have a significant impact on the information security" (Bayuk, 2013; Leon and Saxena, 2010; Ransbotham and Mitra, 2009; Soomro et al., 2016) and the established relationships between these fundamental objectives (Dhillon and Torkzadeh, 2006; Hu et al., 2012; Soomro et al., 2016). This research addresses the described needs with the development of the first theory of interrelated MSFs, which gives a basis for decision-makers to understand the complexity of information security on an abstract level and also could be the basis of multiple future needs also described in literature, like the goal-based security metrics development (Bayuk, 2013; Boss et al., 2009; Diesch et al., 2018; Hayden, 2010; Jafari et al., 2010; Johnson and Goetz, 2007; Pendleton et al., 2017; Savola, 2007; Zalewski et al., 2014).

3. Methodology

To develop a comprehensive model of information security factors for decision-makers, the methodology of this work consists of three steps. Fig. 1 illustrates the steps. The first step is to find relevant literature with the help of a literature search process described in Section 3.1. The second step is to analyze the relevant literature for factors which have an influence on information security decisions. The results are categorized into high-level impact factors which are derived from literature. This step is illustrated in Section 3.2. The third step contains a semi-structured expert interview in order to evaluate the relevance of the impact factors in practice and explore interdependencies between them. The results are evaluated, and the MSFs relevant in practice as well as their interdependencies result in the comprehensive model of MSFs for decision-makers. In Section 3.3 the description of the expert interview methodology is shown.

3.1. Literature search

The search process is performed based on the method of Webster and Watson (2002). The literature search consists of the search scope followed by a keyword search which ends in a forward and backward search. To provide high-quality articles, the scope is set to highly ranked journals within the information security domain and the information systems management domain because of the relation to the management view. Journals of the management domain were selected from the Senior Scholars' Basket of Journals (AIS Members, 2011). The journals of the security domain were selected from the Scimago Journal & Country Rank (SJR) (SJR, 2018) with the condition that they need to be part of the following categories: security, safety, risk or reliability. To not limit the search only to journals, the scope was extended to several databases. These are ScienceDirect, OpacPlus and Google Scholar. OpacPlus is a wrapper of multiple databases including Scopus, Elsevier, Wiley, and ACM Digital Library. The results of Google Scholar were limited to 100 hits because the most relevant articles can be found within the first pages (Silic and Back, 2014). After the scope definition, the following search string was used to find articles: "(it OR information OR cyber) AND (resilience OR security) AND (factors OR kpi OR measures OR metrics OR measurement OR indicator OR management)". Because the management literature is not information security specific, the search string for these journals was adjusted to the first two parts: "(it OR information OR cyber) AND (resilience OR security)". Another adjustment was done by searching just the title and abstract within information security specific sources because of the underlying diverse topic. The selection of relevant articles out of the first keyword search was done based on the title and abstract. The inclusion criterion was that there are factors described or mentioned which are influencing information security decisions. The forward and backward search was applied to all selected articles, while the forward search was based on the "cited by" function of Google Scholar.

Fig. 1. Methodology of theory development.

The literature identification methodology results in 136 articles. The complete search matrix with the applied source, the keyword-search hits and the selected relevant article numbers is shown in Appendix A.

3.2. Literature analysis

The analysis was done based on the "open-axial-selective" approach of Corbin and Strauss (1990), which is a grounded theory approach based on Glaser and Strauss (1967) and was recommended as a rigorous method for analyzing literature (Wolfswinkel et al., 2013). This approach has the advantage that the whole context of an article can be analyzed in order to extract factors. Webster and Watson (2002) also support a literature analysis but with the categorization of a whole article in order to identify gaps in the literature, pointing out the state of the art and explaining past research. To extract specific knowledge and categorize it, coding on the textual level of articles is more appropriate in this case. The coding follows these steps:

(1) Assignment of text segments to a "first-order code". For example, the text segment "those organizations that have had a systems security function for some time should use these assessment methods to validate the results of other methods and to cross-check that they have not overlooked some important vulnerability" (Wood, 1987) was assigned the cluster "vulnerability assessment" as a factor which influences information security.

(2) Combine synonyms and their meanings to a "second-order code".

(3) Categorize the "second-order codes" to clusters based on overlapping meanings (infrastructure overview and asset knowledge), overlapping functions (management support and management standards) or theoretical constructs (confidentiality, integrity, and availability).

3.3. Expert interview

Previous research has been criticized for the missing support of reliability and validity by empirical studies (Siponen and Willison, 2009; Tu and Yuan, 2014). The first goal of the expert interview was to evaluate the factors of the literature and thus generate MSFs which are relevant in practice. The second and main goal is the exploration of interdependencies between MSFs to develop the comprehensive model of MSFs.

There are various ways to design an expert interview. This study is designed as a semi-structured interview (Bortz and Döring, 1995) to combine the advantages of structured and open interviews. The interviewer is able to give room for explanations but also ensures that all answers are given. With these considerations, the expert interview itself consists of three steps, which are the operationalization of the described goals (Section 3.3.1), the selection of experts (Section 3.3.2) and the analysis of the expert interviews (Section 3.3.3).

3.3.1. Operationalization

The interview guide gives the interviewer an orientation, and an analysis is more comparable than without any structure. To develop the survey instrument, the rules of good expert interviews were considered (Bortz and Döring, 1995). The interview began with an open question on the most important factor the interviewee considers for the information security in the organization (Q0). The following areas were discussed with the experts to support the given goals and to control as well as confirm the validity of the factors:

• Evaluation of factors: A discussion about the meaning of each factor from a practical perspective was done in order to evaluate the content of the factors (Q1.1). The practical relevance was tested by asking about the importance of each factor for the information security of the organization (Q1.2).

• Exploration of interdependencies: To explore the interdependencies between the factors and get insights into them, a discussion about the practical usage and how the experts deal with each factor was done (Q2.1). To cross-check the given statements, experts were asked for each factor if the factor has a direct impact on the information security of the organization (Q2.2).

• Control questions: Questions about the absence of not mentioned important factors (Q3.1) and if the experts consider a factor which was discussed to be unimportant (Q3.2) are used to control the completeness of the given factors and further confirm the explored results.

3.3.2. Expert selection

An expert is a person with specific practical or experimental knowledge about a particular problem area or subject area and is able to structure this knowledge in a meaningful and action-guiding way for others (Bogner et al., 2014). The selection of interviewees was derived from this definition. Therefore, an expert should have several years of experience in the field of information security, which points to specific practical knowledge in the field of information security. The expert should have a leading position within the organization, which testifies the ability to the meaningful and action-guiding structuring of the information for others. Also, a leading position supports the underlying comprehensive view which is required for the goal of this research. The selection results in 19 participants. They were mainly chief information security officers (12) and information security officers (4). The others were one chief executive officer, one chief information officer, and a technical delivery manager. All experts had 5 years of experience at minimum, 16 years on average and 30 years at maximum. This shows that the selected interviewees meet the requirements and are suitable for this approach. The participants worked in the following industries at this point in time: finance, automotive, diversified, aircraft, metal and electrical, services, hardware and software, and others. All but one organization had more than 2000 employees. This was the result of the requirements for experts, which mean that the organization has to have at minimum an information security team, which is typically not available in small businesses.

3.3.3. Interview analysis

The interviews were analyzed according to Mayring (2015). The basis for each question was a full transcript of the interview. The process consists of the following steps:

1. Paraphrasing
• Striking out components that do not contribute or have little content.
• Standardize language level.
• Generate grammatical short forms.

2. Generalization
• Generalize paraphrases on an abstract level.
• Generalize predicates in an equal form.
• Generate assumptions in case of doubt.

3. Reduction (can be done multiple times)
• Delete phrases which have the same meaning.
• Combine phrases of similar meaning.
• Select phrases that are very content-bearing.
• Generate assumptions in case of doubt.

To analyze quantitative aspects or interdependencies, Mayring (2015) also suggests two methods, which are called "valence or intensity analysis" (V) and "contingency or interrelation analysis" (I) and are used to analyze the interviews. Both methods contain mainly the same steps:

1. Formulate a question.
2. Determine the material sample.
3. Define the variables (V) / text modules for interrelation (I).
4. Define the scale (V) / rules for interrelation (I).
5. Coding.
6. Analysis.
7. Presentation and interpretation.

4. Management success factors

The prerequisite for a comprehensive model of MSFs are evaluated MSFs which have an influence on information security decisions. In Section 4.1, the results of the literature analysis are shown. These are factors which have an influence on information security decisions from the literature perspective. After that, the factors have to be evaluated and proved for their relevance in practice, which results in evaluated MSFs. These results are shown in Section 4.2.

4.1. Factors derived from the literature

The analysis of 136 relevant articles from the search methodology resulted in 188 first-order codes. A code is a tuple of "factor in literature"-"author". So for each author, the different impact factors were coded. These codes appear in the following situations:

(1) They appear directly within the literature. An example is the following sentence of Atoum et al. (2014): "enrich the framework in other related dimensions such as human resource, organization structures, global governance, regulation regimes, awareness programs and thus provide a more detailed framework". This results directly in the corresponding list of first-order codes. Most of these direct codes appear in enumerations within the introduction or future work sections of the analyzed literature and are not further explained.

(2) The first-order codes are part of a theory. The first-order codes are part of a hypothesis construct with an underlying theory and are tested with quantitative or qualitative studies. An example work is Kankanhalli et al. (2003), which describes the impact of the organizational size, the top management support and the industry type on the information systems security effectiveness. This example results in the corresponding first-order codes.

(3) Indirectly within the articles or because of their focus. These appearances are derived from the overall classification of the articles or from some descriptions within the text which do not directly mention the first-order code, but the meaning was chosen to name it. The article with the title "design and validation of information security culture framework" (AlHogail, 2015) is named "security culture" as a first-order code. Another example for indirect mentions is "those organizations that have had a systems security function for some time should use these assessment methods to validate the results of other methods and to cross-check that they have not overlooked some important vulnerability" (Wood, 1987), which is "vulnerability assessment" as a first-order code.

The aggregation of the 188 first-order codes results in 44 second-order codes. The following aggregation criteria were identified:

(1) Articles often describe that the codes have the same meaning. An example is given by Jafari et al. (2010), which described "Safeguards: Protective measures prescribed to meet the security requirements [...], synonymous with countermeasures". This in conjunction with "improving the overall information security state by selecting the best security countermeasures (controls) to protect their information assets" (Yulianto et al., 2016) makes safeguards, countermeasures, and controls a second-order code.

(2) Certain first-order codes are part of or included in other first-order codes, which results in a second-order code. Examples in literature are "Value delivery (i.e. cost optimization and proving the value of information security)" (Yaokumah, 2014), "aside from the personnel measures which focus on human behavior" (Sowa and Gabriel, 2009) or "threats, which form part of such risk" (Willison and Backhouse, 2006). This indicates that threats are part of risks.

(3) First-order codes are aggregated in order of their underlying object. An example is "organizational size", "industry type" and "organizational structure", which are all features of an organization and thus are aggregated to the second-order code "organizational factors".

The aggregation of the second-order codes to clusters and thus the overall factors influencing security decisions is based on common theories in literature. An example is the theory of the protection goals of information security, which is supported by various authors: "with a goal to compromise Confidentiality, Integrity, and Availability (CIA)" or "it also coincides with the Confidentiality-Integrity-Availability (CIA) framework" (Goldstein et al., 2011) or "one view, which gained especially wide popularity, is called C-I-A triad" (Zalewski et al., 2014). This theory results in the consolidation of protection goals in the factor "CIA".

The result of the literature analysis is 12 factors influencing security decisions, namely: "Vulnerability", "Compliance & Policy", "Risk", "Physical security", "Continuity", "Infrastructure", "CIA", "Security management", "Awareness", "Resources", "Access control" and "Organizational factors". The detailed codes and the aggregation steps are available in Appendix B.

The literature analysis confirms the assertions made in Section 2.3, which say that various individual factors are mentioned, enumerated or examined. However, up to now, there has been no comprehensive view on them, a discussion of the practical relevance is missing and the interdependencies of the factors among each other are not described. The result of this chapter gives an abstract view of current factors in literature influencing information security decisions.

4.2. Evaluation of factors

The explored factors of the last Section 4.1 are the basis for the following evaluation and therefore for transforming these factors to MSFs for information security decision-makers. In Section 4.2.1 the practical view of experts on the factors is compared to the literature view, which is derived out of the literature analysis in Section 4.1. In addition, challenges of practitioners are reported for each factor. The result of the relevance validation is presented in Section 4.2.2. Section 4.2.3 contains the result of the control questions and thus confirms the validity and relevance of the explored factors.

4.2.1. Content validation of MSFs

The relevance of the factors in practice and their validity makes them MSFs. The general context analysis (Section 3.3) was used to determine the practical usage and meaning of the different factors out of the literature. To analyze them, the scope was set to the whole interview transcripts, while the main answers are given by the guiding question Q1.1 of the interview guide. Because of the methodology design of a semi-structured interview, the challenges and problems of each factor in practice are a side-result and also reported here. The following itemization shows each MSF with a description of the literature view, a consolidated practical view and the challenges practitioners face regarding each MSF. The literature view is a consolidation of definitions and opinions out of the literature analysis (Section 3.3.3). The practical view and the descriptions of the challenges are a consolidation of the main opinion of all 19 experts.

Vulnerability

1. Literature: The definition of a vulnerability in the literature is generally a “weakness of an asset or control that can be exploited by one or more threats” (ISO/IEC, 2018). This definition is very generic and covers technical as well as non-technical weaknesses. NIST gives a more detailed definition as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source” (NIST, 2018a). Common usage of the term in the analyzed literature is that vulnerabilities are technical in nature. More specifically, “a vulnerability is a software defect or weakness in the security system which might be exploited by a malicious user causing loss or harm” (Joh and Malaiya, 2011).

2. Practice: Vulnerabilities from the management perspective are always technical in nature. Specifically, known vulnerabilities within systems and software are meant. The common understanding of the experts was that vulnerability is a topic of patch management and a problem of unpatched systems. All organizations have patch management in place and try to minimize the vulnerabilities in their infrastructure. They are assessed with vulnerability scanners, penetration tests, automatic scans, audits and the definition of toxic software which is detected on systems. Patching and the elimination of vulnerabilities are done based on the results of these assessment methods.

3. Challenges: One problem is that the vulnerabilities have to be known first. Not only the knowledge of the vulnerabilities is a problem; knowing the assets and the whole infrastructure of an organization is also a challenge in practice. Only if an organization knows all its assets and infrastructure is it possible to determine whether there are known vulnerabilities or not.

Infrastructure

1. Literature: Infrastructure has different aspects. Components are technical systems which themselves try to protect the underlying assets or exist to identify attacks. Examples are firewalls, intrusion detection systems, information visibility, compromise detection, defense modeling, and other solutions. A second important concern is the prevention of attacks without any known vulnerabilities. This includes architectural decisions to segment the network, limit open access points or external connections, harden the systems, encrypt the communication or clean up configuration issues. Since these are not specific vulnerabilities but are considered weaknesses, this topic is a stand-alone factor.

2. Practice: Some of the experts see this factor as a vulnerability topic, but most of them associate more than that with the infrastructure factor. It is about knowing all systems and software as well as the connections between them, and whether they are secured or not. It is also about the “hardening” of all available systems, making threat models and securing the infrastructure in each network layer. To accomplish that, the experts use hardening guidelines, secure deployment, installation routines, design reviews and configuration management databases.

3. Challenges: Problems are the complexity of the activity, the difficulty of checking the correct implementation of the hardening guidelines, and the above-mentioned difficulty of knowing all available systems and their connections.

Compliance & Policy

1. Literature: Security policies are an “aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information” (NIST, 2013). All activities concerning compliance and policies, like policy deployment, policy effectiveness, legal compliance, and regulatory requirements, are subsumed in this factor. The literature also describes multiple characteristics of good and bad policies and controls which have an influence on the information security of organizations.

2. Practice: This factor means the implementation of requirements given from external and internal sources. These include laws, policies from the management and requirements from standards in order to obtain certificates. Practitioners use frameworks to implement them and audits as well as self-assessments to check them. These frameworks and policies help organizations which do not have the common knowledge to consider all aspects of security.

3. Challenges: 100% compliance does not mean 100% secure. This factor alone does not help in terms of security, but without it, it is not possible to conduct audits or push measures through.

Security management

1. Literature: This factor subsumes all process activities within the information security management system and operational tasks like change management, incident management, process effectiveness measurement and the implementation of security standards. All aspects of the Plan-Do-Check-Act approach of ISO/IEC 27000 (ISO/IEC, 2018) are part of the security management factor. The other part consists of strategic topics like goal definition, top management support, governance, and strategic alignment, as well as the documentation of these activities. Also, an important aspect in the literature is the communication with employees and the top management. ISO/IEC 27000 defines security management as a “systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives” (ISO/IEC, 2018). This definition shows that the monitoring part is also established within this factor. There are different methods and processes described to continuously improve the information security of an organization. This covers the implementation of metrics and the topic of compromise detection.

2. Practice: There are two management approaches in place: the risk-based and the control-based approach. There are various processes in place to support the two different approaches. The experts control their management processes with audits and by using the Plan-Do-Check-Act framework from ISO/IEC 27000 (ISO/IEC, 2018). The next important aspect for the interviewees was the business (top) management support and their understanding of the risks the organization is facing.

3. Challenges: A problem is the missing knowledge of the concepts behind the security processes and also the lack of knowledge of available actions for improvements. Without this knowledge, the security management does not have an impact on the security of an organization.

Awareness

1. Literature: The definition of awareness in the literature is being aware of security concerns (NIST, 2013). Awareness in academic literature is discussed under different subjects. Included in this factor are behavioral topics like employee behavior, user activities and user interaction, but also user reaction, user errors, and faults. All parts depending on knowledge, like skills, education, training, and competence, are also included in the awareness factor. Awareness in the literature is not just about people's behavior but also their personal needs, privacy issues, trust concerns, cultural thoughts and the social environment.

2. Practice: All topics that concern people and cannot be treated with technology are subsumed by awareness. The typical understanding is the employee as a vulnerability, with human errors, human behavior or insufficient knowledge. A typical countermeasure is web-based and conventional training. Practitioners test their employees with their own phishing campaigns or check click rates on their proxy servers. Cultural and privacy concerns are not often taken into consideration.

3. Challenges: The challenge in practice is that awareness activities are very resource-heavy and the effects are not that large. Countermeasures often do not lead to measurable effects; they lead to annoyed employees and therefore, employees more often fail the same tests.

Risk

1. Literature: The risk factor is discussed as an overall risk management concern, with possible threats, the likelihood of their occurrence and the possible impact on the organization. The literature mostly discusses the risk management process and the possible handling of present risks, like prevention, tolerance, exposure, prediction, and perception. A comprehensive definition is given by NIST SP800-37: “A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence” (NIST, 2018a).

2. Practice: Experts use the same definition and understanding of risk as in the literature. A risk is a severity and a likelihood combined with an issue. Information security is applied risk management, because it is used to prioritize and define countermeasures. Therefore, all of the experts have risk management in place, based on certain standards like ISO/IEC 27000 or NIST.

3. Challenges: Not all risks can be mitigated, because of missing resources or other restrictions. Some managers also have problems defining risks in a way that is understandable for technical employees or even for the top management. Also, the availability of the underlying data is a challenge in practice. An example of this is the consolidated view of possible threats. There are various technical solutions, like threat intelligence platforms, available on the market which help to consolidate these data. The problem comes with the combination of the different factors to define the risk. A possible threat alone is not important for information security management. The challenge is to analyze the underlying assets and their vulnerabilities and check whether the threat can exploit one of these. After this combination, the risk can be defined and is useful for an information security manager.

Access control

1. Literature: Access control is not mentioned as a part of countermeasures. This topic is so important that it often emerges as an independent and important factor for security. Access control contains account management, software access control as well as access rights. It means “to ensure that access to assets is authorized and restricted based on business and security requirements” (ISO/IEC, 2018).

2. Practice: Access control is the management and regulation of access to systems, applications, data, and infrastructure. It is not just about the access itself but also key management, role administration, classification of data and the management of the identities within organizations. Therefore, the experts have procedures per application and try to implement the common principles like the need-to-know or the least-privilege principle. They check the available accesses, have identity and access management in place and use tools to monitor them.

3. Challenges: Challenges occur in the case of on-boarding, off-boarding and department changes, as well as the increasingly open culture of organizations with “bring your own device” and “cloud infrastructure”. Not just the open culture but also technologies and trends like the “internet of things” and “mobile devices” are increasingly a problem for this factor, because each of these devices also has an identity. This increases the complexity of managing access control and has to be considered when choosing such technologies.

CIA

1. Literature: This factor is based on the overall theoretical construct of the protection goals of information security. Therefore, the codings confidentiality, integrity and availability, as well as underlying goals like non-repudiation, are subsumed in this factor. Articles about security metrics and security success are mostly based on this factor, and it plays a huge role in the security discussion.

2. Practice: In practice, this factor is a theoretical construct with the same definition as in the literature. It is used to communicate with the business management, to classify the need for protection, or is not used in practice at all.

3. Challenges: The problem in practice is that these classes cannot be uniquely assigned to countermeasures. Many experts consider this factor an academic construct, which is outdated and not really practicable.

Organizational factors

1. Literature: The organizational factor itself means the properties of an organization which have an influence on the security of this organization. There are multiple authors who mention the influence of several factors like the organizational size, the industry type or the internal and external structure of the organization.

2. Practice: This factor has the same meaning in practice as in the literature. Most of the experts are not dealing with it, because from their perspective there is no possibility to change the characteristics of the organization. But it is considered in other factors like risk or in the consideration of implementing countermeasures. Practitioners say that it might influence the possibilities of an organization.

3. Challenges: A challenge is that some attack surfaces are not influenced by any type of characteristic an organization could have. A good example of this is ransomware, which does not even look at the victim it attacks.

Physical security

1. Literature: This factor has an influence in reducing the opportunity to access assets physically, in the form of physical entry controls, the protection of the environment, building security with fences or other countermeasures, travel security and all activities around this. The literature does not mention this factor very often but considers it really important for organizations and their management.

2. Practice: Physical security is the physical protection of buildings, offices, servers, and hardware. It also contains the protection of the environment, persons and travel, and protection against environmental disasters. Interviewees work together with other departments dealing with this factor. It is mainly not part of the security department of an organization.

3. Challenges: The topic is getting less important in times of a changing environment with mobile offices, roaming users, home offices and cloud computing. This change brings other challenges with it.

Continuity

1. Literature: Continuity is split into business continuity and IT continuity. In the case of cyber security, the term “refers to the ability to continuously deliver the intended outcome despite adverse cyber events” (Björck et al., 2015). Business continuity is on a more abstract level than cyber or IT continuity and is defined as a “predetermined set of instructions or procedures that describe how an organization’s mission-essential functions will be sustained [...] before returning to normal operations” (NIST, 2013). Resilience is not often represented in the literature and has already been identified as a research gap (Diesch et al., 2018).

2. Practice: This factor is understood as the goal of the business as well as a partial goal of information security. Important are a continuous IT and a disaster and recovery plan which should be tested from time to time. There are opposing opinions in relation to business continuity management (BCM). Some experts say that requirements come from the BCM to the information security management, and others say that they are submitted to the BCM.

3. Challenges: A challenge is finding a common understanding and effective communication between BCM and IT continuity.

Resources

1. Literature: Resources are not just money but also the availability of skilled and well-educated employees. More generally, resources are “information and related resources, such as personnel, equipment, funds, and information technology” (NIST, 2013). The literature describes this factor as a limitation and mostly in a negative way. The perspective given is that if you do not have enough resources, the organization is not able to implement security, which has a negative influence. A second part is the cost-effectiveness of countermeasures and the return on security investment (ROSI).

2. Practice: In practice, this factor is mostly tied to the budget, which has to be given by the business management. A small part is also the number of employees with good knowledge and an appropriate education. Therefore, experts have budget processes and recruitment campaigns in place. Cost-effectiveness and ROSI are not mentioned by the practitioners.

3. Challenges: Problems often arise when buying expensive tools and equipment in the security field and arguing for their added value. There is often a tension between business management and security management.

Table 1

Importance of MSFs for the information security of organizations (number of experts).

MSF                    not imp   rather not imp   rather imp   imp
Vulnerability          0         0                7            12
Resources              0         0                7            12
Awareness              1         0                6            12
Access Control         0         1                8            10
Physical Security      1         0                11           7
Infrastructure         0         1                12           6
Risk                   0         1                12           6
Continuity             1         1                13           4
Security Management    3         1                8            7
Organizational         3         4                11           1
CIA Triad              7         1                8            3
Compliance & Policy    6         3                7            3

Partial aspects of individual factors are not covered by the literature or are not considered in practice. However, the contents and the understanding of the factors from the literature analysis agree with those of the experts. The challenges are not supported by all of the experts, because this was no explicit question. Thus, they were only included if there were more than 2 mentions of the same challenge. The challenges further indicate that a comprehensive model of them could help to improve the understanding of information security within organizations and also to help improve specific factors.

4.2.2. Relevance validation of MSFs

The “valence or intensity analysis” (Section 3.3) was used not just to validate the factors concerning their content but also to determine their relevance in practice to the information security of an organization. Therefore, the scope of the analysis was also set to the whole interview transcripts, but the main question supporting this validation is Q1.2. A 4-point Likert scale which indicates the importance of the factor for the information security of the organization is used. The coding of the scale ranges from not important (not imp) to important (imp). Table 1 shows a sorted view of the result. The sorting is based on the sum of the codings for “not important” and “rather not important” in conjunction with the sum of the codings “rather important” and “important”, descending by the importance of the MSFs.
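As an added example, not part of the paper, the following Python reproduces the ordering rule stated above from the Table 1 counts: MSFs are ranked by how many of the 19 experts coded them “not important” or “rather not important” (fewer ranks higher), with MSFs that tie on every count forming one tier. The tie-break on the number of “important” codings is an assumption of this example; the text does not name one.

```python
from itertools import groupby

# Table 1 of the paper: number of experts (out of 19) per Likert coding,
# given in the order (not imp, rather not imp, rather imp, imp).
TABLE_1 = {
    "Vulnerability": (0, 0, 7, 12),
    "Resources": (0, 0, 7, 12),
    "Awareness": (1, 0, 6, 12),
    "Access Control": (0, 1, 8, 10),
    "Physical Security": (1, 0, 11, 7),
    "Infrastructure": (0, 1, 12, 6),
    "Risk": (0, 1, 12, 6),
    "Continuity": (1, 1, 13, 4),
    "Security Management": (3, 1, 8, 7),
    "Organizational": (3, 4, 11, 1),
    "CIA Triad": (7, 1, 8, 3),
    "Compliance & Policy": (6, 3, 7, 3),
}
EXPERTS = 19


def check_rows(table=TABLE_1, n=EXPERTS):
    """Return the MSFs whose codings do not add up to the number of
    interviewed experts (a consistency check on the transcribed table)."""
    return [name for name, row in table.items() if sum(row) != n]


def sort_key(row):
    """Ordering rule of Section 4.2.2: fewer 'not imp' + 'rather not imp'
    codings rank higher. Breaking ties on the count of 'imp' codings is an
    assumption of this example, not something the paper states."""
    not_imp, rather_not_imp, _rather_imp, imp = row
    return (not_imp + rather_not_imp, -imp)


def rank_tiers(table=TABLE_1):
    """Return the MSFs as tiers (lists) of equal rank, most important first.
    MSFs that tie on the full key share one tier instead of an arbitrary order."""
    ordered = sorted(table.items(), key=lambda kv: sort_key(kv[1]))
    return [[name for name, _ in group]
            for _, group in groupby(ordered, key=lambda kv: sort_key(kv[1]))]


def share_important(table=TABLE_1, n=EXPERTS):
    """Fraction of experts coding an MSF 'rather imp' or 'imp'; an assumed
    per-MSF summary for a report, not a figure from the paper."""
    return {name: (row[2] + row[3]) / n for name, row in table.items()}


if __name__ == "__main__":
    assert not check_rows(), "table rows do not account for all 19 experts"
    for position, tier in enumerate(rank_tiers(), start=1):
        print(position, ", ".join(tier))
```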

This result supports that all factors are relevant in practice. The last three factors are “Organizational factors”, “CIA” and “Compliance & Policy”. For all of them, the experts have an explanation why they are less important than the other factors. “Compliance & Policy” is not important for the information security of the organization itself but is necessary to comply with the law, to enforce countermeasures and to align the top management of the organization. The “CIA” factor is a goal factor and is useful to communicate and explain different risks or attacks and their impacts. “Organizational factors” are less important because there are cases in which these factors are important, but there are also attack scenarios in which this factor is not important. The management has to consider all the factors in order to make good decisions. The proposed factors are valid in their context as well as relevant in practice for decision-makers and thus are now called management success factors (MSFs).

[Figure: nodes Information security, CIA, Continuity, Vulnerability, Infrastructure, Awareness, Access control, Physical security, Countermeasure, Risk, Security management, Compliance & Policy, Organizational factors, Resources; edge labels goal, direct impact, improve, define and implement, considered in, part of, influence, prioritize, define, enforce.]

Fig. 2. A comprehensive model of MSFs for information security decision-makers.

4.2.3. Control questions

The main control questions Q3.1 and Q3.2 are used to ask for factors which are important to make decisions and are not present in the interview guide, as well as for the most unimportant factor. Most experts (12) do not have a factor which is really unimportant. The only factors mentioned were “Compliance & Policy” as well as “CIA”, which agrees with the ranking of the previous result. The question of missing factors results in a similar situation as before. 10 experts do not mention missing factors. The other factors which are named as missing are “management support”, “external interfaces”, “threat landscape” and “strategy”, which are part of the coding and thus included in the aggregation of the literature analysis.

5. A comprehensive model of MSFs

The purpose of this research was the development of a comprehensive model of MSFs for information security decision-makers. This result section combines the previous results, with evaluated and relevant MSFs, and adds interdependencies between them. The interdependencies were explored with the help of the “contingency or interrelation analysis” method (Section 3.3). The scope is the whole interview, which was analyzed. The following text modules are examples used to identify interrelations:

• ... have a direct impact on ...

• ... is a basis to ...

• ... is essential for ...

• ... is the goal from ...

• ... is considered in ...

Fig. 2 shows all MSFs with their interrelations based on the expert interviews. Solid ovals represent the MSFs. Dotted ovals represent concepts necessary to explain certain interdependencies. In this case, “Information security” represents the information security status of an organization. The statement behind this is that certain factors have a direct impact on the information security status of the organization. The dotted oval “Countermeasures” is a part of the factor “Security management” but has important interdependencies which were explained by the experts. Thus, the security management itself does not have a huge impact on other factors, but it defines and implements countermeasures which do have an influence on the MSFs given in the figure. Rectangles within the figure cluster multiple MSFs with the same interdependency to other MSFs. The dotted line within the rectangles indicates that all MSFs to the left of this line are not the primary part of the information security department of an organization. They belong to other departments, like corporate security in the case of “Physical security” and business continuity in the case of “Continuity”. However, the collaboration between the departments is very close and the MSFs must certainly be considered in information security as well.

Key security indicators. The term key security indicator is not present in the literature but is mentioned by practitioners. Key security indicators are MSFs which have a direct impact on the security status of the organization. Therefore, the rectangle which includes the MSFs “Physical security”, “Vulnerability”, “Access control”, “Awareness” and “Infrastructure” contains the key security indicators. Because of the direct connection to the information security concept, these factors are considered indicators of the actual information security status of an organization. Security management has to implement countermeasures to actively improve these factors. These are the most important factors because of their direct impact.

Security goals. The MSFs “Continuity” and “CIA” are the protection goals of information security. This cluster is considered in the “Risk” MSF through data classification, as well as a communication instrument which describes the impact of certain risks to top managers or technical employees. Disasters and continuity thoughts are also considered as risks which are the basis for recovery plans. The security goals are considered the least important part of the MSF model by the experts (Section 4.2.2), because they do not actively improve the security status and just help by prioritizing risks and communicating them to the business management.

Risk. The MSF “Risk” has the most interrelations and is the basic input for “Security management”. It uses the security goals as described before. A prerequisite and a part of risks are the key security indicators. They show the current information security status, from which weaknesses are derived. This, in combination with possible threats, the impact on the organization, and the likelihood of occurrence, is a risk. Risks influence the “Security management” and are a basis to prioritize and define “Countermeasures”. The management mostly uses standards and best practices like ISO/IEC 27000 (ISO/IEC, 2018), NIST SP800-30 (NIST, 2015), NIST SP800-37 (NIST, 2018a) or others to deal with risks and derive countermeasures in a structured way.

Security management. The cluster with “Organizational factors” as well as “Resources” contains MSFs which cannot be directly influenced by the experts. They are either given, in the case of “Organizational factors”, or set by the business management, in the case of “Resources”. They are considered in the “Security management” in conjunction with the “Risk” MSF, which are the basis to develop and implement countermeasures which should improve the key security indicators. “Compliance & Policy” are aids which help to enforce countermeasures with employees and are necessary to comply with laws. “Compliance & Policy” is split into external and internal rules, which causes the interdependency in both directions to and from the “Security management” MSF. “Security management” defines rules, and external rules influence the “Security management”. These rules are considered the least important by the experts (Section 4.2.2) because they do not actively improve the security situation but are helpful to enforce countermeasures and help to deal with the topic.

6. Discussion and future research

The results of this research propose a comprehensive model of MSFs, with their interdependencies, for information security decision-makers. The MSFs were proposed based on the literature and evaluated by experts from practice. These interviews also support interdependencies between the MSFs. The combination of these results is the development of the comprehensive model of MSFs.

Practitioners, as well as the literature, stated the need for a comprehensive view of the information security of organizations. The proposed model supports an abstract and comprehensive view of the complex topic of information security from the management perspective. The different MSFs are not explained in great detail, but the interdependencies between them and the overall decision-making process are present in this research. The model gives a basis to decision-makers within information security management and helps to decide whether certain countermeasures are necessary or even useful. It is not just a basis for security managers but also for the business management as well as technical employees. With the help of this model, they are able to understand the difficulties and retrace certain decisions better. A better understanding also leads to better alignment and awareness.

The results are related to several other studies. Past literature provides a thorough explanation and study of different factors in detail and states their importance. Studies also deal with models of different factors, like awareness and its components. This research provides a comprehensive overview of high-level factors (MSFs) and a validation of them, as well as a discussion of the relevance of these factors, which has been criticized as missing in past articles. The research adds value to the research community by exploring interdependencies between the evaluated MSFs and proposing a comprehensive model from the perspective of information security decision-makers. Best practices and standards are very generic and mostly describe processes. But a complete implementation does not necessarily lead to better security, and the standards have been criticized, also by the experts in the interviews, as being just frameworks for being compliant. The interdependencies of the comprehensive model in this research help to decide which countermeasures are appropriate and which are not necessary. The standards and best practices give action proposals for improvements of the MSFs and thus complement this research with the next step after the decision has been made.

Current standards and best practices, for example the ISO/IEC 27000 series, the NIST SP800 series or the ISF, are important to structure the processes of improving the information security of an organization. These documents either describe processes based on a risk management approach to implement countermeasures or define controls which have to be implemented to comply with the standard. Most experts in the interviews said that they combine two or more of them and use the concepts they need or which are appropriate for them to improve the information security status of the organization. The proposed model in this research contributes to these standards by improving the overall understanding of the interdependencies between the concepts described in the standards. Also, the model is a possibility to report the information security status based on the MSFs. Such reporting is missing in the current standards and best practices as well as in research articles. A reporting standard, or suggestions for one, is a need all of the interviewed experts have. Experts also struggle to report the information security decisions and status to the business management in an abstract and understandable way. The current solution of the interviewed experts is that they develop their own reporting standard. These reports do not contain aspects which can be compared with other businesses or even business units. The results of this research support these needs and can be used as a basis for such a reporting standard. Experts are also looking for dedicated technical solutions like threat intelligence platforms, security incident management systems and information on indicators of compromise, to mention just three. These technologies help to consolidate various information and present it to the management. Each technology is useful for a specific area. This research can help to argue for the implementation of specific technologies, to illustrate their role in the overall security context and to identify gaps within the security landscape of an organization in which technologies could help.


The result can also be interpreted from the perspective of the information security status of an organization. From this perspective, the model indicates that the key security indicators are important to improve the information security status of the organization. With this interpretation in mind, small and medium-sized businesses with fewer resources and less competence could implement light-weight countermeasures which focus on the key security indicators. It could be a quick win for decisions in those organizations to focus on the key security indicators. This does not mean that the standards and best practices, or even the other factors of the model, should be ignored by small and medium-sized businesses. To continuously improve and monitor the information security status in a structured way, the processes and concepts of these standards have to be implemented and used. The proposed model can help these businesses and their management, with less expertise in the field of security, to understand the interdependencies between relevant concepts, to understand which factors are influential, and also which factors a manager has to consider when making decisions, that is, which factors have to be kept in mind to make well-informed decisions.

This study uses a mixed-method approach with a literature analysis followed by semi-structured interviews to generate the results. Although a rigorous methodology was used, the study has several limitations. Despite the validation and the discussion with experts, a bias in the interpretation of the texts and the creation of the codes cannot be excluded. The surveyed experts are mainly active in large organizations. Some of them were previously employed in smaller businesses, but the inclusion of opinions from managers of smaller organizations could change the outcomes and the importance of individual factors.

The results give many opportunities for future research. The proposed model is based on interdependencies which were explored by a qualitative study. The interdependencies should be further tested with quantitative approaches to ensure their validity. Certain MSFs were clustered into rectangles. There could be interdependencies between the contained MSFs on deeper levels which were not explored in this study. Also, a deeper look within the individual proposed MSFs would be a possibility for future research. Open questions from past literature could be solved with a more focused approach based on these results. Leon and Saxena (2010) identified a gap in the security metrics approach, which was not goal-focused in the past, and suggested the development of a goal list which could improve further security metrics development. This comprehensive model and its MSFs could be considered as a list of security goals from the management perspective and thus can be the basis of such research. Also, past metric approaches are mainly based on the individual security processes and thus are not appropriate for cross-organizational comparisons (Bayuk, 2013). A metrics approach based on a comprehensive model could be suitable for this. Also, the interview partners requested a dashboard and reporting standard for key security indicators, which is not present in standards, best practices or research articles. To reduce the shortcomings, a future study is possible which includes small and medium-sized businesses and integrates them in the proposed model.

Information security managers should consider all the explored MSFs when taking decisions. Countermeasures and processes should not only be adopted because of their appearance in standards and best practices, but they should be appropriate in the given situation. A common practice is also the fallback to risk acceptance (Bayuk, 2013), which does not improve the security status at all but is very easy to implement. The results of this study facilitate the understanding of the complex topic of information security and enable more people to make appropriate decisions and take the right actions within their current situation.

7. Conclusion

This research suggests a comprehensive model of management success factors (MSFs) for information security decision-makers. For this purpose, a literature analysis of 136 articles with an open-axial-selective approach is used to identify factors which have an influence on the information security decisions of managers. A validation of these factors, as well as the check of their relevance, was supported by conducting an interview series with 19 experts from practice. This results in 12 MSFs. To finally develop the comprehensive model, the interviews are the basis for exploring interdependencies between the MSFs.

This research suggests that “Physical security”, “Vulnerability”, “Access control”, “Infrastructure” and “Awareness” are key security indicators which have a direct impact on the information security status of an organization. The “Security management” has to consider “Risks”, “Organizational factors” and available “Resources” in order to generate countermeasures, which have an influence on the key security indicators. “Compliance & Policy” is an aid to enforce countermeasures and to be compliant with laws. The well-discussed MSF “Risk” considers the security goals “CIA” and “Continuity” and also uses key security indicators to determine a risk level, which is used to prioritize countermeasures.

This research offers a high-level view of the complex topic of information security decision-making from the perspective of security management experts. The comprehensive model of MSFs helps them and other employees as well as the business management to better understand the security needs and certain decisions in this context and thus improve their awareness. Future development of goal-oriented metrics and methods to quantify the status of information security, as well as methods to aggregate them based on the key security indicators, is not just interesting for research but is also asked for by practitioners.

Declaration of Competing Interests

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Appendix A

Table 2
Literature search matrix.

Resource                                              Hits   Relevant
MIS Quarterly                                            7          1
European Journal of Information Systems                 20          3
Information Systems Journal                             27          4
Information Systems Research                            22          5
Journal of AIS                                          11          5
Journal of Information Technology                       25          0
Journal of Management Information Systems                1          0
Journal of Strategic Information Systems                14          5
Journal of Management Information Systems               26          2
Decision Sciences                                       18          2
Information & Management                                53          5
Information and Computer Security                       99         10
IEEE Trans. on Dependable & Secure Computing             8          1
IEEE Trans. on Information Forensics and Security        7          0
Computers & Security                                    84         15
Google Scholar                                         100         11
ScienceDirect                                           41          6
OpacPlus                                               110         19
Backward                                                           10
Forward                                                            32
SUM                                                    673        136
