Information security management objectives and practices: a parsimonious framework

Purpose – As part of their continuing efforts to establish effective information security management (ISM) practices, information security researchers and practitioners have proposed and developed many different information security standards and guidelines. Building on these previous efforts, the purpose of this study is to put forth a framework for ISM. Design/methodology/approach – This framework is derived from the development of an a priori set of objectives and practices as suggested by literature, standards, and reports found in academia and practice; the refinement of these objectives and practices based on survey data obtained from 354 certified information security professionals; and the examination of interrelationships between the objectives and practices. Findings – The empirical analysis suggests: four factors (information integrity, confidentiality, accountability, and availability) serve as critical information security objectives; most of the security areas and items covered under ISO 17799 are valid with one new area – “external” or “inter-organizational information security”; and for moderately information-sensitive organizations, “confidentiality” has the highest correlation with ISM practices; for highly information-sensitive organizations, “confidentiality”, “accountability”, and “integrity” are the major ISM objectives. The most important contributor to information security objectives is “access control”. Research limitations/implications – This study contributes to the domain of information security research by developing a parsimonious set of security objectives and practices grounded in the findings of previous works in academia and practical literature. Practical implications – These findings provide insights for business managers and information security professionals attempting to implement ISM programs within their respective organizational settings. Originality/value – This paper fulfills a need in the information security community for a parsimonious set of objectives and practices based on the many guidelines and standards available in both academia and practice.