Security management is now acknowledged as a key constituent of Information Systems (IS) management. IS security management traditionally relies on the formation and application of security policies. Most of the research in this field address issues regarding the structure and content of security policies; whereas the context within which security policies are conceived and developed remains ra...

The idea of risk permeates the information security field. We use terms like ‘‘risk management’’, ‘‘risk assessment’’, ‘‘risk model’’ and ‘‘risk analysis’’ every day, and those topics are themselves the subject of countless papers and articles in security journals and magazines. But has the concept of risk become so ingrained within our profession that we have become over confident about how mu...

Most information security algorithms cannot achieve perfect security without incurring severe operational costs such as false alarms, network congestion, capital investment etc. Operating or designing an algorithm with perfect security is therefore not an economically rational alternative and thus the question arises of how to find the appropriate tradeoff between security and its costs. Althou...

With the wide-spreading use of e-transactions in enterprises, information security risk management (ISRM) is becoming essential for establishing a safe environment for their activities. This paper is concerned with introducing a new and comprehensive ISRM framework that enables the effective establishment of the target safe environment. The framework has two structural dimensions; and two proce...

Information security is a naturally intrusive topic that has not been researched to its full extent in IS. Taking note of a previous information security study that failed and lessons learned from it, we successfully carry out a study of our own with some modifications. In this paper we detail the method used, which we hope will prove beneficial for academic researchers.

The enforcement of information security policy is an important issue in organisations. Previous studies approach policy enforcement using deterrence theory to deal with information security violations and focus on end-users’ awareness. This study investigates deterrence strategy within organisations from the perspective of information security managers. The results primarily reveal that current...

The purpose of this empirical study is to evaluate the extent to which information security governance domain practices: strategic alignment, value delivery, resource management, risk management, and performance measurement relate to information security governance effectiveness. Random sampling technique was employed and data were collected via web survey from Ghanaian organizations. Employing...

This paper proposes a model that will incorporate all the different non-technical (human) aspects that are required ininformation security. The proposed model consists of three dimensions that are illustrated in a multidimensional matrix.The three dimensions of this matrix include information security components, people and documentation. The matrix willbe used as a basis for creati...