Virginia Commonwealth University
VCU Scholars Compass
Theses and Dissertations, Graduate School, 2008

DEFINING VALUE BASED INFORMATION SECURITY GOVERNANCE OBJECTIVES
Sushma Mishra, Virginia Commonwealth University
Part of the Management Information Systems Commons
© The Author

Recommended Citation
Mishra, Sushma, "DEFINING VALUE BASED INFORMATION SECURITY GOVERNANCE OBJECTIVES" (2008). VCU Theses and Dissertations. Paper 1755.

© Sushma Mishra, 2009
All Rights Reserved

DEFINING VALUE BASED INFORMATION SECURITY GOVERNANCE OBJECTIVES

A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy at Virginia Commonwealth University.

by SUSHMA MISHRA
Post Graduate Diploma in Business Administration (MBA equivalent), International Management Institute, New Delhi, India, 1999
Bachelor of Science (Physics, Honors), University of Calcutta, India, 1995

Director: Dr. Gurpreet Dhillon, Professor, Information Systems
Virginia Commonwealth University
Richmond, Virginia
May 2009

Acknowledgements

I begin with thanking my family for their patience in bearing with the rigorous demands of this profession. I most deeply want to thank my husband, Amit Pandey, for his unwavering faith and unconditional support to make this undertaking worthwhile. His unbounded enthusiasm, energy and passion have always inspired me to dream the impossible. Amit is my strength and a true companion in every sense. I also acknowledge my son, Arjuna Dev, whose birth gave me a fresh perspective towards life. I hope when he grows up and reads this, he will be proud of his mom.

I appreciate the continued support from my mother-in-law and father-in-law during the writing of this dissertation, and thanks to Anurag Pandey for always being there whenever I needed his help. I want to thank Dr. Satish Tripathi, a father figure in our lives, for his continued guidance and support, and my brother, Sanjay, for always believing in me.

This dissertation would not be possible without the intellectual support of my committee members. I extend my heartfelt thanks to Dr. Gurpreet Dhillon, my advisor, for working with me. I am still in awe of his immense dedication and vitality for research. The perfectionist that he is, he read every word of the multiple versions of this work and always came up with ideas to improve the work. Dr. Dhillon, I did learn a lot from you: as a scholar, as a teacher and as a friend. I thank all my committee members, Doctors Amita Chin, Roland Weistroffer, Richard Redmond and Anson Seers, for their support and encouragement. Thanks to Dr. Allen S. Lee, who has been a major influence in shaping my thinking as a scholar about information systems.

I made several friends in the graduate school who not only provided unique insights into my scholarly activities but also extended constant encouragement and support. Thanks to Long Li, Gurvirendra Tejay, Dave Coss and Mark Harris for your friendship.

Also, I want to acknowledge my late dad, Shri Shew Dular Mishra, for helping me to be the woman that I am today. He will always be my hero! I dedicate this work to him.

Table of Contents

Acknowledgements ... ii
List of Tables ... ix
List of Figures ... xi

Chapter 1 Introduction ... 1
  1.1 Introduction ... 1
  1.2 Nature of the research ... 2
  1.3 Importance of the research problem ... 3
  1.4 Scope of the research ... 10
  1.5 Dissertation Structure ... 13

Chapter 2 Literature Review ... 15
  2.1 Introduction ... 15
  2.2 Information Systems Security Governance: A Technical Orientation ... 16
  2.3 Information Systems Security Governance: A Socio-Organizational Orientation ... 27
  2.4 Discussion ... 45
  2.5 Conclusion ... 52

Chapter 3 Theory and Methodology ... 54
  3.1 Introduction ... 54
  3.2 Study of values in research ... 54
  3.3 Theoretical basis: Value Theory ... 58
  3.4 Methodology ... 61
    3.4.1 Value focused thinking ... 62
    3.4.2 Case study ... 67
  3.5 Research design ... 72
    3.5.1 Data Collection ... 72
    3.5.2 Data analysis ... 74
    3.5.3 Evaluation Criteria ... 76
  3.6 Conclusion ... 77

Chapter 4 Means and Fundamental Objectives for Information Systems Security Governance ... 78
  4.1 Introduction ... 78
  4.2 Developing means and fundamental objectives ... 78
    4.2.1 Respondent profile ... 79
    4.2.2 Keeney's 3 step methodology ... 80
  4.3 Establishing the objectives in information security governance research ... 84
    4.3.1 Fundamental Objectives ... 84
    4.3.2 Means Objectives ... 95
  4.4 Discussions ... 129
    4.4.1 Relevance of the proposed objectives ... 129
    4.4.2 Empirically grounded value based objectives ... 133
    4.4.3 Emergent nature of security governance objectives ... 134
    4.4.4 Synthesized information security governance objectives ... 136
  4.5 Conclusion ... 138

Chapter 5 Reexamining information security governance objectives at CCIT ... 140
  5.1 Introduction ... 140
  5.2 Context of the case study: CCIT ... 141
  5.3 How is strategic planning for information security governance being undertaken at CCIT? ... 144
    5.3.1 Regulatory compliance at CCIT ... 144
    5.3.2 Ensuring continuous improvements in controls at CCIT ... 148
    5.3.3 Responsibility and accountability structures at CCIT ... 151
    5.3.4 Corporate control strategy at CCIT ... 155
    5.3.5 A Control conscious culture at CCIT ... 158
    5.3.6 Clarity in policies and controls at CCIT ... 161
    5.3.7 How is efficacy of audit processes ensured at CCIT? ... 164
    5.3.8 Communications about controls at CCIT ... 167
    5.3.9 Data criticality at CCIT ... 170
    5.3.10 Clear controls development process at CCIT ... 174
    5.3.11 Formal control assessment functionality at CCIT ... 176
    5.3.12 Monitoring and feedback for controls at CCIT ... 180
    5.3.13 Achieving group cohesiveness at CCIT ... 183
    5.3.14 How does CCIT ensure management commitment for security governance? ... 185
    5.3.15 Standardization of controls help CCIT? ... 189
    5.3.16 Alignment of individual and organizational values at CCIT ... 192
    5.3.17 Resource allocation for controls at CCIT? ... 196
    5.3.18 Visible executive leadership accomplished? ... 201
    5.3.19 Ethical and moral values instituted at CCIT ... 203
    5.3.20 On trust building mechanisms at CCIT ... 206
    5.3.21 Ensure punitive structures at CCIT ... 209
    5.3.22 Training and education about controls at CCIT ... 212
    5.3.23 Clarity in business processes at CCIT ... 215
  5.4 Relevance of ISG objectives at CCIT ... 217
    5.4.1 The top management perspectives on ISG objectives ... 217
    5.4.2 The middle management perspective on ISG objectives ... 219
    5.4.3 The operational management perspectives on ISG objectives ... 221
    5.4.4 What do the perspectives mean for information security governance? ... 223
  5.5 Discussion ... 226
    5.5.1 Refining ISG objectives: Lessons from CCIT ... 227
    5.5.2 Emergent Issues ... 229
  5.6 Conclusion ... 236

Chapter 6 Interpreting ISG Objectives: A Synthesis ... 237
  6.1 Introduction ... 237
  6.2 ISG principles for organizations ... 237
    6.2.1 Defining a Corporate Controls Strategy ... 238
    6.2.2 Developing regulatory compliance within organizations ... 242
    6.2.3 Defining continuous improvements for controls ... 247
    6.2.4 Establishing a controls conscious culture in organizations ... 251
    6.2.5 Establishing clarity in policies and procedures in organizations ... 253
    6.2.6 Establishing responsibility and accountability structures in organizations ... 256
  6.3 Discussions ... 260
  6.4 Conclusion ... 267

Chapter 7 Conclusion ... 268
  7.1 Overview of the research ... 268
  7.2 Contributions ... 271
    7.2.1 Theoretical ... 271
    7.2.2 Practical ... 273
    7.2.3 Methodological ... 273
  7.3 Evaluation of the research ... 274
  7.4 Limitations ... 276
  7.5 Future research directions ... 277

References ... 279
Appendices ... 296