INFORMATION SYSTEMS SECURITY MANAGEMENT MATURITY MODEL FOR ELECTRONIC COMMERCE SMALL MEDIUM INDUSTRIES AND ENTERPRISES (SMI/E) USING TECHNOLOGY, ORGANIZATION AND ENVIRONMENT FRAMEWORK

AZAH ANIR BINTI NORMAN

THESIS SUBMITTED IN FULFILMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

DEPARTMENT OF INFORMATION SYSTEMS
FACULTY OF COMPUTER SCIENCE AND INFORMATION TECHNOLOGY
UNIVERSITY OF MALAYA
KUALA LUMPUR
2014

UNIVERSITI MALAYA
ORIGINAL LITERARY WORK DECLARATION

Name of Candidate: (I.C./Passport No.: )
Registration/Matrix No.:
Name of Degree:
Title of Project Paper/Research Report/Dissertation/Thesis ("this Work"):
Field of Study:

I do solemnly and sincerely declare that:
(1) I am the sole author/writer of this Work;
(2) This work is original;
(3) Any use of any work in which copyright exists was done by way of fair dealing and for permitted purposes and any excerpt or extract from, or reference to or reproduction of any copyright work has been disclosed, expressly and sufficiently, and the title of the Work, and its authorship have been acknowledged in this Work;
(4) I do not have any actual knowledge nor do I ought reasonably to know that the making of this work constitutes an infringement of any copyright work;
(5) I hereby assign all and every right in the copyright to this Work to the University of Malaya ("UM"), who henceforth shall be owner of the copyright in this Work and that any reproduction or use in any form or by any means whatsoever is prohibited without the written consent of UM having been first had and obtained;
(6) I am fully aware that if in the course of making this Work I have infringed any copyright whether intentionally or otherwise, I may be subjected to legal action or
any other action as may be determined by UM.

Candidate's Signature    Date

Subscribed and solemnly declared before,

Witness's Signature    Date
Name:
Designation:

Success in any task can only come from ALLAH

... to Abah Hj. Norman Ibrahim and Mama Hjh. Sadiah Mustajab ... your blessings have helped me through my hard-times

AND

... to my confidante and companion; Abang, you have always inspired me to be strong ... I am blessed and am sincerely thankful to Allah for all the beautiful "gifts", for which I am indebted to you.

ABSTRACT

Today, the Information Systems Security Management (ISSM) maturity framework has been recognized and accepted by businesses globally. This ISSM maturity phenomenon has shifted many business perspectives on the importance of security management towards business information systems. The development of the current ISSM maturity framework, based on tried-and-true practices by security experts, has also raised many issues in the IS research scenario, among which are: (i) lack of a flexible framework: the current framework was developed and designed to suit brick and mortar traditional business, but not e-commerce, which has a volatile structure; (ii) lack of a theory-supported framework: the current ISSM framework was developed using tried-and-true practices drawn from experts' experiences rather than being based on accepted theories.

The main objective of this research is to address these two issues. The research aim is to construct an ISSM maturity model to suit e-commerce using the Technology, Organization and Environment (TOE) framework, the DeLone and McLean Information System (IS) Success Factors, the Diffusion of Innovation Theory (DOI) and the Ein-Dor Organizational Factors. The IS theory, IS model, IS framework and IS organization factors were selected to help develop a flexible and theoretically-based ISSM maturity model for the benefit of Small Medium Industries/Enterprises (SMI/Es) that are involved in e-commerce.

This study employs mixed-method research using the sequential mixed-method procedure to predict the conceptual relationship: (i) the quantitative research phase adopts a structural equation modelling (SEM) technique using the Partial Least Square (PLS) method, (ii) semi-structured interviews with selected Small Medium Industry/Enterprise (SMI/E) business Chief Executive Officers (CEOs) and business owners that are involved in e-commerce. The results show high reliability of the predicted variables, with a minimum reliability score of more than 0.85, and an average variance extracted (AVE) exceeding 0.5, indicating adequate convergent validity of all the predicted variables developed in the conceptual framework. The predicted relationship was proved to be significant with a score of 50.4%, showing the high influence of the latent variables discussed in this ISSM maturity research.

The findings show three significant influences on ISSM maturity in e-commerce: (i) technology, which covers technology usage, compatibility, complexity, relative advantage and technology availability, (ii) organization, including human resources, formal and informal linking structures and the communication process, and (iii) the environment, which consists of user satisfaction, government regulations, technology support characteristics, industry characteristics and market structure. Based on both quantitative and qualitative results, four quadrants of ISSM maturity were presented. These quadrants were then organized to construct the ISSM maturity model.
The research contributes to the body of knowledge in two ways, practically and academically: (i) the research contributed to the development of a theoretically-based ISSM maturity model for SMI/Es involved in e-commerce, and (ii) the research justified the theoretical consideration (based on the selected IS theory, IS framework, IS model and IS factors) which formed the conceptual research framework of this thesis. This research has successfully answered all research questions: it deduced the ISSM maturity factors and described the relationship between the identified factors, and hence conclusively built the ISSM maturity model.

ABSTRAK (MALAY ABSTRACT)

Today, the Information Systems Security Management (ISSM) maturity framework has been recognized and accepted by many businesses at the global level. The ISSM maturity phenomenon has shifted many business perspectives on the importance of security management for business information systems (IS). The development of the existing ISSM maturity framework, based on tried-and-true practices by security experts, has also raised more issues in the IS research scenario: (i) lack of a flexible framework: the existing framework was designed to suit hierarchical traditional businesses but not e-commerce, which has a volatile structure; (ii) lack of a theory-supported framework: the current ISSM framework was developed using the tried-and-true practices of its authors rather than being based on accepted theories. The main objective of this study is to address the two issues above. The research aims to construct an ISSM maturity model to meet the needs of small and medium industries/enterprises (SMI/E) that have e-commerce, using the Technology, Organization and Environment (TOE) framework, the DeLone and McLean Security Management (SM) Success Factors, the Diffusion of Innovation Theory (DOI) and the Ein-Dor Organizational Factors. These theories help to develop flexibility in a theory-based ISSM model.

This study uses a mix of quantitative and qualitative research, following a sequential mixed-method procedure to predict the conceptual relationship: (i) the quantitative research phase uses structural equation modelling (SEM) with the Partial Least Square (PLS) technique, (ii) semi-structured interviews with selected business owners who are involved in e-commerce. The results show high reliability of the variables, with a minimum reading of 0.85, and an average variance extracted (AVE) exceeding 0.5, indicating adequate validity for all the predicted variables in developing the conceptual framework. The predicted relationship demonstrates a significant level of influence of 50.4 percent, with the variables showing a high influence on e-commerce ISSM maturity.

The findings show three important influences on ISSM maturity in e-commerce: (i) technology, namely technology usage, compatibility, complexity, relative advantage and technology availability, (ii) organization, including human resources, formal and informal linking structures and the communication process, and (iii) environment, consisting of user satisfaction, government regulations, industry characteristics and market structure, and technology support characteristics. Based on the quantitative and qualitative results, four quadrants of ISSM maturity were put forward. Using these quadrants, the study has proposed an ISSM maturity model. This study contributes to the body of knowledge in two ways, practically and academically: (i) the research has contributed to the development of a theory-based ISSM maturity model for use by SMI/Es involved in e-commerce, and (ii) the research justified the theoretical view (based on the selected IS theory, IS framework, IS model and IS factors) that formed the conceptual research framework of this thesis. This study has successfully answered all the research questions, in that it deduced the ISSM maturity factors and discussed the relationships between the identified factors, and subsequently built the ISSM maturity model.

ACKNOWLEDGEMENT

Alhamdullillah. Success in all my task comes only from Allah SWT.

Heartiest thanks to all who have directly and indirectly supported this research. My gratitude goes to Malaysia Productivity Corporation (MPC) and Women Entrepreneur Network (WENA) for invaluable advice and support. To my supervisor, Dr. Norizan Mohd Yasin, thank you for all the comments and critics. Thank you Prof. Ramayah for all the statistical guidance and "wise-quotes", to Prof. Imam Ghozali and Mr. Dwiratmono, for the PLS introduction and guides. This thesis also could not be realized without the help of friends who have shared knowledge, information, tips and wisdom, that which I would not have been able to gather through my readings. I am also thankful to Along and Adik for your never ending help and support. Sayang Mohd Anuar Mustafa - thank you for believing in me. Ain Zahirah, Afiah Zaheen, Auni Zakiyah and Ahmad Zuhayr - your patience, love, laughter and cries have made this journey more valuable and worthwhile. Subhanallah and Alhamdullillah, I am blessed.

Gratitude also goes to families and friends, for without them I may not be here. Finally to RESTU, only Allah could repay the unconditional support you've provided me.

TABLE OF CONTENTS

ORIGINAL LITERARY WORK DECLARATION
DEDICATION
ABSTRACT
ACKNOWLEDGEMENT
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
LIST OF SYMBOLS AND ACRONYMS
LIST OF APPENDICES

CHAPTER 1: INTRODUCTION
1.1 Overview
1.2 Context of Research
1.3 Overview of Research Problem
1.4 Research Objectives
1.5 Research Questions
1.6 Scope of Research
1.7 Research Methodology
1.8 Contribution of the Research
    1.8.1 Academic benefits
    1.8.2 Practical or applied benefits
1.9 Structure of the research

CHAPTER 2: LITERATURE REVIEW
2.1 Introduction
2.2 The Information Systems Security Management (ISSM)
    2.2.1 The Past ISSM Research Highlights
    2.2.2 The Present ISSM Research Highlights
        2.2.2(a) The characteristics of the standards
        2.2.2(b) Socio-technical factors derived from Information Systems Security Management Research
2.3 Information systems security management (ISSM) Maturity
    2.3.1 The Information systems security management ISSM Maturity Standards
        2.3.1(a) Software Security Metrics by Murine and Carpenter (1984)