A Capability Maturity Framework for IT Security Governance in Organizations

Maleh, Yassine; Sahid, Abdelkebir; Ezzati, Abdellah; Belaïssaoui, Mustapha

doi:10.1007/978-3-319-76354-5_20

Cited by 7 publications

(8 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The questionnaire also included five demographic items: (1) the level of enterprise’s informatisation; (2) the potential impact of an information incident on enterprise’s reputation; (3) the size of the enterprise; (4) business environment; and (5) the type of business activity. A questionnaire was designed for a self-reported assessment, which is a commonly used lightweight method in ISec scientific research [ 30 , 37 – 39 , 94 ].…”

Section: Methodsmentioning

confidence: 99%

“…The method was applied to a large organization in Morocco by using an online survey. The findings indicate that organisation included in their in case analysis is less mature in the areas of security budgeting, resource effectiveness, security threat profiling, and security risk handling [30].…”

Section: Related Workmentioning

confidence: 97%

“…A capability assessment framework (CAFISGO) for the information security governance in organizations was developed by [30]. It consists of five key areas (information security governance strategy and metrics; technical asset security management; information service/system/ data security management; vulnerability and risk management; information security governance control/compliance/continuity management), 21 security objectives and 80 weighted controls each having a designated weighting coefficient.…”

Section: Related Workmentioning

confidence: 99%

“…(3) the size of the enterprise; (4) business environment; and (5) the type of business activity. A questionnaire was designed for a self-reported assessment, which is a commonly used lightweight method in ISec scientific research [30,[37][38][39]94].…”

Section: Plos Onementioning

confidence: 99%

See 3 more Smart Citations

A real-world information security performance assessment using a multidimensional socio-technical approach

2020

View full text Add to dashboard Cite

Measuring the performance of information security is an essential part of the information security management system within organisations. Studies in the past mainly focused on establishing qualitative measurement approaches. Since these can lead to ambiguous conclusions, quantitative metrics are being increasingly proposed as a useful alternative. Nevertheless, the literature on quantitative approaches remains scarce. Thus, studies on the evaluation of information security performance are challenging, especially since many approaches are not tested in organisational settings. The paper aims to validate the model used for evaluating the performance of information security management system through a multidimensional socio-technical approach, in a real-world settings among medium-sized enterprises in Slovenia. The results indicate that information security is strategically defined and compliant, however, measures are primarily implemented at technical and operational levels, while its strategic management remains underdeveloped. We found that the biggest issues are related to information resources and risk management, where information security measurement-related activities proved to be particularly problematic. Even though enterprises do possess certain information security capabilities and are aware of the importance of information security, their current practices make it difficult for them to keep up with the fast-paced technological and security trends.

show abstract

Section: Methodsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 97%

Section: Related Workmentioning

confidence: 99%

Section: Plos Onementioning

confidence: 99%

See 2 more Smart Citations

A real-world information security performance assessment using a multidimensional socio-technical approach

2020

View full text Add to dashboard Cite

show abstract

“…Veiga and Eloff (2007) propose a detailed framework towards a holistic and people-orientated approach. Maleh et al (2017) suggest that it is essential to put in place an ISG approach adapted to the culture of the organisation. Their proposed capability maturity framework (CAFISGO) helps organisations assess their capability maturity state and address the procedural, technical and human aspects of ISG.…”

Section: Information Security Governance Modelsmentioning

confidence: 99%

What do we know about information security governance?

Schinagl

Shahim

2020

ICS

View full text Add to dashboard Cite

Purpose This paper aims to review the information security governance (ISG) literature and emphasises the tensions that exist at the intersection of the rapidly changing business climate and the current body of knowledge on ISG. Design/methodology/approach The intention of the authors was to conduct a systematic literature review. However, owing to limited empirical papers in ISG research, this paper is more conceptually organised. Findings This paper shows that security has shifted from a narrow-focused isolated issue towards a strategic business issue with “from the basement to the boardroom” implications. The key takeaway is that protecting the organisation is important, but organizations must also develop strategies to ensure resilient businesses to take advantage of the opportunities that digitalization can bring. Research limitations/implications The concept of DSG is a new research territory that addresses the limitations and gaps of traditional ISG approaches in a digital context. To this extent, organisational theories are suggested to help build knowledge that offers a deeper understanding than that provided by the too often used practical approaches in ISG research. Practical implications This paper supports practitioners and decision makers by providing a deeper understanding of how organisations and their security approaches are actually affected by digitalisation. Social implications This paper helps individuals to understand that they have increasing rights with regard to privacy and security and a say in what parties they assign business to. Originality/value This paper makes a novel contribution to ISG research. To the authors’ knowledge, this is the first attempt to review and structure the ISG literature.

show abstract