Building a Maturity Framework for Information Security Governance Through an Empirical Study in Organizations

Introduction

The threat to technology-based information assets is greater today than in the past. The evolution of technology has also reflected in the tools and methods used by those attempting to gain unauthorized access to the data or disrupt business processes (L. Goodhue & Straub, 1991). Attacks are inevitable, whatever the organization (IT Governance Institute, 2006). However, the degree of sophistication and persistence of these attacks depends on the attractiveness of this organization as a target (F. Rockart & D. Crescenzi, 1984), mainly regarding its role and assets. Today, the threats posed by some misguided individuals have been replaced by international organized criminal groups highly specialized or by foreign states that have the skills, personnel, and tools necessary to conduct secret and sophisticated cyber espionage attacks. These attacks are not only targeted at government entities. In recent years, several large companies have infiltrated, and their data have been “consulted” for several years without their knowledge. In fact, improving cyber security has emerged as one of the top IT priorities across all business lines. So, while companies (von Solms & van Niekerk, 2013) (Bowen, Chew, & Hash, 2007)

Areas such as the aerospace industry and strategic resources can be ideal targets for cyber espionage by nation-states, others managing financial assets or large-scale credit card information are equally attractive to international criminal groups (Posthumus & von Solms, 2004) (Humphreys, 2008).

These malicious actors no longer content themselves with thwarting the means of technical protection. Instead, they survey and exploit a variety of weaknesses detected in the targeted environment (Galliers & Leidner, 2014). These shortcomings are not only technological but also result from failures in protection procedures or gaps in vulnerability management practices. The best technology in the world, if misused will not provide an adequate defense against such threats (von Solms & van Niekerk, 2013).

Ensuring the information system IS security in a large organization is a real challenge (Sohrabi Safa, Von Solms, & Furnell, 2016). Only a good governance can reassure the general management, customers and partners, shareholders and ultimately the public at large (Mark Duffield, 2014).

The problem is that the security governance framework is designed to guide organizations in there IS security governance strategy, but does not define the practical framework for the engagement in this strategy.

To address these concerns, some practice repositories (ITIL, Cobit, CMMi, RiskIT) and international standards (ISO 27000 suite, ISO 15408) now include paragraphs on security governance. The first reports or articles in academic journals that evoke the governance of information security date back to the early 2000s.

The proposed referential and best practices designed to guide organizations in their IT security governance strategy. However, does not define the practical framework to implement or to measure the organization engagement in term of IS security governance.

In this paper, we will study the practices and commitments of organizations in IS security governance. A survey of 836 medium and large companies at the international level (USA, UK, France, Morocco, China, Russia, etc.) was set up to define the best practices of these organizations regarding information security governance and management. This study allowed us to propose a practical framework to evaluate the organization in their maturity state and to improve their level of IS security governance according to their needs and resources.