Assessment of information security maturity: An exploration study of Malaysian public service organizations

Journal of Systems and Information Technology

Volumn 14, Issue 1, 2012, Pages 23-57

  Dzazali, Suhazimah ^a   Zolait, Ali Hussein ^b  

^a National Institute of Public Administration   (Malaysia)

^b UNIVERSITY OF BAHRAIN   (Bahrain)

Author keywords

Data management; Data security; Information security; Malaysia; Public service organizations; Risk management; Security assessment; Security awareness; Security management; Security maturity

Indexed keywords

EID: 84861414677     PISSN: 13287265     EISSN: 17588847     Source Type: Journal    
DOI: 10.1108/13287261211221128     Document Type: Article

References (64)

1. Aceituno, V.C. (2004), ISM3 1.0. - Information Security Management Maturity Model, Institute for Security and Open Methodology, available at: http://isecom.securenetltd.com/Security_Maturity_Model_v3.0.pdf.
2. Andersen, W.P. (2001), "Information security governance" in Information Security Technical Report, Vol. 6, No. 3, pp. 60-70.
3. Andress, M. (2000), "Manage people to protect data", InfoWorld, Vol. 22, No. 46.
4. Baskerville, R. (1998), Designing Information System Security, Wiley, Chichester.
5. Berinato, S. (2003), "After the storm, reform", CIO Magazine, available at: www.cio.com/archive/121503/securityfuture.html (accessed 19 October 2004).
6. Bhaskar, K.N. (1993), Computer Security: Threat and Countermeasures, NCC-Blackwell, Oxford.
7. Borck, J.R. (2000), "Enterprise strategies: advice for a secure enterprise: implement the basics and see that everyone uses them", InfoWorld, Vol. 22, No. 46, November.
8. CAN/CSA Q850 (1997), Risk Management: Guideline for Decision Makers, A National Standard for Canada (CAN/CSA-Q850-97), available at: http://riskreports.com/standards.html.
9. Caralli, R.A. and Wilson, W.R. (2003), The Challenges of Security Management, Software Engineering Institute, Carnegie-Mellon University, Pittsburgh, PA, available at: www.cert.org/archive/pdf/Esmchallenges.pdf.
10. Cherns, A. (1976), "The principles of socio-technical design" in Human Relations, Vol. 2, No. 9, pp. 783-92.
11. COBIT (2000), Control Objectives for Information and Related Technology: Management Guidelines, Information Systems, Audit, and Control Foundation, Rolling Meadows, IL, ISACA, 1997, available at: www.isaca.org/cobit.htm.
12. COBIT (2002), Control Objectives for Information and Related Technology, Information Systems, Audit, and Control Foundation, Rolling Meadows, IL, ISACA, 1997, available at: www.isaca.org/cobit.htm.
13. COSO (2004), Enterprise Risk Management Framework: Committee of Sponsoring Organizations of the Treadway Commission (COSO), available at: www.erm.coso.org.
14. Delloitte & Touche (2002), Management Briefing - Information Security, available at: www.deloitte.com/dtt/cda/doc/content/info_security(1).pdf (accessed 20 January 2004).
15. de Vaus, D.A. (2002), Surveys in Social Research, 5th ed., Routledge, Warners Bay.
16. Dhillon, G. and Backhouse, J. (2001), "Current direction in IS security research: toward socio-technical perspectives" in Information System, Vol. 11, No. 2, pp. 127-53.
17. Dzazali, S., Ainin, S. and Zolait, A.H.S. (2009), "Employing the social-technical perspective in identifying security management systems in organisations" in International Journal of Business Information Systems, Vol. 4, No. 4, pp. 419-39.
18. Eloff, J.H.P. (2002), "What do international standards say on information security policies?", available at: www.cio.org.
19. Eloff, M.M. and Solms, S.H. (2000), "Information security management: a hierarchical framework for various approaches" in Computers and Security, Vol. 19, No. 3, pp. 243-56.
20. Ernst & Young (2004), Ernst & Young Global Information Security Survey 2004, available at: www.ey.com.
21. Ezingeard, J.N. and Bowen-Schrire, M. (2003), "Information security: a strategic issue", A Conjoint Report Study, Hanley Management College, UK and Dataföreningen, Sweden, available at: www.henley.se.
22. Firth, D. (1993), "Are we securing the right information?" in Proceedings of the Tenth World Conference on Computer Security, COMPSEC'93, London, May, Elsevier Advanced Technology, pp. 68-73.
23. Fletcher, S.K., Jansma, R.M., Lim, J.J., Halbgewachs, R., Murphy, M.D. and Wyss, G.D. (1995), "Software system risk management and assurance", available at: IEEE database (accessed 15 February 2005).
24. Fulford, H. and Doherty, N.F. (2003), "The application of information security policies in large UK-based organisations: an exploratory investigation" in Information Management & Computer Security, Vol. 11, No. 3, pp. 106-14.
25. Gaunt, N. (2000), "Practical approaches to creating a security culture" in International Journal of Medical Information, Vol. 60, No. 2, pp. 151-7.
26. Gordon, L.A., Loeb, G.M., Lucyshyn, W. and Richardson, R. (2004), 9th Annual FBI/CSI Computer Crime and Security Survey 2004, available at: http://GoCSI.com.
27. Hitchings, J. (1995), "The need for a new approach to information security", Proceedings of the 10th International Conference on Information Security (IFIP'94), Curacoa, Netherlands Antillean.
28. Hong, K.S., Chi, Y.P., Chao, L.R. and Tang, J.H. (2003), "An integrated system theory of information security management" in Information Management & Computer Security, Vol. 11, No. 5, pp. 243-448.
29. Hovav, A. and D'Arcy, J. (2003), "The impact of denial-of-service attack announcements on the market value of firms" in Risk Management & Insurance Review, Vol. 6, No. 2, p. 97.
30. ISO 27001 (2005), ISO/IEC 27001-2005(E): Information Technology-Security Techniques-Information Security Management Systems-Requirements, International Organisation for Standardization, Geneva.
31. ITGI (2003), "Board briefing on IT governance", IT Governance Institute, available at: www.itgi.org (accessed 11 August 2004).
32. Jaisingh, J. and Rees, J. (2004), Value at Risk: A Methodology for Information Security Risk Assessment, available at: www.cert.org/archive/pdf/var.pdf (accessed 7 September).
33. Jenkins, J. (2003), "Organisational IT security theory and practices: and never the twain shall meet?", available at: www.sans.org/rr/securitybasics/ IT_sec2.php (accessed 27 February 2004).
34. Jessup, L. and Valacich, J. (2008), Information Systems Today: Managing in the Digital World, 3rd ed., Pearson Education, Upper Saddle River, NJ.
35. JPA (2005), Malaysian Public Service Department (Jabatan Perkhidmatan Awam Malaysia). Proceedings of Public Service Conference 2005.
36. Kawalek, P. and Leonard, J. (1996), "Evolutionary software development to support organisational and business process change: a case study account" in Journal of Information Technology, Vol. 11, pp. 185-98.
37. Kloman, F. (2000), "Does risk matter?", Risk Management Report, September, available at: www.riskreports.com/htdocs/riskmatter.html (accessed 27 March 2003).
38. Kowalski, S. (1994), "IT security: a multi-disciplinary inquiry", Department of Computer and Systems Science, Stockholm University, Stockholm, Report Series No. 94-004.
39. MAMPU (2001), "Mekanisme pelaporan insiden keselamatan teknologi maklumat dan komunikasi ("Information and communications technology security incident reporting mechanism")", Malaysia Government General Circular No. 1 of 2001.
40. MAMPU (2003), Malaysian Administrative Modernization and Management Planning Unit, Malaysia, Public Service ICT Strategic Plan Executive Summary, available at: www.mampu.gov.my/mampu/bi/program/ict/ISPlan/ISPlan.htm (accessed 23 August 2005).
41. MAMPU (2005), HiLRA: Malaysian Public Service Information Security High Level Risk Assessment Guide, Malaysian Administrative Modernization and Management Planning Unit, Malaysia Public Service ICT Strategic Plan Executive Summary, available at: www.mampu.gov.my.
42. Marsh, J. (2003), "Myths managers believe about security", available at: www.sans.org/rr/start/myths.php (accessed 27 February).
43. MS 1536: Part 3 (2002), Guidelines for the Management of IT Security: Part 3: Techniques for the Management of IT Security, Malaysian Standard for Information Technology, Department of Standards, Putrajaya.
44. Musekura, J.B. and Ekh, R. (2003), "Information security issues - difference between perception and practice in organizations", Orebro University, Orebro, available at: www.oru.se/oru-upload/ (accessed 20 November 2005).
45. Pava, C.H.P. (1983), Managing New Office Technology, The Free Press, New York, NY.
46. Peltier, T.R. (2001), Information Security Risk Analysis, Auerbach Publications, New York, NY.
47. Richardson, R. (2003), 8th Annual CSI/FBI Computer Crime and Security Survey 2003, available at: http://GoCSI.com (accessed 5 February 2006).
48. Schneier, B. (2002), Secret and Lies - Digital Security in a Networked World, Wiley Computer Publishing, New York, NY.
49. Siponen, M. (2002), "Towards maturity of information security maturity criteria: six lessons learned from software maturity criteria" in Information Management & Computer Security, Vol. 10, No. 5, pp. 210-24.
50. Siponen, M. (2005), "Analysis of modern IS security development approaches: towards the next generation of social and adaptable ISS methods" in Information and Organization, Vol. 15, No. 4, pp. 339-75.
51. Solms, B. (2000), "Information security - the third wave?" in Computers and Security, Vol. 19, No. 7, pp. 615-20.
52. Solms, B. and Solms, R. (2004), "The 10 deadly sins of information security" in Computers and Security, Vol. 23, No. 5, pp. 371-6.
53. Solms, R. (1997), "Driving safely on the information superhighway" in Information Management & Computer Security, Vol. 5, No. 1, pp. 20-2.
54. Sommer (2003), "How to buy information security", available at: www.virtualcity.co.uk.hottobuy.htm (accessed 24 July 2004).
55. SSE-CMM (2003), System Security Engineering Capability Maturity Model V3.0, Carnegie Mellon University, Pittsburgh, PA, available at: www.sse-ccm.org/model/model.asp (accessed 20 January 2005).
56. Stacey, T.R. (1996), "Information security program maturity grid" in Information System Security, Vol. 5, No. 1, pp. 22-33.
57. Thomson, K. and Solms, R. (2005), "Information security obedience: a definition" in Computers & Security, Vol. 24, pp. 69-75.
58. Trist, E. (1981), "The socio-technical perspective" in Van de Ven, A. and Joyce, W.F. (Eds.), Perspectives on Organisational Design and Behaviour, Wiley, New York, NY, pp. 19-75.
59. Turban, E., King, D., Lee, J. and Viehland, D. (2004) in Electronic Commerce 2004 - Managerial Perspective, International edition, Pearson Education, Upper Saddle River, NJ, pp. 1-34.
60. Wallace, L., Keil, M. and Rai, A. (2004), "How software project risk affects project performance: an investigation of the dimensions of risk and an exploratory model" in Decision Sciences, Vol. 35, No. 2, pp. 289-320.
61. Walsh, K.R. and Schneider, H. (2002), "The role of motivation and risk behaviour in software development success", Information Research, Vol. 7, No. 3, available at: http://informationr.net/ir/7-3/paper129.html (accessed 7 February 2010).
62. Waring, A. and Glendon, A. (1998), Managing Risk - Critical Issues for Survival and Success into the 21st Century, Thompson Learning, London.
63. Zedner, L. (2003), "The concept of security: an agenda for comparative analysis" in Legal Studies, Vol. 23, March, pp. 154-76.
64. Hair, J.F., Anderson, R., Tatham, R.L. and Black, W.C. (1998), Multivariate Data Analysis, 5th ed., Macmillan, New York, NY.