Information Assurance and Corporate Strategy: A Delphi Study of Choices, Challenges and Developments for the Future

Mar 10, 2008

Dr. Elspeth McFadzean* [email protected] Henley Business School University of Reading Greenlands Henley-on-Thames Oxfordshire United Kingdom RG9 3AU Tel: +44 (0)1491 571454 Fax: +44 (0)1491 571574

Professor Jean-Noël Ezingeard [email protected] Faculty of Business and Law Kingston University Kingston Hill Kingston Upon Thames Surrey United Kingdom KT2 7LB

Professor David Birchall [email protected] Henley Business School University of Reading Henley-on-Thames Oxfordshire United Kingdom RG9 3AU Tel: +44 (0)1491 571454 Fax: +44 (0)1491 571574

*Corresponding Author

Author Biographies

Dr Elspeth McFadzean is a Visiting Academic Fellow at Henley Business School, University of Reading and an Honorary Recognised Teacher at the University of Liverpool. She received her PhD in 1996 from Brunel University in London. Her research interests are in the relationships between information systems/knowledge management and human behaviour including information assurance, group support systems, creativity and innovation, and team leadership and facilitation. Her research has appeared in the Journal of Information Systems Security, Online Information Review, Journal of Enterprise Information Management, Information Systems Management, Interfaces, European Journal of Innovation Management, Harvard Business Review, Strategic Change and Journal of Management Development.

Jean-Noël Ezingeard is Dean of the Faculty of Business and Law at Kingston University (London). His research is focused on Information Assurance, Information Security and Enterprise Risk Management, topics which he has researched, taught and consulted about in Europe, North America and South Africa. His work on Information Assurance has been used in publications by QinetiQ, Axa, and the Federation against Software Theft. He is a founding member of the British Computer Society’s Information Assurance working group. He joined the Business School world 12 years ago. Prior to this he worked as a Chartered Manufacturing Engineer (Operations Management) and a Lecturer in Computer Integrated Manufacturing.

David Birchall is an associate faculty member and Emeritus Professor at Henley Business School, University of Reading. His activities include studies into innovation management, off-shoring, methodologies for identifying future capabilities needs, leadership competencies in global enterprise as well as in the 3rd sector, spin-outs and relationships to the founding university, knowledge management and talent management. He has worked with global companies as well as small medium enterprise and the third sector and has written a number of books on innovation and future work.


Abstract

In this paper, we identify processes associated with strengthening the alignment between information assurance, information systems and corporate strategies so that organisations can more effectively address legal and regulatory challenges. Our results are based on data gathered from 43 preliminary interviews and a subsequent Delphi exercise. The Delphi panel rated these processes in terms of desirability and feasibility. After three rounds a consensus of opinion was achieved. The results of the Delphi together with some practical implications are presented.

Keywords Information assurance, IA alignment, strategic alignment, Delphi


1. Introduction

Due to constantly increasing threats to the security, integrity and availability of organisational information, theorists have presented a number of studies on information assurance (IA), or on different aspects of IA (Baskerville, 1991; Kankanhalli, Teo, Tan, & Wei, 2003; Miller & Engemann, 1996; Zviran & Haga, 1999). Indeed, there has been a call from both government officials and in the academic literature to place security issues – often the most discussed element of IA – at a more senior level (Dutta & McCrohan, 2002). The legal environment is also changing, and continuing concerns regarding individual privacy, security of sensitive information, accountability for financial information and corporate governance are driving the development of new laws and regulations to ensure that organisations address potential security problems (Gilbert, 2008; Smedinghoff, 2008). These often include two key legal obligations:

• A duty to provide sufficient security for corporate data and information systems; and

• A duty to reveal security breaches to those individuals or businesses who may be adversely impacted by these breaches (Smedinghoff, 2005).

Some theorists have suggested that information assurance should be undertaken as part of the corporate governance procedures and, as such, should be the responsibility of the board of directors (Birchall, Ezingeard, & McFadzean, 2003; Von Solms, 2001a). In fact, organisational compliance regulations that cover IA are increasingly expanding. In the United States, the Sarbanes-Oxley Act is seen as a key driver of IA efforts at senior levels for publicly traded companies (Linkous, 2008). Thus, according to the National Cyber Security Partnership Governance Task Force (2004, p. 12),

The board of directors should provide strategic oversight regarding information security, including:

1. Understanding the criticality of information and information security to the organization.

2. Reviewing investment in information security for alignment with the organization strategy and risk profile.

3. Endorsing the development and implementation of a comprehensive information security program.

4. Requiring regular reports from management on the program's adequacy and effectiveness.

IA efforts can, however, be criticised for hampering business strategy and introducing restrictions to creativity, entrepreneurship and responsiveness. Organisations therefore need strong alignment between IS, IA and corporate strategies so that they can more effectively address the above legal and regulatory challenges (Ezingeard, McFadzean, & Birchall, 2005). In other words, organisations cannot view information assurance as an autonomous entity but as part of a holistic enterprise-wide framework that includes corporate and information strategy. A key advantage of developing IS, IA and corporate strategies at such a high level is the ability to build alignment between them. Senior executives are in a better position to gain a complete overview of the company, its goals and its processes (Lohmeyer, McCrory, & Pogreb, 2002). In addition, they have the authority to ensure that these plans are implemented effectively (Kankanhalli et al., 2003; McFadzean, Ezingeard, & Birchall, 2006).

Unfortunately, there has been little research undertaken in the area of IA alignment. The aim of this paper, then, is to ascertain what specific methods and processes can be utilised by management in order to strengthen the alignment of IA, IS and corporate strategy. To this end, we have used the Delphi Technique to determine these actions. We have also asked the expert panel to rank both the desirability and the feasibility of these variables.

This paper is structured as follows. The next section discusses the importance of information assurance and its alignment to IS and business goals, and presents a brief review of the alignment literature. The methodology and research design are then described; this section discusses the use of the Delphi methodology as well as the design of our study. Subsequent sections present the results of the project and discuss the methods for strengthening IA and business alignment. Finally, some implications for managers are considered.

2. Information Assurance Alignment

2.1. Information Assurance as a Strategic Necessity

The UK Information Assurance Advisory Council (IAAC) defines IA as “a holistic approach to protect information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation” (Anhal, Daman, O'Brien, & Rathmell, 2002, p. 7). In other words, information assurance attempts to avoid security problems rather than fix them (Austin & Darby, 2003). Furthermore, a comprehensive conceptualisation of information assurance ensures that the information systems supporting an organisation’s transactional and transformational needs are kept operational and secure. This requires a complete view of the organisation’s vision as well as its current information needs and systems. Additionally, IA specialists need to understand how value is created from information and how it can be used to enhance the organisation’s success. As a result, Ezingeard, McFadzean & Birchall (2005, p. 23) suggest that IA is a method for “determining how the reliability, accuracy, security and availability of a company’s information assets should be managed to provide maximum benefit to the organisation, in alignment with corporate objectives and strategy.”

McFarlan (1984) and Ward (1988) propose that an issue is strategic if it has the potential to impact on the business as a whole. Thus, in this sense, information assurance can be defined as a strategic issue – and, therefore, should support corporate strategy – because the consequences of IA policy decisions can affect the entire business. For example, an ill-considered or poor IA strategy could result in:

• Damage to a firm’s reputation (Chellappa & Pavlou, 2002; Logan & Logan, 2003)

• Financial loss due to poor controls (Dhillon, 2001; Ward & Smith, 2002)

• The inability to operate, loss of business and a reduction in share price on the stock markets (Campbell, Gordon, Loeb, & Zhou, 2003; Ettredge & Richardson, 2002, 2003)

• A restriction of information flow causing poor customer service and loss of business over time (Cerullo & Cerullo, 2004; Sanderson & Forcht, 1996)

• Prohibitively high cost and the possibility that the organisation may not survive the disruption (Garg, Curtis, & Halper, 2003; Logan & Logan, 2003)

• The migration of customers to competitors because of the inconvenience or risk of inadequate security, failing computer systems, lack of stability and poor reliability (Cockcroft, 2002; Hazari, 2005)

Information assurance is not just a technical problem. In fact, Dutta & McCrohan (2002) suggest that it is supported by three key areas, namely critical infrastructure, organisation and technology – and it is the responsibility of managers to ensure that these three areas are aligned. Consequently, Dutta & McCrohan state that if information assurance is left to the IS function, only one of these issues – technology – will be strengthened. Furthermore, recent attacks on buildings – the World Trade Center being a prime example – show that critical infrastructure and organisational issues are just as important as the technical side. Thus, information security is not just a problem for a series of single organisations. Rather, it is a national – indeed, global – challenge.

Organisational issues – including culture, structure, politics and the business environment – can also have an impact on information assurance. For example, certain organisations will not see the necessity to promote strict information security; whilst others – such as companies which primarily focus on e-commerce – are likely to perceive information security as a key factor and will be aware of the potentially significant implications of a breach. On the other hand, small organisations or those that do not significantly rely on inter-organisation information exchange will be less concerned with stringent security procedures (McFadzean, Ezingeard, & Birchall, 2007). However, a survey undertaken in the UK by BERR (2008) found that 10% of companies that accept payment on their websites do not encrypt the information. Furthermore, 52% do not carry out any informal risk assessment, 67% do not prevent confidential data being downloaded onto memory sticks and 78% of companies that had computers stolen did not encrypt hard discs.

In addition, the advent in the USA of the Sarbanes-Oxley Act, which holds executives personally liable for the accuracy of financial results – together with equivalent government guidelines in other countries – could potentially prepare the way to similar liabilities for all types of compliance issues. This is a growing problem particularly due to the increasing anxiety amongst consumers regarding information privacy (Stewart & Segars, 2002; Swartz, 2003; Viton, 2003). The latest survey undertaken by Ernst & Young (2007) suggests that regulation and compliance are now the leading drivers of information security investment. Indeed, 82% of managers now believe that information security positively contributes to the value of organisations rather than just being seen as an IT overhead. In fact, under section 302 of the Sarbanes-Oxley Act, the chief executive and chief financial officers of public companies must personally certify the existence and effective operation of disclosure controls and procedures. Additionally, they must declare that they have disclosed any substantial control deficiencies or any significant changes to control systems to their audit committees and independent auditors (Damianides, 2005).

Sixty percent of the respondents in the Ernst & Young (2007) survey also indicated that information security is instrumental in facilitating strategic initiatives. Likewise, the academic literature emphasises the need to ensure that information assurance is seen as a corporate governance issue (Von Solms, 2001b; Von Solms & Von Solms, 2004). This will provide the organisation with a more holistic view of security and include the development and implementation of risk planning models, security awareness programmes, countermeasure matrix analysis and the construction of a security architecture that closely relates to the requirements of the business (Sherwood, 1996; Straub & Welke, 1998). Furthermore, this will help to integrate IA policy with multiple functional levels within the firm, will aid both communication and control, and will provide a framework for feedback. It will also link key IA and business issues such as corporate goals, legal and regulatory processes, best practices and the IT infrastructure (Cresson Wood, 1991; Higgins, 1999; Lindup, 1996; Posthumus & Von Solms, 2004). Moreover, information assurance needs to be aligned to both corporate and information strategy so that appropriate organisational assets and processes can be protected effectively without the need to invest in security procedures in unnecessary areas. Organisations should also seek to balance IA regulations with corporate objectives. Too much restriction can reduce business effectiveness and too little can leave the organisation vulnerable to data loss or malicious attacks. Finally, information assurance can only work if stakeholders are aware of the risks and comply with the stated regulations. There is an increasing level of engagement between IA professionals and other stakeholders such as external auditors, lawyers, human resource managers and government agencies. It is therefore essential that information assurance is seen as a holistic discipline with senior management support and is championed together with the organisation’s objectives. Stakeholders are more likely to comply with the regulations if they are aware of the potential consequences to the business’s objectives – and their own roles – if the regulations are not followed effectively. Hence, information assurance must become a concern from a corporate governance and strategic alignment perspective and should rise to the highest levels of the organisation (Dutta & McCrohan, 2002; Ezingeard & Birchall, 2004; NACD, 2001; Von Solms, 2001a).

2.2. The Importance of Alignment

The alignment of separate functional strategies – such as information technology and human resources – to corporate strategy has consistently been found to be one of the concerns of top management for the past fifteen years (Brancheau, Janz, & Wetherbe, 1996; Niederman, Brancheau, & Wetherbe, 1991; Youndt, Snell, Dean, & Lepak, 1996). As a result, a great deal of research has been undertaken in this field, especially on the relationship between IS and business functions and the antecedents that influence this relationship (Brown & Magill, 1994; Kearns & Lederer, 2003; Luftman & Brier, 1999).

Segars & Grover (1998, p. 143) define alignment as the “close linkage of IS strategy and business strategy.” This process encourages both areas to work together as partners and not, as Smaczny (2001) suggests, as a leader and a follower; the IS strategy being developed after the business strategy. Rather, both strategies are developed together, at the same time.

Reich & Benbasat (2000) argue that alignment is necessary for organisations so that they can take advantage of their IT opportunities and capabilities. Kearns & Lederer (2003) also found that sharing knowledge between the two functions, in order to devise an IT strategy that reflects the business plans, can create competitive advantage.

Unfortunately, there has been little research undertaken on the alignment of information assurance to either information strategy and/or corporate strategy. There have been calls for better governance in this field (Dutta & McCrohan, 2002; Entrust, 2004; IAAC, 2003; Von Solms, 2001a) but little mention is made about the links between the three areas. However theorists do recognise that IA is a holistic process and involves complex links between technology, executive governance, human behaviour and environmental factors (Backhouse & Dhillon, 1996; Baskerville & Siponen, 2002; Ettredge & Richardson, 2003).

Many organisations develop their information security policies in conjunction with their information systems strategy (Knapp & Boulton, 2006; Tsohou, Karyda, Kokolakis, & Kiountouzis, 2006). However, the volume of security-related incidents, and their associated costs, continues to rise (Chang & Yeh, 2006), showing that crucial information assurance issues are being buried in the IS strategy and are not being communicated to the board, when necessary. Indeed, van Opstal (2007, p. 6) found that, “A preponderance of board members report that boards are under-informed about operational risk”, which, in turn, can cause catastrophic problems as organisations such as Barings Bank, TJX and Société Générale have found to their cost (see Section 2.3.1). Security is both a human resource and organisational concern, and includes other – non-IS factors – such as staff motivation, awareness and training; ethics; compliance and legal issues; integration; stakeholder analysis; and information sharing and collaborative mechanisms (Hinde, 2003). Thus, companies cannot afford to hide security and compliance issues within IT strategy. Information assurance must be seen as a separate holistic and transparent component, which is communicated in its own right to the appropriate stakeholders.

2.3. Improving IA Alignment

Aligning information assurance strategy with IS strategy and business strategy is not simply a case of developing all three strategies together. Rather, it involves gathering relevant information, developing relationships between functions and constructing appropriate processes and practices. The literature presents a variety of methods for improving the links between specialist functions such as IA and IS and the general business functions (Chan, 2002; Luftman & Brier, 1999; Sabherwal & Chan, 2001). These can be divided into four categories, which are similar to the strategy process of development, planning and implementation, control, and feedback (Cohen & Cyert, 1973; Frolick & Ariyachandra, 2006; Hansotia, 2002; Kolokotronis, Margaritis, Papadopoulou, Kanellis, & Martakos, 2002; Montealegre, 2002). These are:

• Developing goals and critical success factors – the initial stage of strategy formulation includes the determination of the future direction and performance of the organisation (Bryson, Ackermann, & Eden, 2007; Preble, 1992) as well as the functions – such as IA – required to fulfil them.

• Constructing or improving strategy alignment – the next stage of strategy formulation involves the identification of the processes, management and skills required for fulfilling the goals and critical success factors (Barney, 1991; Henderson & Venkatraman, 1993).

• Measuring and reporting practices – after the strategies have been developed and implemented, a review of performance is generally undertaken and corrective actions carried out, if necessary (Daft & Macintosh, 1984; Govindarajan, 1988).

• Evaluating and communicating strategic information to the board – appropriate feedback pertaining to strategy implementation and performance is communicated to the board (Raghupathi, 2007; Siebens, 2002).

In order to ensure alignment, strong links between business, IT and IA goals, critical success factors and strategies are essential. Furthermore, control and feedback will have an impact on strategy and, as a result, will also influence alignment. Finally, the organisation’s environment – such as its competition, markets and resources – will help to shape strategy, too.

Improving information assurance alignment is discussed in more detail below using these four categories (see Figure 1).

Insert Figure 1

2.3.1. Developing IA Goals and Critical Success Factors (CSFs)

Three predominant IA goals and CSFs are mentioned in the literature. These are:

• Anticipating threats to the organisation and its goals – a breach in information security can have a severe impact on the organisation (Logan & Logan, 2003; McHugh, 2001). For example, TJX – the owner of retail discount stores TJ Maxx and Marshalls – failed to comply with the Payment Card Industry Data Security Standard (PCI DSS), which was established by the major credit card companies and sets minimum security expectations. TJX initially failed nine of the twelve compliance requirements and over a two year period avoided responsibility for improving its security. Due to this lack of diligence, TJX’s credit card data was breached by hackers. Over 94 million credit card records were compromised and TJX had to provide a $41 million settlement fund in order to compensate the affected customers and banks (Burnes, 2008; Chickowski, 2008). This example shows that TJX did not have suitable security controls in place in order to fulfil its business objectives effectively. Likewise, Société Générale lost approximately €4.9 billion ($7.2 billion) due to unauthorised derivatives trading – the result of insufficient risk management information. PricewaterhouseCoopers reported that the bank had “a heavy reliance on manual processing and the workload of operating staff meant that certain of the existing controls in place were not operating effectively” (Sandman, 2008, p. 4). As a result, the bank failed to anticipate the potential threats to the business from its own staff (Vijayan, 2008). Moreover, Société Générale is not the only bank to suffer from the risky behaviour exhibited by employees. Barings Bank, Bear Stearns and Credit Suisse have all suffered financial losses attributed to employee misconduct, mismanagement or negligence, which were not caught in time by appropriate controls (Wailgum & Sayer, 2008). Anticipating and preventing informational threats is, therefore, vital for ensuring continuing working practices. Thus, an information assurance policy that is linked to business goals and communicated to the employees is an important weapon for preventing potential threats. Whitman (2003, p. 92) states that, “The security policy is the first and potentially the most important layer of security available to the organization.” This policy contains the organisation’s basic security philosophy, which dictates subsequent decisions, procedures and guidelines including prevention measures.

• Communicating IA procedures to the organisation – employees expect to gain strategic direction from their senior executives. They need to understand what changes to expect, the reasons behind these changes and how they will influence their own work (Edwards, 2000). As a result, senior managers need to be the champions of employee communication (Powers, 1996). In its guidelines, the Turnbull Report (Turnbull, 1999, p. 13) suggests that boards of directors may wish to consider whether the company “communicates to its employees what is expected of them and the scope of their freedom to act.” In addition, line managers must develop strong, ongoing relationships with other functional managers. For example, managers responsible for the IA, IS and business functions must communicate with one another so that IA, IS and business capabilities are integrated effectively at all levels of the organisation (Rockart, Earl, & Ross, 1996). IA procedures can also be communicated to staff through awareness and training programmes, which can cement the organisation’s basic security philosophy into its culture (Dutta & McCrohan, 2002).

• Responding to the changing environment and organisational needs – today’s rapidly transforming business environment tends to encourage greater flexibility and change within organisations. Reengineering programmes, altering management information flows, re-designing business processes and developing new innovative products and services all require substantial input from information assurance experts (Dhillon & Backhouse, 2000; Rockart et al., 1996). In addition, it is important that information assurance issues do not constrain these changes by increasing bureaucracy, rigidity and centralisation of security policies. Baskerville & Siponen (2002) therefore suggest that organisations should develop a more flexible meta-policy which provides guidelines on how security policies are created, implemented and enforced. This will enable security countermeasures to keep pace with the organisation’s business requirements.

2.3.2. Constructing or Improving IA Strategy Alignment

Many studies on alignment have been based upon the seminal work undertaken by Henderson & Venkatraman (1993), in which they present a model illustrating the link between IT and business strategy. This was constructed using two concepts, namely strategic fit and functional integration. The former concept acknowledges the need to address both the internal and external business domains in order to develop alignment. The external domain includes the organisation’s market place and is concerned with aspects such as the company's products, marketing and customer information as well as other external factors such as competitors. The internal domain, on the other hand, is concerned with factors such as the company's structure, culture and processes.

Henderson and Venkatraman suggest that the fit between the internal and external domains is critical for maximising organisational and economic performance. They argue that failure to derive success from IT is frequently due to this lack of alignment. For instance, IT strategies are often unsuccessful because of the poor supporting infrastructure and/or poorly skilled human resources. Thus, strategic fit is a key driver for success.

This paper is based on the premise that information assurance should also be part of the strategic fit (see Figure 1). Like Henderson and Venkatraman, we suggest that the position of the company in the IA’s external domain will involve choices in three areas:

• The extent of the organisation’s willingness to ensure prevention of threats and the security of data – in other words, what are the specific technologies, processes and systems required by a company in order to defend against potential threats so that its business objectives can be fulfilled?

• Systemic competencies – what attributes of IA strategy could positively contribute to the development of a new business strategy or could more effectively support the current strategy? This could include factors such as flexibility, reliability and speed.

• IA governance – what actions can be used in order to acquire the above systemic competencies? This could include alliances with vendors, joint research projects and education initiatives.

In addition, the internal IA domain must address three components:

• Security infrastructure – what technology and software should be included in the security infrastructure? How should this be configured?

• Processes – how should the IA processes and systems be developed, monitored and controlled?

• Skills – how should awareness, knowledge and the capabilities of employees and other stakeholders be developed?

The alignment literature also calls for a link between the business and IT domains. Henderson and Venkatraman label this functional integration. This link specifically deals with the impact that one function has on the other and includes the relationships of both the internal (operational integration) and external (strategic integration) domains. We suggest that information assurance should also be included in the integration between the domains.

The literature suggests a number of methods for developing or improving IA strategy alignment. These are:

• Developing a relationship between IA, IT and business functions – according to Henderson & Venkatraman (1993) and Ho (1996), the IT function should be capable of both influencing and supporting the business strategy. This is particularly the case for organisations which use their information systems for competitive advantage. However, organisations often focus too readily on technology rather than on business, management and organisational issues (Luftman, Lewis, & Oldach, 1993). Likewise, the information assurance function needs to be able to shape and reinforce IT and corporate strategy as well as maintain a balance between security issues and organisational goals (Von Solms, 2001a). The relationships between these functions can be strengthened by encouraging more extensive participation in firm-wide strategic planning (Broadbent & Weill, 1993), improving resource utilisation (Edwards, 2000) and enhancing communication and understanding between the three functions (Chan, 2002).

• Linking the formation of IA, IT and business strategies – rapid strategic change and the highly competitive nature of today’s business environment require organisations to gather, interpret and synthesise information effectively and securely in order to remain flexible and to enable them to amend corporate initiatives when necessary (Bergeron, Raymond, & Rivard, 2004). As a result, IA, IT and business strategies need to be strongly linked. Chan (2002) and Luftman and Brier (1999) suggest that this link is critical to developing successful alignment. Theorists have found that the link between these three strategies can be facilitated by (a) specifying who has authority and responsibility for risk, conflict resolution and the allocation of resources, (b) having longer experience of undertaking organisation-wide strategic planning processes, (c) focusing on critical and long-term issues, (d) ensuring that strategic plans are well documented, clear and consistent, (e) ensuring that the plans enhance overall organisational effectiveness and (f) having those responsible for IT and IA report at board level (Broadbent & Weill, 1993; Chan, 2002; Luftman, 2003; Sledgianowski & Luftman, 2005; Tallon, Kraemer, & Gurbaxani, 2000).

2.3.3. Measuring and Reporting Practices

The literature suggests that measuring and reporting information assurance procedures and practices can help to instil a greater commitment to IA from all employees. These include:

Controlling and measuring the effectiveness of IA, IS and business strategies – one of the greatest challenges of information assurance is to be able to communicate its value to the rest of the organisation. In order to achieve this, managers must be able to assess its worth. All too often, however, both IA and IS metrics are difficult for the business to understand. Luftman (2003) therefore suggests a service level agreement which assesses the IA and IS functions’ level of commitment to the organisation. The agreement should consist of business related metrics such as information quality, user satisfaction and business responsiveness and should be presented in language that is easy for non-technical people to understand (Peak & Guynes, 2003; Sledgianowski & Luftman, 2005). The strength of alignment between the IA, IS and business functions can also be measured. This could include evaluating communication, learning and knowledge sharing, governance, partnerships, processes and skills (Chan, Huff, Barclay, & Copeland, 1997; Luftman, 2000).

2.3.4. Evaluating and Communicating Strategic Information to the Board

According to Von Solms (2001a), the board of directors should be provided with appropriate strategic information on IA. This will help to engage senior managers in the alignment process. This category, therefore, included the following:

Keeping senior management informed – Often, organisations invest considerable sums of money in developing performance measures but fail to take any action based on these measures (Luftman, 2003). This could have disastrous consequences for organisations if security is breached and there is a failure to act. Chan (2002) suggests that constructing formal reporting relationships and developing evaluation committees are vital. This will enable more effective monitoring and control by senior managers. In addition, the evaluation committees need to define the risk factors – often involving multiple dimensions and meanings – and their impact within the context of information security (Baker, Rees, & Tippett, 2007; Bodin, Gordon, & Loeb, 2008). Accurate measurement, communication and control of potential information security threats and countermeasures can not only save an organisation from disaster but they may also “assist organizations in converting today’s security threats into tomorrow’s business opportunities” (Da Veiga & Eloff, 2007, p. 369).

This research will attempt to determine which factors help to strengthen the alignment between IA and corporate strategy. Due to the scarcity of research in this area, we developed quite a broad research question:

What methods and processes included in the above four areas can be utilised effectively by organisations in order to align IA and corporate strategy?

3. Methodology and Research Design

The data collection for this research was divided into two stages. The first stage consisted of gathering information through interviews and the second stage involved undertaking the Delphi approach. Anderson, Rungtusanatham & Schroeder (1994, p. 478) describe the Delphi approach as a technique “intended for systematically soliciting, organizing and structuring judgments and opinions on a particularly complex subject matter from a panel of experts until a consensus on the topic is reached or until it becomes evident that further convergence is not possible.” The Delphi technique is typically employed in circumstances where judgemental information is essential (Okoli & Pawlowski, 2004). In addition, the approach ensures that the data collection process is both reliable and valid because it exposes the investigation to differing, and often divergent, opinions and seeks convergence through structured feedback (Schmidt, Lyytinen, Keil, & Cule, 2001).

The objectives of this Delphi study focus on two points: (a) identifying the factors that can influence information assurance alignment and (b) establishing a consensus on the desirability and the feasibility of implementing each factor.

In order to gather an initial list of statements for our Delphi, we interviewed a number of executives. Forty-three in-depth interviews were undertaken. The interviewees were senior managers; most were appointed to the board of their respective companies. These organisations ranged from SMEs to large multi-national corporations, the majority of which are listed on the stock market. The list of interviewees was drawn up from personal and organisational contacts and aimed to provide a good cross section of companies. The sampling strategy we used is that described by Strauss & Corbin (1990) as ‘open sampling’, where participants are selected to maximize the opportunities for augmenting the pool of relevant data (see Appendix 1(i) for further demographic information). Interviews lasted between 60 and 90 minutes. They were open-ended and discovery oriented (Flint, Woodruff, & Gardial, 2002). Moreover, we tried to maintain a continuous ‘conversation’ rather than follow a rigid list of questions or themes (see Appendix 2 for some examples of the questions that we asked). Senior executives were engaged with this form of interviewing and we felt they were happy to enter into fairly detailed discussions, perhaps more than they would have been with an interaction based on questions and answers.

Few guidelines exist on the optimum size of interview data pools. The idea of theoretical saturation is normally recommended (Locke, 2001) as a guide to sample size, and we feel this saturation was reached in our study.

The interviews were transcribed verbatim and transferred into Atlas-ti (a qualitative analysis software programme) where they were coded using the processes advocated by Strauss & Corbin (1998), namely open, axial and selective coding.

Open coding is “the analytic process through which concepts are identified and their properties and dimensions are discovered in data” (Strauss & Corbin, 1998, p. 101). In general, the data is examined and coded line-by-line, by sentence or paragraph or by a holistic analysis of an entire document (Sarker, Lau, & Sahay, 2001). Although the open coding process is procedurally guided, it is fundamentally interpretive in nature and must include the perspectives and voices of the people that are studied (Strauss & Corbin, 1998). Open coding allows the researcher to name similar events, occurrences and objects so that they can be categorised under common headings.

Next, axial coding was undertaken, which involved the process of sorting all the relevant open codes on alignment into varying categories. Whereas open coding breaks up the data so that it can be analysed, axial coding reassembles the fractured data in order to discover relationships between the different categories and sub-categories. In this case, the codes in each category were associated with one particular topic on alignment. For instance, one family group was entitled Options for Evaluating & Communicating Strategic Information to the Board.

Selective coding involves the identification of the core category – or the central phenomenon – and the linking of this core category to other major categories. This integration often occurs as a process model, which illustrates how the axial codes are related. In order to choose our principal category, we needed to ensure that all our other major categories could be linked to this central idea. The central idea chosen for this research was “methods for improving IA–corporate alignment”.

Finally, a number of statements were formed from the interview data for each of the axial categories. These statements each suggested one potential method for improving alignment. One statement from the above category, for example, was “Including IA metrics in general IT reports”. These statements were then combined and used for the second stage of the research – the Delphi study.

The first step in the Delphi procedure is to choose an expert panel (Brancheau et al., 1996; Larreche & Montgomery, 1977; Malhotra, Steele, & Grover, 1994). This is a particularly important step because it is the panel that lends content validity to the task (Anderson et al., 1994). Preble’s (1984) research has found that there is little difference between a panel of members chosen from a single organisation and a panel of experts chosen from multiple organisations. The latter, however, provides a greater range of views and helps improve the generalisability of the results (Nambisan, Agarwal, & Tanniru, 1999; Okoli & Pawlowski, 2004).

We selected the second method and chose two different types of panellists. The first type included senior managers who are prominent members of the information security community (Mitchell & McGoldrick, 1994). Each had at least five years of practical experience within the IA field and is renowned for their competence in this area. The second type of panellists are academics who have expertise in information assurance (Guimaraes, Borges-Andrade, Machado, & Vargas, 2001; Okoli & Pawlowski, 2004). This provided a wider knowledge base and a greater range of experience. There were 36 members in the panel (see Appendix 1(ii) for more information on the participants).

The Delphi approach started with two preliminary rounds (Schmidt et al., 2001). The initial stage involved generating the concepts that would be evaluated in later rounds. In some research studies these have been supplied for the panel as a starting point for idea generation (Anderson et al., 1994; Guimaraes et al., 2001; Nambisan et al., 1999; Saunders & Jones, 1992) whilst in others the panel commences with a completely blank sheet of paper (Okoli & Pawlowski, 2004; Schmidt et al., 2001; Schmidt, 1997). We preferred to follow the example of the former studies, using the results from our interviews to provide a list of factors that influence information assurance alignment. The panel members were free to amend or comment upon these ideas as well as generate their own concepts. The comments produced by the panel in each round were always fed back to the participants in the next round (Schmidt, 1997). This provided them with qualitative information on the thoughts, ideas and questions raised by other panel members. In addition, many panellists developed a rationale for why certain statements were important – or less important – to them and this was presented anonymously to the rest of the panel in subsequent rounds. This helped the group to better understand the concepts and encouraged a form of nominal group debate (Malhotra et al., 1994).

Once the ideas had been collected and consolidated, the terminology was clarified and exact duplicates were removed. The resulting list was then sent back to the panel members for the second preliminary round. The objective here was to reduce the number of concepts into a manageable list. We achieved this by asking the panel to rate the concepts in terms of desirability and feasibility on a scale of one to six. The aggregate mean for each concept was calculated for the desirability score and those with a very low mean – that is, those that were deemed to be undesirable – were either refined for clarity or removed. The resulting list – which consisted of 29 statements – was then sent back to the panel. The members were again asked to rate the concepts in terms of desirability and feasibility. This was the first of the consensus rounds. After each round the panel was assessed for consensus using the standard deviation. A standard deviation of less than one implied a high consensus for that statement and it was, therefore, removed from the list and set aside for later consideration during the theory building process. If the consensus was low, however, the statement was left on the list. The amended list was subsequently sent back to the panel with the aggregated means for each statement and a record of the comments made by the members so that they were aware of the reasons for particular scores. This continued for three rounds until consensus was achieved. The resulting list of statements was then used to develop our theory (a more detailed summary of the analysis process is shown in Appendix 3). This was achieved in the following way:

• The final statements were categorised into the four key groups.

• The statements for each group were plotted on a graph which showed the relationship between desirability and feasibility.

• Each graph was divided into four quadrants denoting the levels of desirability and feasibility. This was achieved by plotting the mean for desirability and feasibility in each category.

• Finally, we developed a number of models showing the relationships between the concepts (Anderson et al., 1994; Strauss & Corbin, 1998).
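As an added illustration (not the authors’ own code or analysis tooling), the following Python reproduces the consensus filter and quadrant placement described above on constructed panel ratings using the paper’s one-to-six scale. It assumes a sample standard deviation, that consensus requires a standard deviation below one on both the desirability and feasibility scales, and a desirability cut-off of 2.5 for the preliminary filter; the paper specifies none of these.

```python
"""Delphi consensus filter and quadrant placement (Section 3), as an added example.

Not the authors' code. PANEL is constructed data: the statement letters follow
the paper's labelling in Section 4.1, but every rating below is invented.
Assumptions: consensus is tested with the sample standard deviation and must
hold on both the desirability and feasibility scales; the preliminary-round
cut-off for a "very low" desirability mean is 2.5.
"""
from statistics import mean, stdev
from typing import Dict, List, Tuple

# statement -> list of (desirability, feasibility) ratings, one pair per panellist
Ratings = Dict[str, List[Tuple[int, int]]]
Summary = Dict[str, float]

SCALE = (1, 6)            # the paper's one-to-six scale
CONSENSUS_SD = 1.0        # SD below one implies high consensus (Section 3)
MIN_DESIRABILITY = 2.5    # assumed cut-off for the "very low mean" preliminary filter

# Constructed ratings from eight hypothetical panellists for four of the
# Section 4.1 statements: A senior support, C anticipating threats,
# G 3-5 year strategy, J latest technology.
PANEL: Ratings = {
    "A": [(6, 5), (6, 5), (5, 4), (6, 5), (6, 5), (5, 4), (6, 5), (6, 4)],
    "C": [(6, 2), (5, 5), (6, 3), (5, 4), (6, 2), (6, 5), (5, 3), (6, 4)],
    "G": [(4, 5), (4, 5), (5, 5), (4, 6), (5, 5), (4, 5), (4, 6), (5, 5)],
    "J": [(3, 3), (4, 3), (3, 4), (3, 3), (4, 3), (3, 3), (4, 4), (3, 3)],
}


def validate(ratings: Ratings) -> None:
    """Reject ratings off the scale or with too few panellists to compute an SD."""
    lo, hi = SCALE
    for stmt, votes in ratings.items():
        if len(votes) < 2:
            raise ValueError(f"{stmt}: at least two panellists are needed")
        for d, f in votes:
            if not (lo <= d <= hi and lo <= f <= hi):
                raise ValueError(f"{stmt}: rating outside the {lo}-{hi} scale")


def summarise(votes: List[Tuple[int, int]]) -> Summary:
    """Aggregate mean and SD per scale; the means are what is fed back to the panel."""
    d = [v[0] for v in votes]
    f = [v[1] for v in votes]
    return {"mean_d": mean(d), "sd_d": stdev(d), "mean_f": mean(f), "sd_f": stdev(f)}


def preliminary_filter(ratings: Ratings, min_mean: float = MIN_DESIRABILITY) -> Ratings:
    """Second preliminary round: drop statements the panel rates as undesirable."""
    validate(ratings)
    return {s: v for s, v in ratings.items() if mean(x[0] for x in v) >= min_mean}


def consensus_round(ratings: Ratings, threshold: float = CONSENSUS_SD):
    """One consensus round.

    Statements whose SD is below the threshold on both scales are settled and
    set aside for theory building; the rest return to the panel with their
    means so that the next round can move towards convergence.
    """
    validate(ratings)
    settled: Dict[str, Summary] = {}
    remaining: Dict[str, Summary] = {}
    for stmt, votes in ratings.items():
        s = summarise(votes)
        agreed = s["sd_d"] < threshold and s["sd_f"] < threshold
        (settled if agreed else remaining)[stmt] = s
    return settled, remaining


def quadrants(summary: Dict[str, Summary]) -> Dict[str, str]:
    """Place each statement in a quadrant; the axes are the category means,
    as the paper describes for its desirability/feasibility graphs."""
    cat_d = mean(s["mean_d"] for s in summary.values())
    cat_f = mean(s["mean_f"] for s in summary.values())

    def label(high: bool) -> str:
        return "high" if high else "low"

    return {
        stmt: f"{label(s['mean_d'] >= cat_d)} desirability / "
              f"{label(s['mean_f'] >= cat_f)} feasibility"
        for stmt, s in summary.items()
    }


def run_example(ratings: Ratings = PANEL):
    """Preliminary filter, first consensus round, then quadrant placement."""
    settled, remaining = consensus_round(preliminary_filter(ratings))
    return settled, remaining, quadrants(settled)


if __name__ == "__main__":
    settled, remaining, quads = run_example()
    for stmt, s in settled.items():
        print(f"{stmt}: mean_d={s['mean_d']:.2f} mean_f={s['mean_f']:.2f} -> {quads[stmt]}")
    for stmt, s in remaining.items():
        print(f"{stmt}: no consensus yet (sd_d={s['sd_d']:.2f}, sd_f={s['sd_f']:.2f})")
```

With the constructed data, statement C (anticipating threats) stays on the list because the panel is split on its feasibility, while G lands in the feasible-but-less-desirable quadrant the paper reports for it.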

4. Results

As stated above, the 29 statements were classified using the four categories from the literature review. These are discussed in more detail below.

4.1. Options for Developing IA Goals and CSFs

The panel developed a consensus regarding ten desirable goals and critical success factors pertaining to information assurance alignment. As for all the options put to the panel, we asked for the CSFs to be given a feasibility rating, shown in Figure 2.

Insert Figure 2

The most desirable critical success factor was considered to be acquiring senior management support for information assurance (Statement A). According to the panel of experts:

• This aim is very desirable; it is far easier to implement this kind of – not inexpensive – change with top down support. However, as always, it is getting that support that is where the difficulty lies.

• I think it’s been proven [that] this is both possible and [that it] yields far better results – security needs to be instilled into the culture which requires efforts from the top down. If senior management won't take IA seriously, they can't expect their employees to do so.

• This is one of the main CSFs for a successful implementation of an IA plan.

Anticipating IA threats (C) was also seen as highly desirable. As one expert commented:

Many people try to measure incidents as a way to get insight into their situation. However, incidents are normally very few and far between... There is much more insight to be gained from measuring the threats and anticipating threat trends.

Although the panel did suggest that anticipating IA threats was feasible, the experts did, however, give it the lowest feasibility rating. The reasons they gave can be summarised as follows:

It is not always possible to anticipate the unexpected and it becomes too onerous to keep up to date – the overhead in gathering data to allow anticipation can be high.

Statements A, B and F are all seen as highly desirable and highly feasible. Consequently, “gaining senior executive support for information assurance” (A), “instilling IA values and awareness amongst employees” (B) and “developing IA policy beyond legislation and regulation” (F) are seen to be essential and practical for organisations.

Statement G – “developing a 3-5 year IA strategy” – was found to be slightly less attractive. Thus, although creating a medium term strategy is feasible it is less desirable than other possible approaches. Organisations may, therefore, want to experiment with this concept in order to construct an approach that is much more desirable. In fact, one expert suggested that the development of tactics rather than strategy was more advantageous.

“Developing a security architecture that can rapidly respond to changes in the business environment” (Statement D) and “clarifying individual IA roles and responsibilities for all employees in the organisation” (E) were both seen as desirable but their feasibility scores were lower. Many of the panel members believed that the implementation of these two approaches could be difficult. In particular, they perceived that creating solid and flexible security architecture could be problematical due to expense and constantly changing threats. In addition, the clarification of roles and responsibilities can also prove to be problematical. As one of our experts stated,

There are staff who simply make mistakes through lack of knowledge and awareness, and staff who knowingly ignore controls or transgress codes of acceptable behaviour through holding unacceptable attitudes or behavioural principles.

The last three approaches, “working together with members of the same industry to develop solutions for IA issues” (H), “responding to changing organisational needs by providing flexible IA procedures and regulations” (I) and “using the latest security technology, when appropriate” (J) had much lower desirability and feasibility scores.

Working with other organisations to resolve IA issues was seen to be desirable. In fact, one panel member suggested,

Information sharing is a crucial and critical part of each enterprise's IA practice. Others will disagree but this is definitely feasible if only enterprises, public and private sector, stop behaving like mini silos.

It was this lack of co-operation which was of greatest concern to the panel members. Indeed, many respondents were highly enthusiastic about sharing information with other organisations but, as one member stated, “there may be many issues of commercial conflicts that affect this…[but] it is also a benefit to get ideas from others outside one’s own industry to see how they have addressed these issues. One can learn a lot from other industry sectors.”

Responding to changing organisational needs (Statement I) was also believed to be problematical. This was primarily due to time and cost issues as well as the need to be both consistent and compliant.

However, one expert suggested that if inflexible security policies impeded the organisation’s development, it would project a negative image of IA. In addition, another panel member stated,

The linkage between security and business requirements is essential and the ability to deliver procedures and regulations which match a changing business environment is a powerful way to provide benefit rather than be seen as an obstructive overhead. It is not easy to do as frequently it may impose budget or time constraints on projects and business initiatives.

In order to reconcile the need to be flexible with the difficulties in changing IA procedures, the panel recommended that IA should operate, where possible, at the level of general principles rather than detailed procedures.

Finally, using the latest security technology (Statement J) was also believed to be less feasible than many of the other options. Indeed, the experts offered some strong opinions on this issue:

• The latest technology is expensive and not always the most robust.

• Technology is only a minor feature of a sound IA regime. Simple procedures or education may be more cost-effective.

• It can create a false sense of security and possibly raise the level of risk.

• Integrating new technology can be difficult especially for organisations growing by acquisitions.

4.2. Options for Improving IA Strategy Alignment

The nine factors found in this category were ranked in order of desirability by the expert panel (see Figure 2) and plotted on a graph using the desirability and feasibility mean scores. The results show that effective IA strategy alignment is dependent on the following:

• Raising IA decisions up the organisation chart, by either ensuring that the Board is involved in such decisions or making certain that IA practitioners are involved in strategic decision making. As one panel member commented, “The risk is carried by the business function. The purpose of the IA programme is to quantify and articulate that risk to the business function who will then judge how to manage it.”

• Better communication between the functions involved with IA and the rest of the business, and communication of IA goals widely in the organisation. As pointed out by one of our experts, “Good IA is the art of communication”. This includes a mutual understanding of the goals and requirements for each function, the lack of which is frequently seen as a barrier to alignment. In fact, two panel members argued that “[communication] has to be in language the functions understand, can relate to and place importance on.” Thus, “We still need to develop suitable terminology where both the IA and the business functions can have a shared understanding.”

• The need for clear mechanisms to ensure that the business impact of IA decisions is checked, at either project level or policy level.

Whatever their desirability, not all options were deemed as feasible as others by the experts involved in our panel. Accordingly, there are five options that can be used to align IA strategy and business strategy that are not only very desirable but also very feasible. Three of these options are concerned with raising the profile of information assurance in the organisation. These are:

• Involving the IA function in corporate strategy development (Statement O)

• Improving communication between IA and business functions (K)

• Improving the knowledge of both IA and Corporate goals and requirements for all relevant personnel (N).

If the involvement of IA managers in strategic decisions is not possible, then better communication is the key to ensuring alignment. The objective of such communications, according to our expert panellists, is to ensure that ‘the business’ knows the reasons behind IA decisions.

Examples of how this can be achieved vary, but in our research we have come across an interesting example of an organisation running some form of security intranet:

We have a corporate security website which is frequently referred to in corporate communications which is to do with the softer issues around security and the development of an appropriate culture.

The other two desirable options that were found are concerned with ensuring that there is an element of cross checking between business projects and their IA impact and vice-versa. These are:

• Aligning IA measures with business objectives (L).

• Prioritising IT/IA projects in line with organisational goals (M).

These two statements generated much debate amongst our panellists. In the words of one expert, “If this is not done the IT/IA is out of control and the boss should be fired.” However, many other panellists suggested that, sadly, only a few organisations ensured that the ideas contained in the above two statements were adhered to. One panellist offered a possible reason, suggesting that there were ‘many people’ involved in ensuring alignment at project level and that this made it a complex exercise. Interestingly, in one of our earlier interviews we had come across a strategy for achieving this at a multi-national bank with headquarters in central Europe. The bank runs a forum where different parts of the business can exchange ideas with IA staff. This has been very beneficial for the participants because the forum facilitates communication. At the same time, control is used to guarantee alignment within the bank by ensuring that the IA function scrutinises all IT projects at a detailed level. The bank leaves no room for basic technical flaws that could have a negative security impact.

“Developing collaboration between IA and the organisation’s other functions” (P) was perceived as desirable by our panel members but it was also seen as potentially hazardous to implement. The importance of this collaboration was emphasised by our respondents. As one member stated, “The business drives the requirements and IA requirements needs to be incorporated at source, otherwise there will be conflict between business and IA objectives.” However, the ease with which this collaboration takes place depends on a number of factors including the way in which security is organised within the company, the culture of the organisation and the level of understanding between IA officials and the rest of the staff. According to one panel member, collaboration “has to be in language the functions understand, can relate to and place importance on.”

There were three options that were seen to be less desirable and feasible in this category. These are “discussing at board level key strategic dilemmas e.g. sharing information vs. tight security pertaining to IA” (Statement Q), “ensuring IA practitioners discuss how IA processes can support or restrict corporate strategy when undertaking IA changes” (R) and “dedicating resources to making the IA practices responsive to changes in the environment” (S). Statement Q, discussing key strategic dilemmas, was seen as important, but the majority of our panel members thought this should not be undertaken at board level. According to one respondent, “Board agendas can make it difficult to achieve the correct level of interest but audit committee, risk committee etc may provide opportunities to raise [these issues] with executive management and [provide] a vehicle for placing [them] before the board.” The opportunity to place relevant issues before the board was seen as important. As one panel member said, “The accountability is at board level so this is where it should be resolved.” However, it was felt that the detailed discussions on these dilemmas should be undertaken at the audit or risk committee level.

The lower desirability and feasibility scores for “ensuring IA practitioners discuss how IA processes can support or restrict corporate strategy when undertaking IA changes” (Statement R) indicate that there was a lack of confidence in communicating possible problems. According to one respondent, “That would take a good understanding of the impacts [of IA on corporate strategy] which most of us don't have. It could also be seen as a red flag by managers.” However, many in our panel stressed that IA should not just be seen in terms of risk but also as a business enabler.

Finally, Statement S, “dedicating resources to making the IA practices responsive to changes in the environment” also had a lower desirability and feasibility score. The idea of flexibility was generally seen as advantageous but there was some concern about the impression that this may give to employees, namely that IA was a collection of moveable goalposts when in reality there is a large number of immutable rules. Moreover, calculating the cost and the amount of resources required to provide this flexibility was seen as highly problematical.

4.3. Options for Measuring and Reporting Practices

This category contains six statements. “Identifying different (internal and external) stakeholders’ requirements” (Statement T) was deemed to be very desirable by the panel of experts. This is because:

• Every organisation has to interact with others and share information. Interoperability requires a reconciliation of different policy stances.

• Those selling via the Internet need to ensure customers’ personal & credit card details are secure as well as protecting their “own” information.

• It is a BS7799/ISO 17799 requirement.

• It helps to encourage a security-focused culture for all organisations involved in the value chain.

• The information is useful to feed into strategies, awareness initiatives, etc.

“Benchmarking IA against external organisations (best practices/standards)” (X) was also perceived as a desirable method of measuring and reporting information assurance issues. However, although it was seen as an attractive option, the panel of experts were less enthusiastic about its feasibility. Two of the major disadvantages of benchmarking with external companies are the lack of willingness to share information between organisations and the fact that other firms may be located in different business environments and therefore they are difficult to compare. Thus, “Identifying different (internal and external) stakeholders’ requirements” (T) was perceived to be a more feasible approach for measuring and reporting IA practices.

However, the experts suggested a number of potential problems with ascertaining stakeholder requirements:

• We may not know who the stakeholders are or, if we do, they may not be able to communicate their requirements in any meaningful way.

• Often the stakeholders are not sure of their requirements.

The experts, therefore, suggested that a stakeholder analysis should be undertaken by management followed by the development of a framework mapping out the stakeholders and their information assurance requirements. Once this map had been completed it should be evaluated and updated regularly.

Moreover, the panel strongly felt that using metrics to measure information assurance (V) was desirable. In particular, the respondents considered that IA should be measured using both quantitative and qualitative methods (U). As one respondent stated, traditional quantitative metrics do not provide a thorough evaluation of IA processes:

I feel that both quantitative and qualitative measures can more accurately show the contribution of information security.

Another metric that was deemed desirable was the focus on speed of responsiveness (Y). In fact, one respondent suggested that the only metric that mattered in determining the effectiveness of internal control was time – how long it took to discover an incident and to recover. However, evaluating incidents is not always easy. As one panel member stated, “It is difficult to estimate how many unsuccessful attempts to access a system have been made but it is possible to determine those that succeed – sometimes. Metrics can cause a lot of problems if used incorrectly.”

Assessing employees’ IA practices (W) provided a lot of comments from the panel of experts. They suggested that this was an important issue and should be part of the annual appraisal process. However, it was suggested that this assessment should only occur after the employee has been on an appropriate awareness and training programme.

This assessment of employees was deemed to be desirable for the following reasons:

• Assessment is one method of identifying and reporting on the state of security awareness in the company.

• Regular audits are essential to ensure that the documented processes and procedures are being followed and to ascertain the reasons they are not being followed, if this is the case.

• IA is about culture and the cultural values can only be reinforced by reference to current behaviour.

• Regular assessment can exert pressure on employees to comply with information assurance standards.

The respondents were also asked to look at the feasibility of each statement. Although some options were seen as desirable to the panel of experts, they can be difficult to implement effectively. For example, two panel members pointed out that measuring and evaluating the employees’ IA practices (W) can be expensive. In addition, these practices need to be defined and communicated to the employees and the employees, themselves, are required to recognise and accept the need for IA controls.

From Figure 2, it can be seen that statements T (Identifying different (internal and external) stakeholders’ requirements in terms of IA) and W (Evaluating employees’ IA practices) are shown to be both highly desirable and highly feasible. Organisations can, therefore, implement these processes with relative ease. Consequently, these actions may be two of the organisation’s initial IA processes to be implemented. However, statements U (Determining information assurance success by qualitative as well as quantitative measures) and V (Using metrics to measure information assurance) are seen to be desirable by the experts but their feasibility scores are lower. Statement U is, in fact, seen as a very desirable option, but finding the most appropriate and accurate qualitative and quantitative measures could be challenging for managers.

4.4. Options for Evaluating and Communicating Strategic Information to the Board

This category consists of four factors which are listed in terms of desirability and plotted against feasibility in Figure 2.

“Providing non-technical reports to the board” (Statement Z) was seen as the most desirable reporting practice.

The panel of experts suggested that the report could consist of the following:

• Clear cost/benefit statements

• An evaluation of the organisation’s risk environment

• The organisation’s IA performance measured against industry peers

• A forecast of potential threats and their impact on current policy

• Clear recommendations on future strategy and focus

• A list of business benefits that have accrued with the help of the current IA strategy

• A statement of commitment and compliance for the organisation.

Similarly, “Reporting to the board on how IA goals are being achieved” (Statement (a)) was also seen to be highly desirable and feasible. Indeed, many in the panel thought that this was “critical in most businesses today” and is essential for good governance and control. As one panel member suggested, effective communication is a key part of information assurance.

Two further evaluating and reporting practices were also mentioned by the panel, “Frequent auditing of IA policies” (Statement (b)) and “Including IA metrics in general IT reports” (Statement (c)). According to one panel expert, the former “will clearly have a role in helping to ensure compliance, but the frequency must be such that it does not become overly burdensome for all concerned.” There was general agreement amongst the panel that IA policy auditing should occur no more frequently than once a year, although organisations which are not so dependent on technology should audit “every two to three years given legislation and changing market expectations.”

Including IA metrics in general IT reports (c) was seen as “a good awareness tool” by the panel. However, many of the experts suggested that developing the IA metrics in the first instance could be problematical. Indeed, one panel member went so far as to suggest that, “Metrics are not fully developed enough for this to be effective” although others indicated that developing effective measures was possible as long as they are acceptable to all the appropriate stakeholders. Furthermore, our experts felt that the IT/IS function was not the only area that should include these metrics. As one Delphi participant stated, this “implies that IA is just part of IT. This is a very bad concept as it increases the extant communications gap with all non-IT people. The metrics should be in all the line managers’ reports starting with finance and sales/marketing.” Nonetheless, one expert suggested that auditing is only useful if supported by enforcement methods and if it actively helps to resolve breaches – in other words, the audit should also ask ‘why’ questions. In general, a large number of the panel agreed that auditing should not be used to develop a “blame culture”.

5. Discussion: Strengthening IA and Corporate Alignment

In total, the expert panel agreed on twenty-nine factors that influenced IA and corporate alignment. However, although most of these actions were recognised as desirable, the panel thought that a number of them were not easily implemented. Consequently, we plotted desirability against feasibility on a scatter graph for each of the four categories. We then calculated the midpoint for each scale in order to produce a 2x2 matrix (see Figure 2).

5.1. Premier Choices

The top right hand box in this matrix was seen by the panel as both highly desirable and highly feasible. We, therefore, named this segment “Premier Choices”. Twelve of the factors were positioned in this sector.

According to Bergeron, Raymond & Rivard (2001), Miller (1981) and Venkatraman (1989), strategic alignment can be viewed as a series of frequently recurring clusters of attributes – or gestalts – which are predictive in nature. This perspective of alignment seeks “to look simultaneously at a large number of variables that collectively define a meaningful and coherent slice of organizational reality” (Miller, 1981, p. 8). Thus, the twelve factors were placed into six predictive clusters for enhancing alignment, namely Intra-Organisational Communication, Training & Awareness, Evaluating Practices, IA – IS – Business Unity, Identifying Requirements and Senior Management Involvement & Support (see Figure 3).

Insert Figure 3

5.1.1. Intra-Organisational Communication

The research found three premier choices for developing alignment through intra-organisational communication. These are:

• Improving communication between IA and business functions

• Providing non-technical reports to the board of directors so that they can understand and approve IA policy

• Reporting to the board on how IA goals are being achieved

Improving communication between functions as well as throughout the hierarchy was therefore seen as an essential element for enhancing information assurance alignment. Similar ideas can also be found in the work of Broadbent & Weill (1993), Chan (2002) and Willcoxson & Chatham (2004). Brown & Ross (1996) suggest that enhanced co-operation and communication will improve mutual understanding, appreciation and trust between functions. However, this crucial communication is often left to a few individuals who tend to converse regularly with other departments (Huang & Hu, 2007).

Research has found that alignment can be enhanced when the senior managers of each function share and communicate domain knowledge with one another (Reich & Benbasat, 2000).

Lack of understanding and poor job security both contribute to inadequate communication between technologists and business leaders (Jeffery & Leliveld, 2004). According to Ward & Peppard (1996), the different functions within organisations must recognise that there is a problem with communication and trust before these challenges can be solved. In an effort to reduce these problems, structural overlays such as top management advisory groups, audit and IA steering committees, matrix reporting, cross-functional job rotations, physical co-location and inter-departmental events could be implemented (Brown, 1999; Brown & Ross, 1996). This would provide opportunities for developing partnerships and undertaking mutual education and training. In addition, ensuring a greater understanding of information assurance and providing feedback on how IA goals are being achieved would help to convey the value of IA to both board members and employees alike. These could encourage greater commitment from staff for maintaining and/or improving information security procedures and policies throughout the organisation. This is particularly the case for board members. As one of our experts stated, “Corporate strategists are not so interested in IA unless there is an obvious need and reason.” It is therefore important to provide board members with a greater understanding of the value and goals of information assurance. Furthermore, developing a forum where ideas – and potential disagreements – can be discussed between functions acts as an additional enabler for alignment. This can encourage mutual respect and a greater sense of teamwork.

5.1.2. Training & Awareness

The panel suggested two premier choices for enhancing alignment through training and awareness. These are:

• Instilling IA values and awareness amongst employees

• Improving the knowledge of both IA and corporate goals and requirements for all relevant personnel

Instilling IA awareness and values amongst employees was seen as a crucial factor for enhancing alignment. In fact, one expert stated that,

An essential element in providing security is that it needs to be implemented. Failure to engage employees means that it is unlikely to be implemented. The trick is to make it meaningful to employees both in business terms and in terms of their own day-to-day work.

In addition, employees need to feel personally responsible for the security of their organisation and they need to be able to learn and react quickly when the need arises (Kesh & Ratnasingam, 2007). This is especially the case during a security crisis where contingency plans need to be implemented promptly. It is therefore essential that all employees are provided with the necessary training and given adequate information on the latest security threats (D'Arcy & Hovav, 2007; Whitman, 2003).

The panellists also suggested that engagement was equally necessary for senior managers. To achieve this, it was recommended that IA personnel should emphasise the relationship between business goals and security when communicating with business managers,

The senior executives, particularly in the current climate, are sensitised to ensuring internal control is effective. IA is part of internal control and assists in addressing business risks. If senior executive are approached on a business risk basis (not a technical risk basis) then getting buy-in (or better transfer of ownership) is much easier to accomplish.

Along a similar vein, Broadbent & Weill (1993) advocate that rotating middle and senior managers between functions may serve as an effective method for improving both understanding and relationships between the different departments.

5.1.3. Evaluating Practices

According to Vroom & Von Solms (2004, p. 193), “The role of the employees is vital to the success of any company, yet unfortunately they are also the weakest link when it comes to information security.” Employees can pose a significant IA risk to organisations due to the number of security breaches undertaken by staff each year (Schultz, 2002). These include both malicious attacks and accidental breaches, which can be caused by negligence or ignorance of IA policies. Mitnick (2003) demonstrates how easy it is for employees to be deceived into giving out personal information to potential hackers.

One of the premier choices for enhancing alignment advocated by our panel – evaluating employee IA practices – would help to reduce security breaches undertaken by staff as well as helping to instil IA awareness into the business culture. This evaluation should include basic technical “good practice” such as monitoring the installation of unauthorised software (Da Veiga & Eloff, 2007) and assessing employee security awareness (Kruger & Kearney, 2006) as well as monitoring any changes in behaviour or the exacerbation of excessive personal or group conflicts (D'Arcy & Hovav, 2007; Dhillon, 2001). Moreover, it is essential that any carelessness, lack of knowledge or disregard of procedures is dealt with quickly in order to ensure compliance.

5.1.4. IA – IS – Business Unity

The panel suggested that there are three premier choices for ensuring unity between functions. These are:

• Aligning IA measures with business objectives

• Prioritising IA/IT projects in line with organisational goals

• Involving the IA function in corporate strategy development

Previous alignment research has shown that developing strong links between functions helps organisational performance (Bergeron et al., 2004). Luftman (2000), for example, found that prioritising projects was a key enabler of alignment. In this instance, prioritising IA/IT projects implies that managers are able to incorporate security policies and measures into their IT and business strategies in order to keep abreast of competitors (Luftman, Papp, & Brier, 1999).

For example, e-Bay emphasises peace of mind to its customers by providing information on safety and security protocols in its Safety Centre. This information has been built into e-Bay’s key service, namely its internet site.

The above three premier choices are designed to develop a sense of collaboration, unity and understanding between the functions (Kearns & Lederer, 2003). This should enhance communication and provide greater commitment towards fulfilling both IA and organisational goals (Brown & Magill, 1994).

5.1.5. Identifying Requirements

Identifying the IA requirements of internal and external stakeholders and developing IA policies, procedures and guidelines to help support these requirements were both seen by the panel as essential enablers of information assurance alignment.

Post & Kagan (2007) and McFadzean, Ezingeard & Birchall (2007) suggest that excessively tight information security can hinder both employees and customers alike. Systems can become inaccessible due to tight controls, which can reduce staff productivity, or access controls – such as passwords – can be too complex thereby forcing stakeholders to write them down in order to aid memory. Moreover, stakeholders can have different perceptions of risk. For example, employees’ views of potential threats may not correspond to that of information security professionals (Tsohou et al., 2006). It is for these reasons, that some theorists believe that a more holistic view of IA is required (Backhouse, Hsu, & Silva, 2006; Zuccato, 2004). Understanding the needs of stakeholders, therefore, is essential for developing this holistic view and encouraging greater alignment and compliance. This information can also be used to develop more effective IA policies.

IA policies should present the company’s overall purpose and direction of information assurance as directed by senior managers and should be in accordance with the organisation’s vision (Da Veiga & Eloff, 2007). These should include Internet and e-mail policies, access control policies, physical and environmental policies as well as policies dealing with specific threats such as social engineering (Mitnick, 2003). In addition, these policies need to be audited to ensure that they are in the best interests of the company, that they guarantee compliance and that they help to fulfil the organisation’s goals (Vroom & Von Solms, 2004).

5.1.6. Senior Management Involvement & Support

The alignment literature has acknowledged the need for senior management involvement and support in order to enhance the link between functions (Brown & Magill, 1994; Chan, 2002; Kearns & Lederer, 2003). According to Edwards (2000, p. 49), “Individuals and groups within the organization will look for direct and indirect signs [from senior managers] in order to understand what strategic changes to expect, the rationale behind the changes and the direct connections to their individual work.” In addition, Reich & Benbasat (2000) found that the social dimensions of alignment were influenced by the sharing and communication of domain knowledge by the senior managers of each function. In fact, Luftman, Papp & Brier (1999) identified senior management support as the most important enabler of alignment. Likewise, the panel of experts also found that this is an essential ingredient of effective IA alignment. Senior managers must recognise and communicate the importance and value of information assurance to the rest of the organisation. Furthermore, they need to define and convey a clear IA vision and strategy to all internal and external stakeholders as well as providing the appropriate resources for IA projects.

5.2. Challenges

The bottom right hand box of the matrix includes those factors that are desirable but are not easily implemented. In other words, there are still barriers to be overcome before these issues can be put into action. We have called this segment “Challenges”. Six factors were placed in this category (see Figure 4).

Insert Figure 4

The panellists agreed that the need for communication between the business and IA functions was important and feasible – and was, therefore, placed in Premier Choices – but that going beyond communication towards collaboration was much more challenging. The statement “Developing collaboration between IA and the organisation’s other functions” achieved high scores for desirability but lower scores for feasibility – suggesting that many barriers would have to be overcome for collaboration to be achieved. Yet, collaboration between IA and the business functions is a major key to success for an effective relationship (Chan, 2002). As pointed out by an IA expert in banking, ensuring alignment is often a matter for “joined up thinking” rather than radical change:

So what I can say to a board is…we're not talking about huge amounts of extra expenditure, we are talking about looking at things slightly differently…about coordinating things properly.

What, then, are the barriers to collaboration that caused our panellists to rank the statement lower in terms of feasibility? From our initial interviews and the comments from the panel, it was clear that conflicting objectives between different business functions were the key cause. This occurs at two levels.

Firstly, there can be significant tensions between IA objectives and business objectives. Information assurance can, at times, hinder many business ideas by emphasising caution at the expense of flexibility. The solution that seems to be favoured by many of the experts is that collaboration is made easier by an understanding that the business function will always be the owner of the risk whatever decision is taken. This may appear paradoxical but it can be explained by the fact that the business function may feel more inclined to treat the IA function as a business partner if it sees it as an advisor rather than a ‘policeman’. The latter is, of course, counter-productive.

Secondly, the objectives of different business functions can conflict. According to one senior manager in charge of IA:

It's to do with people having a very vertical view of things. People are focused on achieving their objectives and I think that prevents broader perspectives, broader thinking.

Here, the solution offered is that of a ‘horizontal’ IA view across the organisation which ensures that the consequences of decisions in one part of the organisation are acceptable in another part of the business, as well.

Anticipating IA threats, developing a security architecture that can rapidly respond to changes in the business environment and clarifying individual IA roles and responsibilities for all employees in the organisation were all seen as desirable, but due to the volatile nature of the environment – both internally and externally – they were also seen as a challenge. Developing awareness programmes and appropriate appraisal systems for staff help clarify their roles and responsibilities, but unpredictable staff behaviour will always be a threat. Moreover, anticipating threats from both inside and outside the organisation and the subsequent development of security architecture was perceived to be too onerous and expensive. However, one of our expert panel suggested that a greater understanding could be developed from evaluating the threats and anticipating threat trends; “We have much still to learn regarding how to do this well, but this is a highly desirable goal to aim for and is feasible nonetheless.”

Indeed, measuring information assurance was perceived to be demanding. As one expert suggested, “Some security aspects can be measured by metrics, but measuring security risk is difficult. This is an important nut to crack if security initiatives are to succeed and get the support of senior management.”

5.3. Incomplete Options and Not Right Yet

The top left hand box of the matrix consists of those elements that are highly feasible but are not very desirable in their present form. Thus, these factors need to be developed further in order to make them more effective. We have, therefore, called this segment “Incomplete Options”. Two factors have been placed in this category (see Figure 4). Both of these focus on time issues – the frequency of audits and the strategic planning period. Our experts suggested that it is difficult to plan long-term goals because the security environment is changing too rapidly.

New threats are occurring almost daily and technology needs to develop quickly in order to counter these threats.

Finally, the bottom left hand quadrant of the matrix – which we have called “Not Right Yet” – includes actions that have both lower desirability and feasibility scores. Eight factors were located in this segment. The majority of these factors involve greater communication and team work with stakeholders.

For example, industry-wide co-operation is seen as advantageous but unlikely to occur because of potential competitive pressures. In addition, discussing key strategic dilemmas pertaining to IA at board level and considering how IA processes can support or restrict corporate strategy are both viewed as problematical because they would require a sufficient level of understanding from the business community. At present, IA officials are not confident that the corporate functions have this understanding. However, the alignment literature stresses the importance of communication, training and awareness and team work (Broadbent & Weill, 1993; Brown, 1999; Huang & Hu, 2007), but there is a need to explore this further in order to determine the type and complexity of information to be communicated as well as how this can be improved.

The information security literature also suggests that appropriate resources should be provided in order to guarantee adequate safety measures (Dutta & McCrohan, 2002). Moreover, there is pressure from vendors to ensure that the latest technology is utilised (Stewart, 2005) and that up-to-date metrics are in place (Huang, Lee, & Kao, 2006; Kim, Lee, Han, & Lee, 2002; Kulkarni & Bush, 2006). However, these can be expensive and not necessarily advantageous.

For instance, one panel member pointed out that the latest technology is not necessarily very robust.

Although information security metrics are seen as important by both the literature and our panel members, the communication of these metrics requires further examination. First, our experts suggest that metrics should measure more than technology. Indeed, they propose that metrics should be developed for all areas of the business. This will signify that information assurance is not just a technical problem; rather it is also a human problem. Second, although metrics are essential, it is important that they do not help to create a culture of blame or secrecy.

Finally, metrics need to be analysed and subsequently communicated to the organisation’s employees and, if necessary, inadequate procedures need to be improved and/or enforced. Further research, therefore, needs to be undertaken on the behavioural aspects – culture, communication and enforcement – of developing and implementing security metrics.

In order to increase the desirability and feasibility of all the factors in the bottom left hand quadrant of the matrix, a major change in the organisation’s internal and/or external environments may need to occur. Moreover, a change in managerial philosophy may be necessary. For example, a new philosophy of collaboration and commitment may be required from all stakeholders. This may be particularly the case when it comes to other organisations,

It is pretty feasible [to work with other institutions], but there may be issues of commercial conflicts that may affect this. It is, however, a benefit to get ideas from others outside one’s own industry to see how they have addressed issues. One can learn a lot from other industry sectors.

6. Implications, Limitations and Concluding Remarks

6.1. Implications

There are a number of implications for managers that can be proposed from the above discussion. These are as follows:

• Incorporate IA into corporate governance guidelines – over the past decade, there have been many calls to ensure that information assurance should be part of the corporate governance processes (Birchall et al., 2003; Dhillon & Backhouse, 2000; Von Solms, 2001a). This is advantageous for a number of reasons. Firstly, organisations must be compliant with government regulations, especially as there is a desire to make senior executives personally liable for fraudulent, erroneous or incompetent practices (Damianides, 2005). Secondly, the board is able to gain an overview of the company, including ascertaining information on corporate goals, financial data, legislation, information strategy and security requirements. Thirdly, senior executives are able to influence subordinates to ensure that the IA processes and guidelines are carried out.

• Encourage senior executive involvement in alignment – in order to gain functional and strategic integration, Baskerville & Siponen (2002) suggest developing an information assurance meta-policy. They define an IA meta-policy as “a ‘policy about policies’ [which declares] the organisation’s plan for creating and maintaining its information security policies” (Baskerville & Siponen, 2002, p. 339). In other words, senior managers should produce a policy document stating who is responsible for the development of policies and when, and how often, this policy-making should occur. Thus, the document can state the necessity for including both IA and business executives as co-policy makers.

• Promote IA to employees, customers and other stakeholders by emphasising strategic inter-relationships – one of the most popular methods of ensuring that employees and other stakeholders are educated on security matters is the introduction of security awareness programmes. However, one of our interviewees suggested,

It may happen that employees are aware of IA issues without having the competence to actually adhere to these values in their work.

Thus, relevant training programmes should be provided in order to ensure that all employees are given appropriate instruction on security practices and are aware of the strategic importance of these issues.

• Develop effective communication, measurement and feedback – it could be argued that ‘silo’ thinking is not a problem that is unique to IA. It is a problem that is addressed in many other areas of business and in particular performance management. One of the solutions generally offered in this discipline is that of using a balanced scorecard approach for objective setting and evaluation (Kaplan & Norton, 1996). According to Ittner and Larcker (1998, p. 217), “Proponents of the balanced scorecard contend that this approach provides a powerful means for translating a firm's vision and strategy into a tool that effectively communicates strategic intent and motivates performance against established strategic goals.” In addition, the balanced scorecard is advantageous because it encourages senior managers to view both the business and its IA issues from the perspective of different stakeholders – customers, suppliers, financial managers, employees and so on. Consequently, some form of balanced scorecard could promote alignment by pushing together the IA, IT and business paradigms.

6.2. Limitations

Whilst the Delphi technique used for consensus building is based on ordinal data, the conclusions from this study are interpretive and rely on the depth of the qualitative data and the literature findings. One criticism that is often cited for qualitative data collection methods such as interviews is that the size of the sample is too small to enable the generalisation of results. We recognise this weakness and emphasise that this study was not intended to collect the entire range of perspectives on IA alignment. Rather, the data reflect the views expressed by the interviewees and panel members (Brancheau et al., 1996). Further research is required to permit the generalisation of findings.

Strauss & Corbin’s (1998) coding methodology was used to analyse the interview data in order to develop the initial list of statements for the Delphi. We undertook a number of different strategies to ensure accuracy and rigour during this analysis phase. Firstly, we constructed memos – analytical notes – which allowed us to capture ideas, comparisons, connections and categories from the data during analysis (Charmaz, 2006; Clarke, 2005; Strauss & Corbin, 1998). In addition, they provided a paper-trail of our analysis. Secondly, we used member checking to ensure accuracy (Creswell, 2003). This was useful for two reasons: it allowed us to confirm the precision of the interviews and the coding, and it allowed us to gather additional information from the subjects, when necessary (Charmaz, 2006).

The Delphi approach that we used for this research was advantageous because it reduced the possibility of “groupthink” or the inappropriate influence of choices by those participants with greater status or perceived ability (Parente, Anderson, Myers, & O'Brien, 1984; Sniezek, 1990). However, we also recognise that the technique has a number of potential weaknesses. Eschenbach and Geistauts (1985), for example, suggest that it may be difficult to ascertain what constitutes expertise when choosing an appropriate panel. This relates to a second possible weakness; that is, whether the feedback and consensus derived from the panel offers any value. In order to pre-empt these arguments, we chose both senior IA practitioners and distinguished IA academics for our panel. This ensured that the Delphi group included both practical and theoretical expertise enabling the participants to provide the necessary high quality feedback.

The polling process can also be seen as problematical. Researchers must recognise that too many polling rounds are a waste of resources and a tax on the panel members’ time. However, too few rounds could make the results meaningless. In addition, researchers must make sure that they do not overload their experts with too much information. Thus, they need to balance the number of items carried through to subsequent rounds; too many items could confuse the participants and cloud their judgement whilst too few would provide little useful information (Schmidt, 1997). In order to manage these potential weaknesses, we removed statements which showed high agreement levels thereby only using statements that had a low consensus rating for subsequent rounds. This reduced the information given to the panel members. After three rounds, we decided to use all the statements that we had collected that had high consensus scores.
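As an added, illustrative example (written for this page, not the authors’ own analysis code), the two analysis steps described in this paper can be put into a few lines of Python: the round-by-round filter that removes statements already showing high consensus so that only low-consensus statements are re-polled (this section), and the desirability/feasibility matrix split at the midpoint of each scale (Section 5). The paper does not state its rating scale or its consensus measure, so a 1–5 ordinal scale, the panel median as a statement’s score, and the interquartile range with IQR ≤ 1 as the consensus test are assumptions; the panellist ratings in the block are constructed sample data, not the study’s results.

```python
"""Added illustration of the analysis steps described in the paper: a Delphi
round filter that drops high-consensus statements, and the 2x2
desirability/feasibility matrix built from scale midpoints.

Written for this page, not the authors' own analysis code. Assumptions not
stated in the paper: a 1-5 ordinal rating scale, consensus measured as the
interquartile range (IQR) of panel ratings with IQR <= 1 meaning consensus,
and the panel median as a statement's score. All ratings below are
constructed sample data, not the study's results.
"""
from statistics import median, quantiles

SCALE_MIN, SCALE_MAX = 1, 5
MIDPOINT = (SCALE_MIN + SCALE_MAX) / 2   # 3.0: the scale midpoint (not the data mean)
IQR_CONSENSUS = 1.0                      # assumed threshold: IQR <= 1 counts as consensus

# Constructed ratings from six hypothetical panellists: (desirability, feasibility).
PANEL = {
    "S1 identify stakeholder IA requirements":   ([5, 5, 4, 5, 4, 5], [4, 4, 5, 4, 4, 4]),
    "S2 qualitative + quantitative IA measures": ([5, 4, 5, 5, 4, 5], [2, 3, 2, 3, 2, 2]),
    "S3 frequent auditing of IA policies":       ([2, 3, 2, 2, 3, 2], [4, 5, 4, 4, 4, 5]),
    "S4 industry-wide co-operation":             ([2, 3, 2, 2, 2, 3], [2, 2, 3, 2, 1, 2]),
    "S5 IA/business collaboration":              ([5, 4, 5, 5, 5, 4], [2, 4, 3, 1, 4, 2]),
}


def iqr(ratings):
    """Interquartile range (Q3 - Q1) of one statement's ordinal ratings."""
    q1, _, q3 = quantiles(ratings, n=4, method="inclusive")
    return q3 - q1


def carry_forward(panel, threshold=IQR_CONSENSUS):
    """Delphi round filter: keep only statements still lacking consensus on
    either scale; statements the panel already agrees on are not re-polled."""
    return {name: scores for name, scores in panel.items()
            if iqr(scores[0]) > threshold or iqr(scores[1]) > threshold}


def quadrant(desirability, feasibility, midpoint=MIDPOINT):
    """Map a (desirability, feasibility) pair to the paper's four segments.
    Desirability runs left to right, feasibility bottom to top, and the split
    is at the scale midpoint; a score exactly on the midpoint counts as high."""
    high_d = desirability >= midpoint
    high_f = feasibility >= midpoint
    if high_d and high_f:
        return "Premier Choices"       # top right
    if high_d:
        return "Challenges"            # bottom right
    if high_f:
        return "Incomplete Options"    # top left
    return "Not Right Yet"             # bottom left


def classify(panel):
    """Score each statement by the panel median on both scales and place it."""
    placed = {}
    for name, (des, feas) in panel.items():
        d, f = median(des), median(feas)
        placed[name] = (d, f, quadrant(d, f))
    return placed


def segment_counts(panel):
    """Number of statements per segment, the figure the paper reports per box."""
    counts = {"Premier Choices": 0, "Challenges": 0,
              "Incomplete Options": 0, "Not Right Yet": 0}
    for _, _, segment in classify(panel).values():
        counts[segment] += 1
    return counts


if __name__ == "__main__":
    for name, (d, f, segment) in classify(PANEL).items():
        print(f"{name:45s} desirability={d:<4} feasibility={f:<4} -> {segment}")
    print("re-poll next round:", sorted(carry_forward(PANEL)))
    print(segment_counts(PANEL))
```

Running the block prints each constructed statement’s median scores and segment, the statements that would be carried into another round, and the count per segment. In the sample data only S5 is re-polled, because its feasibility ratings are spread across the scale (IQR 1.75) while the panel already agrees on the rest. Ties at the midpoint fall into the “high” side; the paper does not say how it treated them, so change the comparison in `quadrant` if a strict inequality is wanted.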

This research provides three basic streams for further conceptual and empirical work on information assurance alignment. The first is the necessity of subjecting this research to further empirical examination to ascertain whether these results are supported by more extensive organisational data. Second, the 29 Delphi statements could be examined further in order to explore the relationships between the concepts. One possibility would be to develop a set of practices which could act as a change agent in order to modify poorly aligned organisations. Third, opportunities exist for exploring each of the concepts in more depth. This is particularly the case for those in the “Challenges” category; that is, those concepts that are seen as desirable but are currently less feasible to implement. For instance, further research could be undertaken on developing the value of IA at board level, methods for measuring soft and hard security processes and systems, and effective approaches for ensuring appropriate employee security processes, communication systems and awareness programmes to ensure greater security compliance.

6.3. Concluding Remarks

This paper has argued that alignment between IA, IS and corporate strategy is an important element for organisational success. Using interviews and the Delphi Method, we have presented a number of options for enhancing this alignment. These, together with the use of a balanced scorecard – which emphasises key metrics, communication and understanding of the inter-connectedness between different aspects of IA practices and business operations – and a strategic meta-policy, can help strengthen the sometimes troublesome relationships between the IA and business functions. This, as research has shown, can significantly improve the chances of adoption and effectiveness of IA practices and performance and is one of the major issues that concern today’s managers (Bendoly & Jacobs, 2004; Bergeron et al., 2004; Sabherwal & Chan, 2001).

Finally, this research contributes to the body of IA literature from both a practical and an academic perspective. From a practical point of view, the study increases understanding of the concepts that affect information assurance alignment, including their desirability and feasibility. This understanding should help senior business, IT and IA managers improve the processes that enhance alignment. To this end, organisations need to improve communication about IA between functions and across hierarchical levels. This can be achieved by setting up mechanisms that cut across functions and hierarchical levels, such as interdepartmental events, security awareness programmes and conferences, senior management advisory groups, and audit and IA steering committees.

From a theoretical perspective, this paper has suggested three potential streams for future research in this area. These provide an opportunity to examine information assurance alignment from a softer, human relations perspective rather than the more common technical perspective.

References

Anderson, J. C., Rungtusanatham, M., & Schroeder, R. G. (1994). A Theory of Quality Management Underlying the Deming Management Method. Academy of Management Review, 19(3), 472-509.
Anhal, A., Daman, S., O'Brien, K., & Rathmell, A. (2002). Engaging the Board: Corporate Governance and Information Risk. Cambridge, UK: Information Assurance Advisory Council (IAAC).
Austin, R. D., & Darby, C. A. (2003). The Myth of Secure Computing. Harvard Business Review, 81(6), 120-126.
Backhouse, J., & Dhillon, G. (1996). Structures of Responsibility and Security of Information Systems. European Journal of Information Systems, 5, 2-9.
Backhouse, J., Hsu, C. W., & Silva, L. (2006). Circuits of Power in Creating De Jure Standards: Shaping an International Information Systems Security Standard. MIS Quarterly, 30, 413-438.
Baker, W. H., Rees, L. P., & Tippett, P. S. (2007). Necessary Measures. Communications of the ACM, 50(10), 101-106.
Barney, J. (1991). Firm Resources and Sustained Competitive Advantage. Journal of Management, 17(1), 99-120.
Baskerville, R. (1991). Risk Analysis: An Interpretive Feasibility Tool in Justifying Information Systems Security. European Journal of Information Systems, 1(2), 121-130.
Baskerville, R., & Siponen, M. (2002). An Information Security Meta-Policy for Emergent Organizations. Logistics Information Management, 15(5/6), 337-346.
Bendoly, E., & Jacobs, F. R. (2004). ERP Architectural/Operational Alignment for Order-Processing Performance. International Journal of Operations & Production Management, 24(1/2), 99-117.
Bergeron, F., Raymond, L., & Rivard, S. (2001). Fit in Strategic Information Technology Management Research: An Empirical Comparison of Perspectives. Omega, 29(2), 125-142.
Bergeron, F., Raymond, L., & Rivard, S. (2004). Ideal Patterns of Strategic Alignment and Business Performance. Information and Management, 41(8), 1003-1020.
BERR - The Department for Business Enterprise & Regulatory Reform. (2008). Information Security Breaches Survey. www.security-survey.gov.uk.
Birchall, D., Ezingeard, J.-N., & McFadzean, E. S. (2003). Information Security: Setting the Boardroom Agenda. London: Grist Ltd.
Bodin, L. D., Gordon, L. A., & Loeb, M. P. (2008). Information Security and Risk Management. Communications of the ACM, 51(4), 64-68.
Brancheau, J. C., Janz, B. D., & Wetherbe, J. C. (1996). Key Issues in Information Systems Management: 1994-95 SIM Delphi Results. MIS Quarterly, 20(2), 225-242.
Broadbent, M., & Weill, P. (1993). Improving Business and Information Strategy Alignment: Learning from the Banking Industry. IBM Systems Journal, 32(1), 162-179.
Brown, C. V. (1999). Horizontal Mechanisms under Differing IS Organization Contexts. MIS Quarterly, 23(3), 421-454.
Brown, C. V., & Magill, S. L. (1994). Alignment of the IS Functions with the Enterprise: Toward a Model of Antecedents. MIS Quarterly, 18(4), 371-403.
Brown, C. V., & Ross, J. W. (1996). The Information Systems Balancing Act: Building Partnerships and Infrastructure. Information Technology & People, 9(1), 49-62.
Bryson, J. M., Ackermann, F., & Eden, C. (2007). Putting the Resource-Based View of Strategy and Distinctive Competencies to Work in Public Organizations. Public Administration Review, 67(4), 702-717.
Burnes, G. (2008). Top 10 Enterprise Risk Management Myths. Financial Executive, 24(4), 56-58.
Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market. Journal of Computer Security, 11(3), 431-448.
Cerullo, V., & Cerullo, M. J. (2004). Business Continuity Planning: A Comprehensive Approach. Information Systems Management, 21, 70-78.
Chan, Y. E. (2002). Why Haven't We Mastered Alignment? The Importance of the Informal Organization Structure. MIS Quarterly Executive, 1(2), 97-112.
Chan, Y. E., Huff, S. L., Barclay, D. W., & Copeland, D. G. (1997). Business Strategic Orientation, Information Systems Strategic Orientation, and Strategic Alignment. Information Systems Research, 8(2), 125-150.
Chang, A. J.-T., & Yeh, Q.-J. (2006). On Security Preparations against Possible IS Threats across Industries. Information Management & Computer Security, 14(4), 343-360.
Charmaz, K. (2006). Constructing Grounded Theory: A Practical Guide Through Qualitative Analysis. London: Sage.
Chellappa, R. K., & Pavlou, P. A. (2002). Perceiving Information Security, Financial Liability and Consumer Trust in Electronic Commerce Transactions. Logistics Information Management, 15(5/6), 358-368.
Chickowski, E. (2008). Preventing Another TJX. Baseline, (81), 22-37.
Clarke, A. E. (2005). Situational Analysis: Grounded Theory and the Post-Modern Turn. Thousand Oaks, CA: Sage.
Cockcroft, S. (2002). Gaps between Policy and Practice in the Protection of Data Privacy. Journal of Information Technology Theory and Application, 4(3), 1-13.
Cohen, K. J., & Cyert, R. M. (1973). Strategy: Formulation, Implementation, and Monitoring. The Journal of Business, 46(3), 349-367.
Cresson Wood, C. (1991). Planning as a Means to Achieve Appropriate Data Communications Security. In K. Dittrich, S. Rautakivi & J. Saari (Eds.), Computer Security and Information Integrity (pp. 119-131). Amsterdam: Elsevier Science Publishers.
Creswell, J. W. (2003). Research Design: Qualitative, Quantitative, and Mixed Methods Approaches (Second Edition). Thousand Oaks, California: Sage Publications.
D'Arcy, J., & Hovav, A. (2007). Deterring Internal Information Systems Misuse. Communications of the ACM, 50(10), 113-117.
Da Veiga, A., & Eloff, J. H. P. (2007). An Information Security Governance Framework. Information Systems Management, 24(4), 361-372.
Daft, R. L., & Macintosh, N. B. (1984). The Nature and Use of Formal Control Systems for Management Control and Strategy Implementation. Journal of Management, 10(1), 43-66.
Damianides, M. (2005). Sarbanes-Oxley and IT Governance: New Guidance on IT Control and Compliance. Information Systems Management, 22(1), 77-85.
Dhillon, G. (2001). Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns. Computers & Security, 20(2), 165-172.
Dhillon, G., & Backhouse, J. (2000). Information System Security Management in the New Millennium. Communications of the ACM, 43(7), 125-128.
Dutta, A., & McCrohan, K. (2002). Management's Role in Information Security in a Cyber Economy. California Management Review, 45(1), 67-87.
Edwards, B. A. (2000). Chief Executive Officer Behavior: The Catalyst for Strategic Alignment. International Journal of Value-Based Management, 13(1), 47-54.
Entrust. (2004). Information Security Governance (ISG): An Essential Element of Corporate Governance. Retrieved 24th February 2005, from http://www.bitpipe.com/detail/RES/1082396487_702.html
Ernst & Young. (2007). 10th Annual Global Information Security Survey: Achieving a Balance of Risk and Performance. Retrieved 15th July 2008, from http://www.ey.com/Global/assets.nsf/UK/GISS_2007/$file/GISS%202007%20FINAL.pdf
Eschenbach, T. G., & Geistauts, G. A. (1985). A Delphi Forecast for Alaska. Interfaces, 15(6), 100-109.
Ettredge, M., & Richardson, V. J. (2002). Assessing the Risk in E-Commerce. Proceedings of the 35th Annual Hawaii International Conference on System Sciences. Hawaii.
Ettredge, M., & Richardson, V. J. (2003). Information Transfer among Internet Firms: The Case of Hacker Attacks. Journal of Information Systems, 17(2), 71-82.
Ezingeard, J.-N., & Birchall, D. (2004). Securing Information: Governance Issues. In S. Crainer & D. Dearlove (Eds.), Financial Times Handbook of Management. London: Financial Times Prentice Hall.
Ezingeard, J.-N., McFadzean, E., & Birchall, D. (2005). A Model of Information Assurance Benefits. Information Systems Management, 22(2), 20-29.
Flint, D. J., Woodruff, R. B., & Gardial, S. F. (2002). Exploring the Phenomenon of Customers' Desired Value Change in a Business-to-Business Context. Journal of Marketing, 66, 102-117.
Frolick, M. N., & Ariyachandra, T. R. (2006). Business Performance Management: One Truth. Information Systems Management, 23(1), 41-48.
Garg, A., Curtis, J., & Halper, H. (2003). Quantifying the Financial Impact of IT Security Breaches. Information Management & Computer Security, 11(2/3), 74-83.
Gilbert, F. (2008). Is Your Due Diligence Checklist Obsolete? Understanding How Information Privacy and Security Affects Corporate and Commercial Transactions. Computer and Internet Lawyer, 25(10), 13-18.
Govindarajan, V. (1988). A Contingency Approach to Strategy Implementation at the Business-Unit Level: Integrating Administrative Mechanisms with Strategy. Academy of Management Journal, 31(4), 828-853.
Guimaraes, T. A., Borges-Andrade, J. E., Machado, M. d. S., & Vargas, M. R. M. (2001). Forecasting Core Competencies in an R&D Environment. R & D Management, 31(3), 249-255.
Hansotia, B. (2002). Gearing up for CRM: Antecedents to Successful Implementation. Journal of Database Management, 10(2), 121-132.
Hazari, S. (2005). Perceptions of End-Users on the Requirements in Personal Firewall Software: An Exploratory Study. Journal of Organizational and End User Computing, 17(3), 47-65.
Henderson, J. C., & Venkatraman, N. (1993). Strategic Alignment: Leveraging Information Technology for Transforming Organizations. IBM Systems Journal, 32(1), 4-16.
Higgins, H. N. (1999). Corporate System Security: Towards an Integrated Management Approach. Information Management & Computer Security, 7(5), 217-222.
Hinde, S. (2003). The Law, Cybercrime, Risk Assessment and Cyber Protection. Computers and Security, 22(2), 90-95.
Ho, C.-F. (1996). Information Technology Implementation Strategies for Manufacturing Organizations: A Strategic Alignment Approach. International Journal of Operations & Production Management, 16(7), 77-100.
Huang, C. D., & Hu, Q. (2007). Achieving IT-Business Strategic Alignment via Enterprise-Wide Implementation of Balanced Scorecards. Information Systems Management, 24(2), 173-184.
Huang, S.-M., Lee, C.-L., & Kao, A.-C. (2006). Balancing Performance Measures for Information Security Management: A Balanced Scorecard Framework. Industrial Management & Data Systems, 106(1/2), 242-255.
IAAC. (2003). Engaging the Board: Corporate Governance & Information Assurance. Cambridge: Information Assurance Advisory Council.
Ittner, C. D., & Larcker, D. F. (1998). Innovations in Performance Measurement: Trends and Research Implications. Journal of Management Accounting Research, 10, 205-238.
Jeffery, M., & Leliveld, I. (2004). Best Practices in IT Portfolio Management. Sloan Management Review, 45(3), 41-49.
Kankanhalli, A., Teo, H.-H., Tan, B. C. Y., & Wei, K.-K. (2003). An Integrative Study of Information Systems Security Effectiveness. International Journal of Information Management, 23, 139-154.
Kaplan, R. S., & Norton, D. P. (1996). Using the Balanced Scorecard as a Strategic Management System. Harvard Business Review, 74(1), 75-85.
Kearns, G. S., & Lederer, A. L. (2003). A Resource-Based View of Strategic IT Alignment: How Knowledge Sharing Creates Competitive Advantage. Decision Sciences, 34(1), 1-29.
Kesh, S., & Ratnasingam, P. (2007). A Knowledge Architecture for IT Security. Communications of the ACM, 50(7), 103-108.
Kim, J., Lee, J., Han, K., & Lee, M. (2002). Business as Buildings: Metrics for the Architectural Quality of Internet Businesses. Information Systems Research, 13(3), 239-254.
Knapp, K. J., & Boulton, W. R. (2006). Cyber-Warfare Threatens Corporations: Expansion into Commercial Environments. Information Systems Management, 23(2), 76-87.
Kolokotronis, N., Margaritis, C., Papadopoulou, P., Kanellis, P., & Martakos, D. (2002). An Integrated Approach for Securing Electronic Transactions over the Web. Benchmarking, 9(2), 166-181.
Kruger, H. A., & Kearney, W. D. (2006). A Prototype for Assessing Information Security Awareness. Computers & Security, 25(4), 289-296.
Kulkarni, A., & Bush, S. (2006). Detecting Distributed Denial-of-Service Attacks Using Kolmogorov Complexity Metrics. Journal of Network and Systems Management, 14(1), 69-80.
Larreche, J.-C., & Montgomery, D. B. (1977). A Framework for the Comparison of Marketing Models: A Delphi Study. Journal of Marketing Research, 14(4), 487-498.
Lindup, K. (1996). The Role of Information Security in Corporate Governance. Computers & Security, 15(6), 477-485.
Linkous, J. (2008). Put the 'i' in IT Compliance. Communications News, 45(12), 26; 28.
Locke, K. D. (2001). Grounded Theory in Management Research. London: Sage.
Logan, P. Y., & Logan, S. W. (2003). Bitten by a Bug: A Case Study in Malware Infection. Journal of Information Systems Education, 14(3), 301-305.
Lohmeyer, D. F., McCrory, J., & Pogreb, S. (2002). Managing Information Security. McKinsey Quarterly.
Luftman, J. (2000). Assessing Business-IT Alignment Maturity. Communications of the Association of Information Systems, 4(14), 1-50.
Luftman, J. (2003). Assessing IT/Business Alignment. Information Systems Management, 20(4), 9-15.
Luftman, J., & Brier, T. (1999). Achieving and Sustaining Business-IT Alignment. California Management Review, 42(1), 109-122.
Luftman, J., Papp, R., & Brier, T. (1999). Enablers and Inhibitors of Business-IT Alignment. Communications of the Association of Information Systems, 1(11), 1-33.
Luftman, J. N., Lewis, P. R., & Oldach, S. H. (1993). Transforming the Enterprise: The Alignment of Business and Information Technology Strategies. IBM Systems Journal, 32(1), 198-221.
Malhotra, M. K., Steele, D. C., & Grover, V. (1994). Important Strategic and Tactical Manufacturing Issues in the 1990s. Decision Sciences, 25(2), 189-214.
McFadzean, E. S., Ezingeard, J.-N., & Birchall, D. (2006). Anchoring Information Security Governance Research: Sociological Groundings and Future Directions. Journal of Information Systems Security, 2(3), 3-47.
McFadzean, E. S., Ezingeard, J.-N., & Birchall, D. (2007). Perception of Risk and the Strategic Impact of Existing IT on Information Security Strategy at Board Level. Online Information Review, 31(5), 622-660.
McFarlan, F. W. (1984). Information Technology Changes the Way You Compete. Harvard Business Review, 62(3), 98-103.
McHugh, J. (2001). Intrusion and Intrusion Detection. International Journal of Information Security, 1(1), 14-35.
Miller, D. (1981). Toward a New Contingency Approach: The Search for Organizational Gestalts. Journal of Management Studies, 18(1), 1-26.
Miller, H. E., & Engemann, K. G. (1996). A Methodology for Managing Information-Based Risk. Information Resources Management Journal, 9(2), 17-24.
Mitchell, V. W., & McGoldrick, P. J. (1994). The Role of Geodemographics in Segmenting and Targeting Consumer Markets: A Delphi Study. European Journal of Marketing, 28(5), 54-72.
Mitnick, K. D. (2003). Are You the Weak Link? Harvard Business Review, 81(4), 18-20.
Montealegre, R. (2002). A Process Model of Capability Development: Lessons from the Electronic Commerce Strategy at Bolsa de Valores de Guayaquil. Organization Science, 13(5), 514-531.
NACD. (2001). Information Security Oversight: Essential Board Practices. National Association of Corporate Directors.
Nambisan, S., Agarwal, R., & Tanniru, M. (1999). Organizational Mechanisms for Enhancing User Innovation in Information Technology. MIS Quarterly, 23(3), 365-395.
National Cyber Security Partnership Governance Task Force. (2004). Information Security Governance: A Call to Action. Retrieved 24th February 2005, from http://www.cyberpartnership.org/InfoSecGov4_04.pdf
Niederman, F., Brancheau, J. C., & Wetherbe, J. C. (1991). Information Systems Management Issues for the 1990s. MIS Quarterly, 15(4), 475-500.
Okoli, C., & Pawlowski, S. D. (2004). The Delphi Method as a Research Tool: An Example, Design Considerations and Applications. Information & Management, 42(1), 15-29.
Parente, F. J., Anderson, J. K., Myers, P., & O'Brien, T. (1984). An Examination of Factors Contributing to Delphi Accuracy. Journal of Forecasting, 3(2), 173-183.
Peak, D., & Guynes, S. (2003). The IT Alignment Planning Process. Journal of Computer Information Systems, 44(1), 9-15.
Post, G. V., & Kagan, A. (2007). Evaluating Information Security Tradeoffs: Restricting Access can Interfere with User Tasks. Computers & Security, 26(3), 229-237.
Posthumus, S., & Von Solms, R. (2004). A Framework for the Governance of Information Security. Computers & Security, 23(8), 638-646.
Powers, V. J. (1996). Benchmarking Study Illustrates how Best-in-Class Achieve Alignment, Communicate Change. Communication World, 14(1), 30-33.
Preble, J. F. (1984). The Selection of Delphi Panels for Strategic Planning Purposes. Strategic Management Journal, 5(2), 157-170.
Preble, J. F. (1992). Towards a Comprehensive System of Strategic Control. Journal of Management Studies, 29(4), 391-409.
Raghupathi, W. R. (2007). Corporate Governance of IT: A Framework for Development. Communications of the ACM, 50(8), 94-99.
Reich, B. H., & Benbasat, I. (2000). Factors that Influence the Social Dimension of Alignment between Business and Information Technology Objectives. MIS Quarterly, 24(1), 81-113.
Rockart, J. F., Earl, M. J., & Ross, J. W. (1996). Eight Imperatives for the New IT Organization. Sloan Management Review, 38(1), 43-55.
Sabherwal, R., & Chan, Y. E. (2001). Alignment between Business and IS Strategies: A Study of Prospectors, Analyzers, and Defenders. Information Systems Research, 12(1), 11-33.
Sanderson, E., & Forcht, K. A. (1996). Information Security in Business Environments. Information Management & Computer Security, 4(1), 32-37.
Sandman, J. (2008). Watching for Rogue Traders. Securities Industry News, 20(23), 4.
Sarker, S., Lau, F., & Sahay, S. (2001). Using an Adapted Grounded Theory Approach for Inductive Theory Building about Virtual Team Development. The DATA BASE for Advances in Information Systems, 32(1), 38-56.
Saunders, C. S., & Jones, J. W. (1992). Measuring Performance of the Information Systems Function. Journal of Management Information Systems, 8(4), 63-82.
Schmidt, R., Lyytinen, K., Keil, M., & Cule, P. (2001). Identifying Software Project Risks: An International Delphi Study. Journal of Management Information Systems, 17(4), 5-36.
Schmidt, R. C. (1997). Managing Delphi Surveys using Nonparametric Statistical Techniques. Decision Sciences, 28(3), 763-774.
Schultz, E. E. (2002). A Framework for Understanding and Predicting Insider Attacks. Computers & Security, 21(6), 526-531.
Segars, A. H., & Grover, V. (1998). Strategic Information Systems Planning Success: An Investigation of the Construct and its Measurement. MIS Quarterly, 22(2), 139-163.
Sherwood, J. (1996). SALSA: A Method for Developing the Enterprise Security Architecture and Strategy. Computers & Security, 15(6), 501-506.
Siebens, H. (2002). Concepts and Working Instruments for Corporate Governance. Journal of Business Ethics, 39(1/2), 109-116.
Sledgianowski, D., & Luftman, J. (2005). IT-Business Strategic Alignment Maturity: A Case Study. Journal of Cases on Information Technology, 7(2), 102-120.
Smaczny, T. (2001). Is an Alignment between Business and Information Technology the Appropriate Paradigm to Manage IT in Today's Organisations? Management Decision, 39, 797-802.
Smedinghoff, T. J. (2005). The New Law of Information Security: What Companies Need to Do Now. Computer and Internet Lawyer, 22(11), 9-25.
Smedinghoff, T. J. (2008). The State of Information Security Law: A Focus on the Key Legal Trends. EDPACS, 37(1/2), 1-52.
Sniezek, J. A. (1990). A Comparison of Techniques for Judgmental Forecasting by Groups with Common Information. Group & Organization Studies, 15(1), 5-19.
Stewart, A. (2005). Information Security Technologies as a Commodity Input. Information Management & Computer Security, 13(1), 5-15.
Stewart, K. A., & Segars, A. H. (2002). An Empirical Examination of the Concern for Information Privacy Instrument. Information Systems Research, 13(1), 36-49.
Straub, D. W., & Welke, R. J. (1998). Coping With Systems Risk: Security Planning Models for Management Decision Making. MIS Quarterly, 22(4), 441-469.
Strauss, A., & Corbin, J. (1990). Basics of Qualitative Research: Grounded Theory Procedures and Techniques. Thousand Oaks, California: Sage.
Strauss, A., & Corbin, J. (1998). Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory. Thousand Oaks, California: Sage Publications.
Swartz, N. (2003). The Cost of Sarbanes-Oxley. Information Management Journal, 37(5), 8.
Tallon, P. P., Kraemer, K. L., & Gurbaxani, V. (2000). Executives' Perceptions of the Business Value of Information Technology: A Process-Oriented Approach. Journal of Management Information Systems, 16(4), 145-173.
Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2006). Formulating Information Systems Risk Management Strategies through Cultural Theory. Information Management & Computer Security, 14(3), 198-217.
Turnbull, N. (1999). Internal Control: Guidance for Directors on the Combined Code. London: The Institute of Chartered Accountants in England & Wales.
van Opstal, D. (2007). The Resilient Economy: Integrating Competitiveness and Security. Washington, D.C.: Council on Competitiveness.
Venkatraman, N. (1989). The Concept of Fit in Strategy Research: Toward Verbal and Statistical Correspondence. Academy of Management Review, 14(3), 423-444.
Vijayan, J. (2008). Inside Job Highlights IT and Oversight Failures at Bank. Computerworld, 42(23), 16.
Viton, P. L. (2003). Creating Fraud Awareness. S.A.M. Advanced Management Journal, 68(3), 20-27; 43.
Von Solms, B. (2001a). Corporate Governance and Information Security. Computers & Security, 20(3), 215-218.
Von Solms, B. (2001b). Information Security: A Multidimensional Discipline. Computers & Security, 20(6), 504-508.
Von Solms, B., & Von Solms, R. (2004). The 10 Deadly Sins of Information Security Management. Computers & Security, 23(5), 371-376.
Vroom, C., & Von Solms, R. (2004). Towards Information Security Behavioural Compliance. Computers & Security, 23(3), 191-198.
Wailgum, T., & Sayer, P. (2008). Risk without Reward. CIO, 21(14), 42-45.
Ward, J., & Peppard, J. (1996). Reconciling the IT/Business Relationship: A Troubled Marriage in Need of Guidance. Journal of Strategic Information Systems, 5(1), 37-65.
Ward, J. M. (1988). Information Systems and Technology Application Portfolio Management - an Assessment of Matrix-Based Analyses. Journal of Information Technology, 3(3), 205-215.
Ward, P., & Smith, C. L. (2002). The Development of Access Control Policies for Information Technology Systems. Computers & Security, 21(4), 356-371.
Whitman, M. E. (2003). Enemy at the Gate: Threats to Information Security. Communications of the ACM, 46(8), 91-95.
Willcoxson, L., & Chatham, R. (2004). Progress in the IT/Business Relationship: A Longitudinal Assessment. Journal of Information Technology, 19(1), 71-80.
Youndt, M. A., Snell, S. A., Dean, J. W., & Lepak, D. P. (1996). Human Resource Management, Manufacturing Strategy, and Firm Performance. Academy of Management Journal, 39(4), 836-866.
Zuccato, A. (2004). Holistic Security Requirement Engineering for Electronic Commerce. Computers & Security, 23(1), 63-76.
Zviran, M., & Haga, W. J. (1999). Password Security: An Empirical Study. Journal of Management Information Systems, 15(4), 161-185.

Figure 1: IA Strategy Alignment Model

Figure 2: Options for Improving IA Alignment

Key to Figure 2 (the 29 Delphi statements):

A. Gaining senior executive support for information assurance
B. Instilling IA values and awareness amongst employees
C. Anticipating IA threats
D. Developing a security architecture that can rapidly respond to changes in the business environment
E. Clarifying individual IA roles and responsibilities for all employees in the organisation
F. Developing IA policy beyond legislation and regulation
G. Developing a 3 to 5 year IA strategy
H. Working together with members of the same industry to develop solutions for IA issues
I. Responding to changing organisational needs by providing flexible IA procedures and regulations
J. Using the latest security technology, when appropriate
K. Improving communication between IA and business functions
L. Aligning IA measures with business objectives
M. Prioritising IT/IA projects in line with organisational goals
N. Improving the knowledge of both IA and corporate goals and requirements for all relevant personnel
O. Involving the IA function in corporate strategy development
P. Developing collaboration between IA and the organisation's other functions
Q. Discussing at board level key strategic dilemmas pertaining to IA, e.g. sharing information vs. tight security
R. Ensuring IA practitioners discuss how IA processes can support or restrict corporate strategy when undertaking IA changes
S. Dedicating resources to making IA practices responsive to changes in the environment
T. Identifying different (internal and external) stakeholders' requirements in terms of IA
U. Determining information assurance success by qualitative as well as quantitative measures
V. Using metrics to measure information assurance
W. Evaluating employees' IA practices
X. Benchmarking IA against external organisations (best practices/standards)
Y. Having IA metrics which focus on time performance (for example, how long it took to discover incidents and how long it took to recover)
Z. Providing non-technical reports to the Board of Directors so that they can understand and approve IA policy
(a) Reporting to the board on how IA goals are being achieved
(b) Frequent auditing of IA policies
(c) Including IA metrics in general IT reports

Figure 3: Methods for Enhancing Alignment – Premier Choices

Figure 4: Methods for Enhancing Alignment – Options Requiring Further Work

Appendix 1(i): Information on Interview Sample

[Table: interview subjects S1 to S43, with columns Subject Code, Position, Industry, Company, Board Member (Yes/No) and Last Turnover Figure ($m)1.]

Positions represented: CEO/Chief Executive Officer; E-Commerce Development Director; Advisor; Chairman; Chief Information Security Officer & VP Operations; IT Director; Company Secretary; Managing Director; Chief Information Officer; Chief Information Security Officer; Senior Manager, Business Process Industrial Products; Group Security Adviser; Director of Finance & Corporate Services; Chief Finance Officer; Director of Global Security; Finance Director; Director of Finance, Personnel & Information Systems; Group Marketing Director; Marketing Director; Information Security Project Manager; Chief Security Officer; Knowledge Manager; Senior Civil Servant; Information Assurance Programme Director; Head of IT; Benchmark Programs Manager; Head of Information.

Industries represented: Finance; Energy; Electronics; Manufacturing; Consulting; Pharmaceutical; Defence; IT; Communications; Public Sector; Education; Technology; Electronic Trading; Scientific Solutions; Transportation & Logistics.

Company types represented: UK Public Quoted; Subsidiary of UK Public Quoted; US Public Quoted; UK Government department; UK public sector authority; UK Subsidiary of Swiss Public Quoted; UK Subsidiary of US Public Quoted; Multi-national subsidiary of US Public Quoted; German Subsidiary of US Public Quoted; Swiss Public Quoted; Subsidiary of Spanish Public Quoted; Global Organisation with listings in London, Hong Kong and New York; UK Public not quoted; UK Private; Private. Turnover is reported either for the company itself or as group results, and is marked "Not applicable" for public sector bodies and "Unavailable" where no figure was published.

1 Results taken from Osiris. Where results are available in a currency other than US dollars, the exchange rate published at TrustNet (http://www.trustnet.com/general/rates.asp) on 10th March 2008 was used for converting the revenue figures.

Appendix 1(ii): Information on Delphi Panel

[Table: 33 panel members identified by code (56231, 56232, 56235, 56236, 56239, 56240, 56242, 56244, 56245, 56246, 56247, 56248, 56249, 56251, 56252, 56253, 56255, 56257, 56258, 56259, 56263, 56264, 56267, 56268, 56270, 56271, 56272, 56273, 56275, 56276, 56277, 56278, 56279), with columns Code, Company, Role, Sector and Turnover ($m).]

Roles represented: Professor; Lecturer; Reader in Information Security; Associate Editor, Information Management and Computer Security; Director, Security Risk; Executive Director, Global Head of Security Risk; Information Security Consultant; Security Consultant; Security Consultant and Government Adviser; Head of Information Security; Head of Security; Head of Security Architecture; Head of Information Assurance; Head of IT; Chief Security Officer (for the Group); Chief Information Security Officer; Information Security Officer; IT Security and Business Continuity Principal Analyst; Group Security Adviser; Project Director, Information Assurance; Managing Director; IT Director; Senior civil servant.

Sectors represented: Education Sector; Electronics; IT Services/Consultancy; Finance; Retail; Public Sector.

Company types represented: Academia; UK Public Quoted; US Public Quoted; Swiss Public Quoted; Belgian Public Quoted; Subsidiary of UK Public Quoted; UK Subsidiary of US Public Quoted; UK Private; UK Government Department; Global Organisation with listings in London, Hong Kong and New York. Turnover is reported either for the company itself or as group results, is marked "Not applicable" for academic and public sector bodies, and is marked "Unknown", "Unavailable" or "Not published" (in one case with the employee count, 1,600, given instead) where no figure was obtained.

Unknown

56262 56243 56234

UK Public Sector Organisation UK Subsidiary of Swiss Public Quoted UK Private

Education Sector

Not applicable

Appendix 2 – Sample of Interview Questions Developing IA Goals and Critical Success Factors •

What are the objectives of IA within your organisation?



What are your key drivers behind your IA objectives?



How do you know when you have achieved your IA goals? How do you know when you have fulfilled them? What critical success factors do you require in order to achieve your IA goals?

Constructing or Improving IA Strategy Alignment •

What processes do you use to link business direction with security strategy, measures and benchmarking?



How do you find out about the potentially disparate views of different people and/or functions and develop an agreement between them?



How do you ensure that your IA strategy is aligned to the business plans?



How do you make sure that you've got the right metrics in place and that they are aligned to the business strategy?



How would you improve the alignment between IA, IT and business strategy within your organisation?

Measuring & Reporting Practices •

What specific areas do you measure in terms of information assurance and security?



Do you employ outside consultants to ascertain whether the organisation has appropriate and effective IA competencies and processes in place?



What levels would information assurance be discussed? Is it at board level or is it a level just below that? What issues are discussed at these meetings?



Is there a person at senior level that is responsible for IA across the whole group or is it seen as part of everyone's job?



How are IA metrics developed? Who develops them and what are they?



How is information assurance presented to the audit committee?

Evaluating & Communicating Strategic Information to the Board •

What information in terms of IA is communicated to the board?



How is this information communicated to the board?



How does the board satisfy itself in terms of IA effectiveness across the organisation?



Does the board feel any growing pressures in terms of IA due to the growing number of scandals that are shared with the public?



How often does that IA strategy paper go to the board and what is included in the paper?

Appendix 3: Example of Analysis Process Appendix 3(i) – Step 1 – Interviews

Appendix 3(ii) – Step 2 – Coding Process

Appendix 3(iii) – Step 3 – Delphi Procedure