Evaluating the effectiveness of information security governance practices in developing nations: A case of Ghana.

摘要

The problem organizations are facing is lack of effective information security governance (ISG) to address emerging security risks, threats and vulnerabilities. The intent of this quantitative cross-sectional survey research is to evaluate the level of ISG effectiveness within the five ISG domain areas, namely strategic alignment (SA), risk management (RM), resource management (RM), performance measurement (PM), and value delivery (VD), identified by the Information Technology Governance Institute (ITGI) and required to improve ISG practices. Random sampling strategy is employed and an empirical survey, a Web-based questionnaire, is conducted using the Information Security Governance Assessment Questionnaire to collect data from five major industry sectors in Ghana. Simple and multiple regression analyses are employed to assess the extent of the relationship between ISG domain practices, outcomes, and effectiveness; and ANOVA (analysis of variance) is used to benchmark industry sectors' ISG effectiveness. Overall, the multiple regression model produced R2 = .505, indicating that 50.5% of the variance in ISG effectiveness was explained by ISG domain practices. The results highlight the consistent importance of RM, PM, and RK as the predictors of organizational ISG effectiveness while SA contributed marginally to the model. The linear regression analyses results highlight the importance of SA (R2 = .836) as the major predictor of organizational information security RK. The findings show significant contributions of SA to RM (R 2 = .747), SA to PM (R2 = .722), and SA to VD (R2 = .718). The ANOVA results also show that Financial Institutions outperforms all the other sectors in each of the five ISG domain areas, the Public Service and the Health Care sectors perform at the lowest level, and the PM is the least implemented domain. Accordingly, to attain higher ISG effectiveness, organizations should focus on strategic alignment between business and information security and performance measurement attributes. The study provides researchers the avenue to conduct comparative studies between developed and developing nations. From a practical standpoint, the study enables organizational leaders to gain better understanding of the factors that contribute to ISG effectiveness, benchmark industry sectors' performance, and to champion ISG development for business success in Ghanaian organizations.