Application of Q-methodology in critical success factors of information security risk management.

摘要

With more organizations undertaking information security initiatives, there is increasing awareness among Information Technology (IT) professionals regarding the risk management process. Successful implementation of a well-developed information security program depends on identifying the critical success factors (CSF) of risk management. An understanding of experiences and perspectives of IT professionals regarding the CSF is central to the delivery of a quality risk management process. Implicit with this is a need to understand the attributes and characteristics of these individuals, their subjectivity. Past studies have attempted to address this need by identifying a list of general CSF through interviews, case studies, and large surveys. In this paper, Q-methodology is offered as an alternative approach which provides insight into individual subjectivity through the use of factor analysis.;Within Q-methodology, individuals are asked to rank-order statements (Q-sort), which are then inter-correlated and subjected to factor analysis. In this way, groups of individuals holding similar viewpoints or opinions are identified. The factors are then interpreted to provide an understanding of underlying subjectivities. This paper explores the theoretical underpinnings of Q-methodology and its application as a research method in the field of information security.;In this study, we interviewed 50 IT professionals from various organizations, and systematically examined their subjectivity by applying the principles of Q-methodology. Our research revealed three distinct types of perspectives regarding the critical success factors in information security risk management initiatives. Our study also found senior management support to be the most critical success factor in such initiatives. However, the study revealed a difference of understanding between two groups of participants regarding the criticality of senior management support. Finally, our study found pre-selecting a risk assessment method is considered to be the least critical success factor in information security risk management.