Model of Managerial Effectiveness in Information Security: From Grounded Theory to Empirical Test

摘要

Information security is a critical issue facing organizations worldwide. in order to mitigate risk and protect valuable information, organizations need to operate and manage effective information security programs. Using a research methodology that combines qualitative and quantitative techniques, this study proposes and tests a theoretical model of managerial effectiveness in information security. Specifically, the model demonstrates the influence of top management support on perceived security effectiveness mediated by four constructs critical to successful information security programs: user training, security culture, policy relevance, and policy enforcement. Prior research has not yet examined the mediation factors between management support and information security effectiveness. During the qualitative phase of the study, and open-ended question was given to a sample of 220 certified information system security professionals (CISSPs). Responses were analyzed using a grounded theory strategy to develop a theoretical model as well as a survey instrument to test the model. Because of the potential sensitive nature of information security research, a special effort removed items appearing overly intrusive to the respondents. In this endeavor, an expert panel of security practitioners evaluated all proposed items on a willingness-to-answer scale. The instrument underwent further refinements through multiple pre-tests and a pilot test.