
Role of the boards and senior management within formal, technical and informal components: IS/IT security governance in the Malaysian publicly listed companies


Abstract

In IT governance, there are two types of responsibilities: the first is IT value governance and the second is IT risk governance. The primary objective of this study is to examine the second type of responsibility, IT risk governance, specifically looking into the involvement of the board, senior management and all management levels in IS/IT security.

Prior research has shown a lack of involvement by the board and senior management in understanding IS/IT security problems, unbalanced implementation of IS/IT security within the formal, technical and informal components, and a lack of internal controls application over IS/IT security. The gap found in this study has led to the development of two major research questions. Research Question 1: In what way does the involvement of Boards and senior management impact on the implementation of IS/IT security governance? Research Question 2: How can directing and monitoring actions in the technical, formal and informal components of IS/IT security governance in corporations be implemented effectively and efficiently? The two research questions have steered the development of the conceptual framework, the model of IS/IT security governance and the research methods.

The IS/IT security governance model is an extension of the conceptual framework. The model prescribes several areas relating to the elements of the three components (formal, technical and informal) and component interactions (Relationship Type 1-Formal/Informal, Relationship Type 2-Formal/Technical and Relationship Type 3-Technical/Informal) within Malaysian Publicly Listed Corporations. The model suggests IS/IT security ought to be included within risk management and internal controls practices, through ‘directing’ and ‘monitoring’ actions and exclusively emphasises the supervision role and the relationship between the supervisor (giver) and the holder of responsibility.

Because the nature of the study is sensitive and confidential, the study has adopted a triangulation method. Data were collected using interviews and a mail survey as primary sources and website analysis as a secondary source. 12 interviews were conducted with CEOs, CIOs, other senior managers and IT manager from eight companies of Group A (Top) and Group B (Middle) across different industries. Despite a low response rate for the mail survey, the data have high validity as interviews and responses involved appropriate people in leading organisations in Malaysia from Group A (Top) and Group B (Middle): high profit and large market capitalisation organisations and experienced senior managers. Content analysis over 210 annual reports of website data from Group A, Group B and Group C was conducted.

The data from interviews, survey and website analysis have supported the model of IS/IT security governance. The findings from the interview data are consistent with the elements of formal, technical and informal components and component interactions; risk management and internal controls over IS/IT security and ‘directing’ and ‘monitoring’ actions over IS/IT security are supported. The results of the survey have shown that the respondents had similar perspectives as the model. The website analysis revealed that two factors may determine IS/IT security governance: the group type and industry type.

Bibliographic record

  • Author

    Musa N;

  • Author affiliation
  • Year 2012
  • Total pages
  • Original format PDF
  • Text language en
  • Chinese Library Classification
