DEFINING VALUE BASED INFORMATION SECURITY GOVERNANCE OBJECTIVES

Author

Sushma Mishra, Virginia Commonwealth University

DOI

https://doi.org/10.25772/8S3W-ZD67

Defense Date

2008

Document Type

Dissertation

Degree Name

Doctor of Philosophy

Department

Information Systems

First Advisor

Gurpreet Dhillon

Abstract

This research argues that the information security governance objectives should be grounded in the values of organizational members. Research literature in decision sciences suggest that individual values play an important role in developing decision objectives. Information security governance objectives, based on values of the stakeholders, are essential for a comprehensive security control program. The study uses Value Theory as a theoretical basis and value focused thinking as a methodology to develop 23 objectives for information security governance. A case study was conducted to reexamine and interpret the significance of the proposed objectives in an organizational context. The results suggest three emergent dimensions of information security governance for effective control structure in organizations: resource allocation, user involvement and process integrity. The synthesis of data suggests eight principles of information security governance which guides organizations in achieving a comprehensive security environment. We also present a means-end model of ISG which proposes the interrelationships of the developed objectives. Contributions are noted and future research directions suggested.

Rights

© The Author

Is Part Of

VCU University Archives

Is Part Of

VCU Theses and Dissertations

Date of Submission

May 2009