The Role of Organizational Factors to the Effectiveness of ISMS Implementation in Malaysian Public Sector

  • Authors

    • Noralinawati Ibrahim
    • Nor’ashikin Ali

    2018-11-30
    https://doi.org/10.14419/ijet.v7i4.35.22907

  • Keywords

    Information Security Management System, Public Sector, Information Security, Organizational Factors, Success Factors
  • Abstract

    Many organizations have initiated efforts to manage the security of their information by implementing an Information Security Management System (ISMS). An ISMS is a set of guiding principles for managing an organization’s confidential information and minimizing risk to business continuity. However, information security remains a major challenge, and the effectiveness of ISMS is often questioned because organizations continue to be exposed to information security threats, incidents, risks, and vulnerabilities. One reason is that current ISMS practices are not followed successfully by all employees, combined with a lack of ISMS awareness in organizations. Previous studies have identified several critical success factors that lead to ISMS success, among them human, organizational and technical factors. This study explores the factors that contribute to the success of ISMS and identifies the organizational factors that relate to information security effectiveness. A conceptual model is developed and will be tested within Malaysian Public Sector (MPS) organizations to provide preliminary insight into, understanding of, and clarification of the organizational factors, together with their significant effects on ISMS effectiveness. The study uses a quantitative approach; data were collected through a questionnaire survey from personnel who were directly involved in the ISMS implementation.



  • How to Cite

    Ibrahim, N., & Ali, N. (2018). The Role of Organizational Factors to the Effectiveness of ISMS Implementation in Malaysian Public Sector. International Journal of Engineering & Technology, 7(4.35), 544-550. https://doi.org/10.14419/ijet.v7i4.35.22907