Information Assurance Compliance with Government Regulations

Information Systems Management, 28:102–129, 2011 Copyright © Taylor & Francis Group, LLC ISSN: 1058-0530 print / 1934-8703 online DOI: 10.1080/10580530.2011.562127

Information Assurance and Corporate Strategy: A Delphi Study of Choices, Challenges, and Developments for the Future

Elspeth McFadzean (1), Jean-Noël Ezingeard (2), and David Birchall (1)

(1) Henley Business School, University of Reading, Greenlands, Henley-on-Thames, Oxfordshire, United Kingdom

(2) Faculty of Business and Law, Kingston University, Kingston Hill, Kingston Upon Thames, Surrey, United Kingdom

In this article, we identified processes associated with strengthening the alignment between information assurance, information systems and corporate strategies so that organizations could more effectively address legal and regulatory challenges. Our results are based on data gathered from 43 preliminary interviews and a subsequent Delphi exercise. The Delphi panel rated these processes in terms of desirability and feasibility. After three rounds a consensus of opinion was achieved. The results of the Delphi together with some practical implications are presented.

Keywords information assurance; IA alignment; strategic alignment; Delphi

1. INTRODUCTION

Due to constantly increasing threats to the security, integrity and availability of organizational information, theorists have presented a number of studies on information assurance (IA), or different aspects of IA, in the literature (Baskerville, 1991; Kankanhalli, Teo, Tan, & Wei, 2003; Miller & Engemann, 1996; Zviran & Haga, 1999). Indeed, there has been a call from both government officials and in the academic literature to place security issues—often the most discussed element of IA—at a more senior level (Dutta & McCrohan, 2002). The legal environment is also changing and continuing concerns regarding individual privacy, security of sensitive information, accountability for financial information and corporate governance are driving the development of new laws and regulations to ensure that organizations address potential security problems (Gilbert, 2008; Smedinghoff, 2008). These often include two key legal obligations:

• A duty to provide sufficient security for corporate data and information systems; and

• A duty to reveal security breaches to those individuals or businesses who may be adversely impacted by these breaches (Smedinghoff, 2005).

Address correspondence to Elspeth McFadzean, Henley Business School, University of Reading, Greenlands, Henley-on-Thames, Oxfordshire RG9 3AU, United Kingdom. E-mail: elspeth.mcfadzean@henley.reading.ac.uk

Some theorists have suggested that information assurance should be undertaken as part of the corporate governance procedures and, as such, should be the responsibility of the board of directors (Birchall, Ezingeard, & McFadzean, 2003; Von Solms, 2001a). In fact, organizational compliance regulations that cover IA are increasingly expanding. In the United States, the Sarbanes-Oxley Act is seen as a key driver of IA efforts at senior levels for publicly traded companies (Linkous, 2008). Thus, according to the National Cyber Security Partnership Governance Task Force (2004, p. 12):

The board of directors should provide strategic oversight regarding information security, including:

1. Understanding the criticality of information and information security to the organization.

2. Reviewing investment in information security for alignment with the organization strategy and risk profile.

3. Endorsing the development and implementation of a comprehensive information security program.

4. Requiring regular reports from management on the program’s adequacy and effectiveness.

IA efforts can, however, be criticized for hampering business strategy and introducing restrictions to creativity, entrepreneurship and responsiveness. Organizations therefore need strong alignment between IS, IA and corporate strategies so that they can more effectively address the above legal and regulatory challenges (Ezingeard, McFadzean, & Birchall, 2005). In other words, organizations cannot view information assurance as an autonomous entity but as part of a holistic enterprise-wide framework that includes corporate and information strategies. A key advantage of developing IS, IA and corporate strategies at such a high level is the ability to build alignment between them. Senior executives are in a better position to gain a complete overview of the company, its goals and its processes (Lohmeyer, McCrory, & Pogreb, 2002). In addition, they have the authority to ensure that these plans are implemented effectively (Kankanhalli et al., 2003; McFadzean, Ezingeard, & Birchall, 2006).

Unfortunately, there has been little research undertaken in the area of IA alignment. The aim of this article, then, is to ascertain what specific methods and processes can be utilized by management in order to strengthen the alignment of IA, IS, and corporate strategy. To this end, we have used the Delphi Technique to determine these actions. We have also asked the expert panel to rank both the desirability and the feasibility of these variables.

This article is structured as follows. The next section discusses the importance of information assurance and its alignment to IS and business goals. Moreover, a brief review of the alignment literature is presented. The methodology and research design are then described. This section discusses the use of the Delphi Methodology as well as the design of our study. Subsequent sections present the results of the project and discuss the methods for strengthening IA and business alignment. Finally, some implications for managers are considered.

2. INFORMATION ASSURANCE ALIGNMENT

2.1. Information Assurance as a Strategic Necessity

The UK Information Assurance Advisory Council (IAAC) define IA as “a holistic approach to protect information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation” (Anhal, Daman, O’Brien, & Rathmell, 2002, p. 7). In other words, information assurance attempts to avoid security problems rather than fix them (Austin & Darby, 2003). Furthermore, a comprehensive conceptualisation of information assurance ensures that the information systems that are supporting an organization’s transactional and transformational needs are kept operational and secure. This requires a complete view of the organization’s vision as well as its current information needs and systems. Additionally, IA specialists need to understand how value is created from information and how it can be used to enhance the organization’s success. As a result, Ezingeard, McFadzean, and Birchall (2005, p. 23) suggest that IA is a method for “determining how the reliability, accuracy, security and availability of a company’s information assets should be managed to provide maximum benefit to the organization, in alignment with corporate objectives and strategy.”

McFarlan (1984) and Ward (1988) propose that an issue is strategic if it has the potential to impact on the business as a whole. Thus, in this sense, information assurance can be defined as a strategic issue—and, therefore, should support corporate strategy—because the consequences of IA policy decisions can affect the entire business. For example, an ill-considered or poor IA strategy could result in

• Damage to a firm’s reputation (Chellappa & Pavlou, 2002; Logan & Logan, 2003).

• Financial loss due to poor controls (Dhillon, 2001; Ward & Smith, 2002).

• The inability to operate, loss of business and a reduction in share price on the stock markets (Campbell, Gordon, Loeb, & Zhou, 2003; Ettredge & Richardson, 2002, 2003).

• A restriction of information flow causing poor customer service and loss of business over time (Cerullo & Cerullo, 2004; Sanderson & Forcht, 1996).

• Prohibitively high costs and the possibility that the organization may not survive the disruption (Garg, Curtis, & Halper, 2003; Logan & Logan, 2003).

• The migration of customers to competitors because of the inconvenience or risk of inadequate security, failing computer systems, lack of stability and poor reliability (Cockcroft, 2002; Hazari, 2005).

Information assurance is not just a technical problem. In fact, Dutta and McCrohan (2002) suggest that it is supported by three key areas, namely critical infrastructure, organization and technology—and it is the responsibility of managers to ensure that these three areas are aligned. Consequently, Dutta and McCrohan state that if information assurance is left to the IS function, only one of these issues—technology—will be strengthened. Furthermore, recent attacks on buildings—the World Trade Center being a prime example—show that critical infrastructure and organizational issues are just as important as the technical side. Thus, information security is not just a problem for a series of single organizations. Rather, it is a national—indeed, global—challenge.

Organizational issues—including culture, structure, politics and the business environment—can also have an impact on information assurance. For example, certain organizations won’t see the necessity to promote strict information security; while others—such as companies which primarily focus on e-commerce—are likely to perceive information security as a key factor and will be aware of the potentially significant implications of a breach. On the other hand, small organizations or those that do not significantly rely on inter-organization information exchange will be less concerned with stringent security procedures (McFadzean, Ezingeard, & Birchall, 2007). In fact, a survey undertaken in the UK by BERR (2008), found that 10% of companies that accept payment on their websites do not encrypt the information. Furthermore, 52% do not carry out any informal risk assessment, 67% do not prevent confidential data being downloaded onto memory sticks and 78% of companies that had computers stolen did not encrypt hard discs.

In addition, the advent in the USA of the Sarbanes-Oxley Act, which holds executives personally liable for the accuracy of financial results—together with equivalent government guidelines in other countries—could potentially prepare the way to similar liabilities for all types of compliance issues. This is a growing problem particularly due to the increasing anxiety amongst consumers regarding information privacy (Stewart & Segars, 2002; Swartz, 2003; Viton, 2003). The latest survey undertaken by Ernst & Young (2007) suggests that regulation and compliance are now the leading drivers of information security investment. Indeed, 82% of managers now believe that information security positively contributes to the value of organizations rather than just being seen as an IT overhead. In fact, under section 302 of the Sarbanes-Oxley Act, the chief executive and chief financial officers of public companies must personally certify the existence and effective operation of disclosure controls and procedures. Additionally, they must declare that they have disclosed any substantial control deficiencies or any significant changes to control systems to their audit committees and independent auditors (Damianides, 2005).

Sixty percent of the respondents in the Ernst & Young (2007) survey also indicated that information security is instrumental in facilitating strategic initiatives. Likewise, the academic literature emphasizes the need to ensure that information assurance is seen as a corporate governance issue (Von Solms, 2001b; Von Solms & Von Solms, 2004). This will provide the organization with a more holistic view of security and include the development and implementation of risk planning models, security awareness programmes, counter measure matrix analysis and the construction of a security architecture that closely relates to the requirements of the business (Sherwood, 1996; Straub & Welke, 1998). Furthermore, this will help to integrate IA policy with multiple functional levels within the firm and will aid both communication and control and provide a framework for feedback. It will also link key IA and business issues such as corporate goals, legal and regulatory processes, best practices and the IT infrastructure (Cresson Wood, 1991; Higgins, 1999; Lindup, 1996; Posthumus & Von Solms, 2004). Moreover, information assurance needs to be aligned to both corporate and information strategy so that appropriate organizational assets and processes can be protected effectively without the need to invest in security procedures in unnecessary areas. Organizations should also seek to balance IA regulations with corporate objectives. Too much restriction can reduce business effectiveness and too little can leave the organization vulnerable to data loss or malicious attacks. Finally, information assurance can only work if stakeholders are aware of the risks and comply with the stated regulations. There is an increasing level of engagement between IA professionals and other stakeholders such as external auditors, lawyers, human resource managers and government agencies. Therefore, it is essential that information assurance is seen as a holistic discipline with senior management support and is championed together with the organization’s objectives. Stakeholders are more likely to comply with the regulations if they are aware of the potential consequences to the business’s objectives—and their own roles—if they are not followed effectively. Hence, information assurance must become a concern from a corporate governance and strategic alignment perspective and should rise to the highest levels of the organization (Dutta & McCrohan, 2002; Ezingeard & Birchall, 2004; NACD, 2001; Von Solms, 2001a).

2.2. The Importance of Alignment

The alignment of separate functional strategies—such as information technology and human resources—to corporate strategy has consistently been found to be one of the concerns of top management for the past fifteen years (Brancheau, Janz, & Wetherbe, 1996; Niederman, Brancheau, & Wetherbe, 1991; Youndt, Snell, Dean, & Lepak, 1996). As a result, a great deal of research has been undertaken in this field, especially on the relationship between IS and business functions and the antecedents that influence this relationship (Brown & Magill, 1994; Kearns & Lederer, 2003; Luftman & Brier, 1999).

Segars and Grover (1998, p. 143) define alignment as the “close linkage of IS strategy and business strategy.” This process encourages both areas to work together as partners and not, as Smaczny (2001) suggests, as a leader and a follower; the IS strategy being developed after the business strategy. Rather, both strategies are developed together, at the same time.

Reich and Benbasat (2000) argue that alignment is necessary for organizations so that they can take advantage of their IT opportunities and capabilities. Kearns and Lederer (2003) also found that sharing knowledge between the two functions, in order to devise an IT strategy that reflects the business plans, can create competitive advantage.

Unfortunately, there has been little research undertaken on the alignment of information assurance to either information strategy and/or corporate strategy. There have been calls for better governance in this field (Dutta & McCrohan, 2002; Entrust, 2004; IAAC, 2003; Von Solms, 2001a) but little mention is made about the links between the three areas. However, theorists do recognize that IA is a holistic process and involves complex links between technology, executive governance, human behavior and environmental factors (Backhouse & Dhillon, 1996; Baskerville & Siponen, 2002; Ettredge & Richardson, 2003).

Many organizations develop their information security policies in conjunction with their information systems strategy (Knapp & Boulton, 2006; Tsohou, Karyda, Kokolakis, & Kiountouzis, 2006). However, the volume of security-related incidents, and their associated costs, continues to rise (Chang & Yeh, 2006), showing that crucial information assurance issues are being buried in the IS strategy and are not being communicated to the board, when necessary. Indeed, van Opstal (2007, p. 6) found that, “A preponderance of board members report that boards are under-informed about operational risk”, which, in turn, can cause catastrophic problems as organizations such as Barings Bank, TJX, and Société Générale have found to their cost (see Section 1.3.1). Security is both a human resource and organizational concern, and includes other—non-IS factors—such as staff motivation, awareness and training; ethics; compliance and legal issues; integration; stakeholder analysis; and information sharing and collaborative mechanisms (Hinde, 2003). Thus, companies cannot afford to hide security and compliance issues within IT strategy. Information assurance must be seen as a separate holistic and transparent component, which is communicated in its own right to the appropriate stakeholders.

2.3. Improving IA Alignment

Aligning information assurance strategy with IS strategy and business strategy is not simply a case of developing all three strategies together. Rather, it involves gathering relevant information, developing relationships between functions and constructing appropriate processes and practices. The literature presents a variety of methods for improving the links between specialist functions such as IA and IS and the general business functions (Chan, 2002; Luftman & Brier, 1999; Sabherwal & Chan, 2001). These can be divided into four categories, which are similar to the strategy process of development, planning and implementation, control, and feedback (Cohen & Cyert, 1973; Frolick & Ariyachandra, 2006; Hansotia, 2002; Kolokotronis, Margaritis, Papadopoulou, Kanellis, & Martakos, 2002; Montealegre, 2002). These are

• Developing goals and critical success factors—the initial stage of strategy formulation includes the determination of the future direction and performance of the organization (Bryson, Ackermann, & Eden, 2007; Preble, 1992), as well as the functions—such as IA—required to fulfil them.

• Constructing or improving strategy alignment—the next stage of strategy formulation involves the identification of the processes, management and skills required for fulfilling the goals and critical success factors (Barney, 1991; Henderson & Venkatraman, 1993).

• Measuring and reporting practices—after the strategies have been developed and implemented, a review of performance is generally undertaken and corrective actions carried out, if necessary (Daft & Macintosh, 1984; Govindarajan, 1988).

• Evaluating and communicating strategic information to the board—appropriate feedback pertaining to strategy implementation and performance is communicated to the board (Raghupathi, 2007; Siebens, 2002).

In order to ensure alignment, strong links between business, IT and IA goals, critical success factors and strategies are essential. Furthermore, control and feedback will have an impact on strategy and, as a result, will also influence alignment. Finally, the organization’s environment—such as its competition, markets and resources—will help to shape strategy, too.

Improving information assurance alignment is discussed in more detail below using these four categories (see Figure 1).

FIG. 1. IA Strategy alignment model.

2.3.1. Developing IA Goals and Critical Success Factors (CSFs)

Three predominant IA goals and CSFs are mentioned in the literature. These are

• Anticipating threats to the organization and its goals—a breach in information security can have a severe impact on the organization (Logan & Logan, 2003; McHugh, 2001). For example, TJX—the owner of retail discount stores TJ Maxx and Marshalls—failed to comply with the Payment Card Industry Security Standard, which was established by the major credit card companies and sets minimum security expectations. TJX initially failed nine of the twelve compliance requirements and over a two year period avoided responsibility for improving its security. Due to this lack of diligence, TJX’s credit card data had been breached by hackers. Over 94 million credit card records had been compromised and TJX had to provide a $41 million settlement fund in order to compensate the affected customers and banks (Burnes, 2008; Chickowski, 2008). This example shows that TJX did not have suitable security controls in place in order to fulfil their business objectives effectively.

Likewise, Société Générale lost approximately €4.9 billion ($7.2 billion) due to unauthorised derivatives trading—the result of insufficient risk management information. PriceWaterhouseCoopers reported that the Bank had “a heavy reliance on manual processing and the workload of operating staff meant that certain of the existing controls in place were not operating effectively” (Sandman, 2008, p. 4). As a result, the Bank failed to anticipate the potential threats to the business from its own staff (Vijayan, 2008). Moreover, Société Générale is not the only bank to suffer from the risky behavior exhibited by employees. Barings Bank, Bear Stearns and Credit Suisse have all suffered from financial losses attributed to employee misconduct, mismanagement or negligence, which were not caught in time by appropriate controls (Wailgum & Sayer, 2008).

Anticipating and preventing informational threats is, therefore, vital for ensuring continuing working practices. Thus, an information assurance policy that is linked to business goals and communicated to the employees is an important weapon for preventing potential threats. Whitman (2003, p. 92) states that, “The security policy is the first and potentially the most important layer of security available to the organization.” This policy contains the organization’s basic security philosophy which dictates subsequent decisions, procedures and guidelines including prevention measures.

• Communicating IA procedures to the organization—Employees expect to gain strategic direction from their senior executives. They need to understand what changes to expect, the reasons behind these changes and how they will influence their own work (Edwards, 2000). As a result senior managers need to be the champions of employee communication (Powers, 1996). In its guidelines, the Turnbull Report (Turnbull, 1999, p. 13), suggests that Boards of Directors may wish to consider whether the company “communicates to its employees what is expected of them and the scope of their freedom to act.” In addition, line managers must develop strong, on-going relationships with other functional managers. For example, managers responsible for the IA, IS and business functions must communicate with one another so that IA, IS and business capabilities are integrated effectively at all levels of the organization (Rockart, Earl, & Ross, 1996). IA procedures can also be communicated to staff through awareness and training programmes, which can cement the organization’s basic security philosophy into its culture (Dutta & McCrohan, 2002).

• Responding to the changing environment and organizational needs—Today’s rapidly transforming business environment tends to encourage greater flexibility and change within organizations. Reengineering programmes, altering management information flows, re-designing business processes and developing new innovative product and services all require substantial input from information assurance experts (Dhillon & Backhouse, 2000; Rockart et al., 1996). In addition, it is important that information assurance issues do not constrain these changes by increasing bureaucracy, rigidity and centralisation of security policies. Baskerville and Siponen (2002) therefore suggest that organizations should develop a more flexible meta-policy which should provide guidelines on how security policies are created, implemented and enforced. This will enable security countermeasures to keep pace with the organization’s business requirements.

2.3.2. Constructing or Improving IA Strategy Alignment

Many studies on alignment have been based upon the seminal work undertaken by Henderson and Venkatraman (1993) in which they present a model illustrating the link between IT and business strategy. This was constructed using two concepts, namely strategic fit and functional integration. The former concept acknowledges the need to address both the internal and external business domains in order to develop alignment. The external domain includes the organization’s market place and is concerned with aspects such as the company’s products, marketing and customer information as well as other external factors such as competitors. The internal domain, on the other hand, is concerned with factors such as the company’s structure, culture and processes.

Henderson and Venkatraman suggest that the fit between the internal and external domains is critical for maximising organizational and economic performance. They argue that failure to derive success from IT is frequently due to this lack of alignment. For instance, IT strategies are often unsuccessful because of the poor supporting infrastructure and/or poorly skilled human resources. Thus, strategic fit is a key driver for success.

This article is based on the premise that information assurance should also be part of the strategic fit (see Figure 1). Like Henderson and Venkatraman, we suggest that the position of the company in the IA’s external domain will involve choices in three areas:

• The extent of the organization’s willingness to ensure prevention of threats and the security of data—in other words, what are the specific technologies, processes and systems required by a company in order to defend against potential threats so that its business objectives can be fulfilled?

• Systemic competencies—what attributes of IA strategy could positively contribute to the development of a new business strategy or could more effectively support the current strategy? This could include factors such as flexibility, reliability and speed.

• IA governance—what actions can be used in order to acquire the above systemic competencies? This could include alliances with vendors, joint research projects and education initiatives.

In addition, the internal IA domain must address three components:

• Security infrastructure—what technology and software should be included in the security infrastructure? How should this be configured?

• Processes—how should the IA processes and systems be developed, monitored and controlled?

• Skills—how should awareness, knowledge and the capabilities of employees and other stakeholders be developed?

The alignment literature also calls for a link between the business and IT domains. Henderson and Venkatraman label this functional integration. This link specifically deals with the impact that one function has on the other and includes the relationships of both the internal (operational integration) and external (strategic integration) domains. We suggest that information assurance should also be included in the integration between the domains.

The literature suggests a number of methods for developing or improving IA strategy alignment. These are

• Developing a relationship between IA, IT, and business functions—According to Henderson and Venkatraman (1993) and Ho (1996), the IT function should be capable of both influencing and supporting the business strategy. This is particularly the case for organizations which use their information systems for competitive advantage. However, often organizations focus too readily on technology rather than business, management and organizational issues (Luftman, Lewis, & Oldach, 1993). Likewise, the information assurance function needs to be able to shape and reinforce IT and corporate strategy as well as maintain a balance between security issues and organizational goals (Von Solms, 2001a). The relationships between these functions can be strengthened by encouraging more extensive participation in firm-wide strategic planning (Broadbent & Weill, 1993), improving resource utilization (Edwards, 2000) and enhancing communication and understanding between the three functions (Chan, 2002).

• Linking the formation of IA, IT, and business strategies—Rapid strategic change and the highly competitive nature of today’s business environment requires organizations to gather, interpret and synthesize information effectively and securely in order to remain flexible and to enable them to amend corporate initiatives, when necessary (Bergeron, Raymond, & Rivard, 2004). As a result, IA, IT and business strategies need to be strongly linked. Chan (2002) and Luftman and Brier (1999) suggest that this link is critical to developing successful alignment. Theorists have found that the link between these three strategies can be facilitated by (a) specifying who has authority and responsibility for risk, conflict resolution and the allocation of resources, (b) having a longer experience of undertaking organization-wide strategic planning processes, (c) focusing on critical and long-term issues, (d) making certain that strategic plans are well documented and are clear and consistent, (e) guaranteeing that the plans enhance overall organizational effectiveness, and (f) ensuring that the reporting level of those responsible for IT and IA are at board level (Broadbent & Weill, 1993; Chan, 2002; Luftman, 2003; Sledgianowski & Luftman, 2005; Tallon, Kraemer, & Gurbaxani, 2000).

2.3.3. Measuring and Reporting Practices

The literature suggests that measuring and reporting information assurance procedures and practices can help to instil a greater commitment to IA from all employees. These include:

Controlling and measuring the effectiveness of IA, IS, and business strategies—one of the greatest challenges of information assurance is to be able to communicate its value to the rest of the organization. In order to achieve this, managers must be able to assess its worth. All too often, however, both IA and IS metrics are difficult for the business to understand. Luftman (2003) therefore suggests a service level agreement which assesses the IA and IS functions’ level of commitment to the organization. The agreement should consist of business related metrics such as information quality, user satisfaction and business responsiveness and should be presented in language that is easy for non-technical people to understand (Peak & Guynes, 2003; Sledgianowski & Luftman, 2005). The strength of alignment between the IA, IS, and business functions can also be measured. This could include evaluating communication, learning and knowledge sharing, governance, partnerships, processes and skills (Chan, Huff, Barclay, & Copeland, 1997; Luftman, 2000).

2.3.4. Evaluating and Communicating Strategic Information to the Board

According to Von Solms (2001a), the board of directors should be provided with appropriate strategic information on IA. This will help to engage senior managers in the alignment process. This category, therefore, included the following:

Keeping senior management informed—Often, organizations invest considerable sums of money in developing performance measures but fail to take any action based on these measures (Luftman, 2003). This could have disastrous consequences for organizations if security is breached and there is a failure to act. Chan (2002) suggests that constructing formal reporting relationships and developing evaluation committees are vital. This will enable more effective monitoring and control by senior managers. In addition, the evaluation committees need to define the risk factors—often involving multiple dimensions and meanings—and their impact within the context of information security (Baker, Rees, & Tippett, 2007; Bodin, Gordon, & Loeb, 2008). Accurate measurement, communication and control of potential information security threats and countermeasures can not only save an organization from disaster but they may also “assist organizations in converting today’s security threats into tomorrow’s business opportunities” (Da Veiga & Eloff, 2007, p. 369).

This research will attempt to determine the factors that help to strengthen the alignment between IA and corporate strategy. Due to the scarcity of research in this area, we developed quite a broad research question:

What methods and processes included in the above four areas can be utilized effectively by organizations in order to align IA and corporate strategy?

3. METHODOLOGY AND RESEARCH DESIGN

The data collection for this research was divided into two stages. The first stage consisted of gathering information through interviews and the second stage involved undertaking the Delphi approach. Anderson, Rungtusanatham, and Schroeder (1994, p. 478) describe the Delphi approach as a technique “intended for systematically soliciting, organizing and structuring judgments and opinions on a particularly complex subject matter from a panel of experts until a consensus on the topic is reached or until it becomes evident that further convergence is not possible.” The Delphi technique is typically employed in circumstances where judgemental information is essential (Okoli & Pawlowski, 2004). In addition, the approach ensures that the data collection process is both reliable and valid because it exposes the investigation to differing, and often divergent, opinions and seeks convergence through structured feedback (Schmidt, Lyytinen, Keil, & Cule, 2001).

The objectives of this Delphi study focus on two points: (a) identifying the factors that can influence information assurance alignment, and (b) establishing a consensus on the desirability and the feasibility of implementing each factor.

In order to gather an initial list of statements for our Delphi, we interviewed a number of executives. Forty-three in-depth interviews were undertaken. The interviewees were senior managers; most were appointed to the board of their respective companies. These organizations ranged from SMEs to large multi-national corporations; the majority of which are listed on the stock market. The list of interviewees was drawn up from personal and organizational contacts and aimed to provide a good cross section of companies. The sampling strategy we used is that described by Strauss and Corbin (1990) as ‘open sampling’ where participants are selected to maximize the opportunities for augmenting the pool of relevant data [see Appendix A for further demographic information]. Interviews lasted between 60 and 90 minutes. They were open-ended and discovery oriented (Flint, Woodruff, & Gardial, 2002). Moreover, we tried to maintain a continuous ‘conversation’ rather than follow a rigid list of questions or themes (see Appendix C for some examples of the questions that we asked). Senior executives were engaged with this form of interviewing and we felt they were happy to enter into fairly detailed discussions, perhaps more than they would have been with an interaction based on questions and answers. Few guidelines exist on the optimum size of interview data pools. The idea of theoretical saturation is normally recommended (Locke, 2001) as a guide to sample size, and we feel this saturation was reached in our study.

The interviews were transcribed verbatim and transferred into Atlas-ti (a qualitative analysis software programme) where they were coded using the processes advocated by Strauss and Corbin (1998), namely open, axial and selective coding.

Open coding is “the analytic process through which concepts are identified and their properties and dimensions are discovered in data” (Strauss & Corbin, 1998, p. 101). In general, the data is examined and coded line-by-line, by sentence or paragraph or by a holistic analysis of an entire document (Sarker, Lau, & Sahay, 2001). Although the open coding process is procedurally guided, it is fundamentally interpretive in nature and must include the perspectives and voices of the people that are studied (Strauss & Corbin, 1998). Open coding allows the researcher to name similar events, occurrences and objects so that they can be categorized under common headings.

Next, axial coding was undertaken, which involved the process of sorting all the relevant open codes on alignment into varying categories. Whereas open coding breaks up the data so that it can be analyzed, axial coding reassembles the fractured data in order to discover relationships between the different categories and sub-categories. In this case, the codes in each category were associated with one particular topic on alignment. For instance, one family group was entitled, Options for Evaluating and Communicating Strategic Information to the Board.

Selective coding involves the identification of the core category—or the central phenomenon—and the linking of this core category to other major categories. This integration often occurs as a process model, which illustrates how the axial codes are related. In order to choose our principal category, we needed to ensure that all our other major categories could be linked to this central idea. The central idea chosen for this research was “methods for improving IA-corporate alignment”.

Finally, a number of statements were formed from the interview data for each of the axial categories. These statements each suggested one potential method for improving alignment. One statement from the above category, for example, was “Including IA metrics in general IT reports”. These statements were then combined and used for the second stage of the research—the Delphi study.

The first step in the Delphi procedure is to choose an expert panel (Brancheau et al., 1996; Larreche & Montgomery, 1977; Malhotra, Steele, & Grover, 1994). This is a particularly important step because it is the panel that lends content validity to the task (Anderson et al., 1994). Preble’s (1984) research has found that there is little difference between a panel of members chosen from a single organization and a panel of experts chosen from multiple organizations. The latter, however, provides a greater range of views and helps improve the generalizability of the results (Nambisan, Agarwal, & Tanniru, 1999; Okoli & Pawlowski, 2004).

We selected the second method and chose two different types of panelists. The first type included senior managers who are prominent members of the information security community (Mitchell & McGoldrick, 1994). Each has at least five years of practical experience within the IA field and is renowned for their competence in this area. The second type of panelists are academics who have expertise in information assurance (Guimaraes, Borges-Andrade, Machado, & Vargas, 2001; Okoli & Pawlowski, 2004). This provided a wider knowledge base and a greater range of experience. There were 36 members in the panel (see Appendix B for more information on the participants).

The Delphi approach started with two preliminary rounds (Schmidt et al., 2001). The initial stage involved generating the concepts that would be evaluated in later rounds. In some research studies these have been supplied for the panel as a starting point for idea generation (Anderson et al., 1994; Guimaraes et al., 2001; Nambisan et al., 1999; Saunders & Jones, 1992) while in others, the panel commences with a completely blank sheet of paper (Okoli & Pawlowski, 2004; Schmidt et al., 2001; Schmidt, 1997). We preferred to follow the example of the former studies where we used the results from our interviews to provide a list of factors that influence information assurance alignment. The panel members were free to amend or comment upon these ideas as well as generate their own concepts. The comments produced by the panel in each round were always fed back to the participants in the next round (Schmidt, 1997). This provided them with qualitative information on the thoughts, ideas and questions raised by other panel members. In addition, many panelists developed a rationale for why certain statements were important—or less important—to them, and this was presented anonymously to the rest of the panel in subsequent rounds. This helped the group to better understand the concepts and encouraged a form of nominal group debate (Malhotra et al., 1994).

Once the ideas had been collected and consolidated, the terminology was clarified and exact duplicates were removed. The resulting list was then sent back to the panel members for the second preliminary round. The objective here was to reduce the number of concepts into a manageable list. We achieved this by asking the panel to rate the concepts in terms of desirability and feasibility on a scale of one to six. The aggregate mean for each concept was calculated for the desirability score and those with a very low mean—that is, those that were deemed to be undesirable—were either refined for clarity or removed. The resulting list—which consisted of 29 statements—was then sent back to the panel. The members were again asked to rate the concepts in terms of desirability and feasibility. This was the first of the consensus rounds. After each round the panel were assessed for consensus using the standard deviation. A standard deviation of less than one implied a high consensus for that statement and it was, therefore, removed from the list and set aside for later consideration during the theory building process. If the consensus was low, however, the statement was left on the list. The amended list was subsequently sent back to the panel with the aggregated means for each statement and a record of the comments made by the members so that they were aware of the reasons for particular scores. This continued for three rounds until consensus was achieved. The resulting list of statements was then used to develop our theory (a more detailed summary of the analysis process is shown in Appendix D). This was achieved in the following way:

• The final statements were categorized into the four key groups.

• The statements for each group were plotted on a graph which showed the relationship between desirability and feasibility.

• Each graph was divided into four quadrants denoting the levels of desirability and feasibility. This was achieved by plotting the mean for desirability and feasibility in each category.

• Finally, we developed a number of models showing the relationships between the concepts (Anderson et al., 1994; Strauss & Corbin, 1998).
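The consensus rule and the quadrant plot described in the procedure above, worked through on constructed panel ratings as an added example. This is not the study’s own code or data: the ratings are invented, the standard deviation rule is applied to both the desirability and the feasibility scores using the sample standard deviation, and the placing of the Figure 2 quadrant names Challenges, Incomplete Options and Not Right Yet in particular corners is an assumption (only Premier Choices, high on both scales, is stated in the text).

```python
"""Delphi consensus check and desirability/feasibility quadrant classification (added example)."""
import statistics

# Constructed panel ratings (not the study's data): statement -> list of
# (desirability, feasibility) pairs, one per panelist, each on the 1..6 scale.
SAMPLE_RATINGS = {
    "A": [(6, 5), (6, 5), (5, 5), (6, 6), (6, 5)],  # strong, consistent support
    "C": [(6, 3), (6, 4), (5, 3), (6, 4), (6, 3)],  # wanted, but doubts on feasibility
    "G": [(4, 5), (5, 6), (4, 5), (5, 5), (4, 6)],  # feasible, less wanted
    "H": [(3, 3), (3, 4), (4, 3), (3, 3), (3, 4)],  # low on both scales
    "J": [(3, 2), (6, 5), (2, 3), (5, 4), (1, 2)],  # panel split: no consensus yet
}

CONSENSUS_SD = 1.0  # the study's rule: a standard deviation below one means the panel agrees

# Assumed mapping of (more desirable than the category mean?, more feasible?) to the
# four quadrant names used in Figure 2.
QUADRANTS = {
    (True, True): "Premier Choices",
    (True, False): "Challenges",
    (False, True): "Incomplete Options",
    (False, False): "Not Right Yet",
}


def summarize(ratings):
    """Mean and sample standard deviation of the desirability and feasibility scores."""
    des = [d for d, _ in ratings]
    feas = [f for _, f in ratings]
    return {
        "des_mean": statistics.mean(des), "des_sd": statistics.stdev(des),
        "feas_mean": statistics.mean(feas), "feas_sd": statistics.stdev(feas),
    }


def consensus_round(all_ratings, threshold=CONSENSUS_SD):
    """One Delphi round: statements whose SD is below the threshold on both scales are
    set aside as settled; the rest are carried forward (with their means) to the next round."""
    settled, carried = {}, {}
    for stmt, ratings in all_ratings.items():
        summary = summarize(ratings)
        if summary["des_sd"] < threshold and summary["feas_sd"] < threshold:
            settled[stmt] = summary
        else:
            carried[stmt] = summary
    return settled, carried


def classify_quadrants(settled):
    """Place each settled statement in a quadrant relative to the category means.
    A statement sitting exactly on a mean is counted as 'more' (ties go up/right)."""
    des_cut = statistics.mean(s["des_mean"] for s in settled.values())
    feas_cut = statistics.mean(s["feas_mean"] for s in settled.values())
    placed = {
        stmt: QUADRANTS[(s["des_mean"] >= des_cut, s["feas_mean"] >= feas_cut)]
        for stmt, s in settled.items()
    }
    return placed, (des_cut, feas_cut)


if __name__ == "__main__":
    settled, carried = consensus_round(SAMPLE_RATINGS)
    print("carried to next round:", sorted(carried))
    placed, (des_cut, feas_cut) = classify_quadrants(settled)
    print(f"category means: desirability {des_cut:.2f}, feasibility {feas_cut:.2f}")
    for stmt, quadrant in sorted(placed.items()):
        print(f"{stmt}: {quadrant}")
```

With these constructed ratings statement J is carried forward because the panel is split on its desirability, while A, C, G and H are settled and fall into the four different quadrants; in a real run the carried statements would go back to the panel with the means and anonymised comments, exactly as the procedure describes.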

4. RESULTS

As stated above, the 29 statements were classified using the four categories from the literature review. These are discussed in more detail below.

4.1. Options for Developing IA Goals and CSFs

The panel developed a consensus regarding ten desirable goals and critical success factors pertaining to information assurance alignment. As for all the options put to the panel, we asked for the CSFs to be given a feasibility rating, shown in Figure 2.

Key to Figure 2

A Gaining senior executive support for information assurance

B Instilling IA values and awareness amongst employees

C Anticipating IA threats

D Developing a security architecture that can rapidly respond to changes in the business environment

E Clarifying individual IA roles and responsibilities for all employees in the organization

F Developing IA policy beyond legislation and regulation

G Developing a 3 to 5 year IA strategy

H Working together with members of the same industry to develop solutions for IA issues

I Responding to changing organizational needs by providing flexible IA procedures and regulations

J Using the latest security technology, when appropriate

K Improving communication between IA and business functions

L Aligning IA measures with business objectives

M Prioritising IT/IA projects in line with organizational goals

N Improving the knowledge of both IA and Corporate goals and requirements for all relevant personnel

O Involving the IA function in corporate strategy development

P Developing collaboration between IA and the organization’s other functions

Q Discussing at board level key strategic dilemmas e.g. sharing information vs. tight security pertaining to IA

R Ensuring IA practitioners’ discuss how IA processes can support or restrict corporate strategy when undertaking IA changes

S Dedicating resources to making the IA practices responsive to changes in the environment

T Identifying different (internal and external) stakeholders’ requirements in terms of IA

U Determining information assurance success by qualitative as well as quantitative measures

V Using metrics to measure information assurance

W Evaluating employees’ IA practices

X Benchmarking IA against external organizations (best practices/standards)

Y Having IA metrics which focus on time performance (for example, how long did it take to discover incidents and how long did it take to recover)

Z Providing non-technical reports to the Board of Directors so that they can understand and approve IA policy

(a) Reporting to the board on how IA goals are being achieved

(b) Frequent auditing of IA policies

(c) Including IA metrics in general IT reports

[Figure 2: four scatter plots, one per category (Developing IA Goals & CSF; Improving Strategy Alignment; Measuring & Reporting Practices; Evaluating and Communicating Strategic Information to the Board). Each plots the statements’ mean Desirability (horizontal axis, Less Desirable to More Desirable) against mean Feasibility (vertical axis, Less Feasible to More Feasible) and is divided into four quadrants labelled Premier Choices, Challenges, Incomplete Options and Not Right Yet.]

FIG. 2. Options for improving IA alignment.

The most desirable critical success factor was considered to be acquiring senior management support for information assurance (Statement A). According to the panel of experts,

• This aim is very desirable; it is far easier to implement this kind of—not inexpensive—change with top down support. However as always it is getting that support that is where the difficulty lies.

• I think it’s been proven [that] this is both possible and [that it] yields far better results—security needs to be instilled into the culture which requires efforts from the top down. If senior management won’t take IA seriously, they can’t expect their employees to do so.

• This is one of the main CSFs for a successful implementation of an IA plan.

Anticipating IA threats (C) was also seen as highly desirable. As one expert commented,

Many people try to measure incidents as a way to get insight into their situation. However, incidents are normally very few and far between . . . There is much more insight to be gained from measuring the threats and anticipating threat trends.

Although the panel did suggest that anticipating IA threats was feasible, the experts did, however, give it the lowest feasibility rating. The reasons they gave can be summarized as follows:

It is not always possible to anticipate the unexpected and it becomes too onerous to keep up to date—the overhead in gathering data to allow anticipation can be high.

Statements A, B, and F are all seen as highly desirable and highly feasible. Consequently, “gaining senior executive support for information assurance” (A), “instilling IA values and awareness amongst employees” (B), and “developing IA policy beyond legislation and regulation” (F) are seen to be essential and practical for organisations. Statement G – “developing a 3–5 year IA strategy”—was found to be slightly less attractive. Thus, although creating a medium term strategy is feasible it is less desirable than other possible approaches. Organisations may, therefore, want to experiment with this concept in order to construct an approach that is much more desirable. In fact, one expert suggested that the development of tactics rather than strategy was more advantageous.

“Developing a security architecture that can rapidly respond to changes in the business environment” (Statement D) and “clarifying individual IA roles and responsibilities for all employees in the organisation” (E) were both seen as desirable but their feasibility scores were lower. Many of the panel members believed that the implementation of these two approaches could be difficult. In particular, they perceived that creating solid and flexible security architecture could be problematical due to expense and constantly changing threats. In addition, the clarification of roles and responsibilities can also prove to be problematical. As one of our experts stated,

There are staff who simply make mistakes through lack of knowledge and awareness, and staff who knowingly ignore controls or transgress codes of acceptable behaviour through holding unacceptable attitudes or behavioural principles.

The last three approaches, “working together with members of the same industry to develop solutions for IA issues” (H), “responding to changing organizational needs by providing flexible IA procedures and regulations” (I) and “using the latest security technology, when appropriate” (J) had much lower desirability and feasibility scores.

Working with other organizations to resolve IA issues was seen to be desirable. In fact, one panel member suggested that

Information sharing is a crucial and critical part of each enterprise’s IA practice. Others will disagree but this is definitely feasible if only enterprises, public and private sector, stop behaving like mini silos.

It was this lack of cooperation which was of greatest concern to the panel members. Indeed, many respondents were highly enthusiastic about sharing information with other organizations, but as one member stated, “there may be many issues of commercial conflicts that affect this . . . [but] it is also a benefit to get ideas from others outside one’s own industry to see how they have addressed these issues. One can learn a lot from other industry sectors.”

Responding to changing organizational needs (Statement I) was also believed to be problematical. This was primarily due to time and cost issues as well as the need to be both consistent and compliant.

However, one expert suggested that if inflexible security policies impeded the organization’s development, it would project a negative image of IA. In addition, another panel member stated,

The linkage between security and business requirements is essential and the ability to deliver procedures and regulations which match a changing business environment is a powerful way to provide benefit rather than be seen as an obstructive overhead. It is not easy to do as frequently it may impose budget or time constraints on projects and business initiatives.

In order to reconcile the need to be flexible with the difficulties in changing IA procedures, the panel recommended that IA should operate, where possible, at the level of general principles rather than detailed procedures.

Finally, using the latest security technology (Statement J) was also believed to be less feasible than many of the other options. Indeed, the experts offered some strong opinions on this issue:

• The latest technology is expensive and not always the most robust.

• Technology is only a minor feature of a sound IA regime. Simple procedures or education may be more cost-effective.

• It can create a false sense of security and possibly raise the level of risk.

• Integrating new technology can be difficult especially for organizations growing by acquisitions.

4.2. Options for Improving IA Strategy Alignment

The nine factors found in this category were ranked in order of desirability by the expert panel (see Figure 2) and plotted on a graph using the desirability and feasibility mean scores. The results show that effective IA strategy alignment is dependent on the following:

• Raising IA decisions up the organization chart, by either ensuring that the Board is involved in such decisions or making certain that IA practitioners are involved in strategic decision making. As one panel member commented, “The risk is carried by the business function. The purpose of the IA programme is to quantify and articulate that risk to the business function who will then judge how to manage it.”

• Better communication between the functions involved with IA and the rest of the business, and communication of IA goals widely in the organization. As pointed out by one of our experts, “Good IA is the art of communication”. This includes a mutual understanding of the goals and requirements for each function which is frequently seen as a barrier to alignment. In fact, two panel members argued that, “[communication] has to be in a language the functions understand, can relate to and place importance on.” Thus, “We still need to develop suitable terminology where both the IA and the business functions can have a shared understanding.”

• The need for clear mechanisms to ensure that the business impact of IA decisions is checked, at either project level or policy level.

Whatever their desirability, not all options were deemed as feasible as others by the experts involved in our panel. Accordingly, there are five options that can be used to align IA strategy and business strategy that are not only very desirable but also very feasible. Three of these options are concerned with raising the profile of information assurance in the organization. These are

• Involving the IA function in corporate strategy development (Statement O).

• Improving communication between IA and business functions (K).

• Improving the knowledge of both IA and Corporate goals and requirements for all relevant personnel (N).

If the involvement of IA managers in strategic decisions is not possible, then better communication is the key to ensuring alignment. The objective of such communications, according to our expert panelists, is to ensure that ‘the business’ knows the reasons behind IA decisions.

Examples of how this can be achieved vary, but in our research we have come across an interesting example of an organization running some form of security intranet:

We have a corporate security website which is frequently referred to in corporate communications which is to do with the softer issues around security and the development of an appropriate culture.

The other two desirable options that were found are concerned with ensuring that there is an element of cross checking between business projects and their IA impact and vice-versa. These are

• Aligning IA measures with business objectives (L).

• Prioritizing IT/IA projects in line with organizational goals (M).

These two statements generated much debate amongst our panelists. In the words of one expert, “If this is not done the IT/IA is out of control and the boss should be fired.” However, many other panelists suggested that, sadly, only a few organizations ensured that the ideas contained in the above two statements were adhered to. The answer to why this may be the case is, perhaps, referred to by one panelist who suggested that there were ‘many people’ involved in ensuring alignment at project level and this made it a complex exercise. Interestingly, we had come across a strategy of how this could be achieved in one of our earlier interviews in a multi-national bank with headquarters in central Europe. Here, the bank runs a forum where different parts of the business can exchange ideas with IA staff. This has been very beneficial for the participants because the forum facilitates communication. At the same time, control is used to guarantee alignment within the bank by ensuring that the IA function scrutinizes all IT projects at a detailed level. The bank leaves no room for basic technical flaws that could have a negative security impact.

“Developing collaboration between IA and the organization’s other functions” (P) was perceived as desirable by our panel members but it was also seen as potentially hazardous to implement. The importance of this collaboration was emphasized by our respondents. As one member stated, “The business drives the requirements and IA requirements need to be incorporated at source, otherwise there will be conflict between business and IA objectives.” However, the ease with which this collaboration takes place depends on a number of factors including the way in which security is organised within the company, the culture of the organization, and the level of understanding between IA officials and the rest of the staff. According to one panel member, collaboration “has to be in the language of the manager” so that they can relate to it.

There were three options that were seen to be less desirable and feasible in this category. These are “discussing at board level key strategic dilemmas e.g. sharing information vs. tight security pertaining to IA” (Statement Q), “ensuring IA practitioners’ discuss how IA processes can support or restrict corporate strategy when undertaking IA changes” (R), and “dedicating resources to making the IA practices responsive to changes in the environment” (S). Statement Q, discussing key strategic dilemmas, was seen as important, but the majority of our panel members thought this should not be undertaken at board level. According to one respondent, “Board agendas can make it difficult to achieve the correct level of interest but audit committee, risk committee etc may provide opportunities to raise [these issues] with executive management and [provide] a vehicle for placing [them] before the board.” The opportunity to place relevant issues before the board was seen as important. As one panel member said, “The accountability is at board level so this is where it should be resolved.” However, it was felt that the detailed discussions on these dilemmas should be undertaken at the audit or risk committee level.

The lower desirability and feasibility scores for “ensuring IA practitioners’ discuss how IA processes can support or restrict corporate strategy when undertaking IA changes” (Statement R) indicates that there was a lack of confidence in communicating possible problems. According to one respondent, “That would take a good understanding of the impacts [of IA on corporate strategy] which most of us don’t have. It could also be seen as a red flag by managers.” However, many in our panel stressed that IA should not just be seen in terms of risk but also as a business enabler.

Finally, Statement S, “dedicating resources to making the IA practices responsive to changes in the environment” also had a lower desirability and feasibility score. The idea of flexibility was generally seen as advantageous but there was some concern about the impression that this may give to employees, namely that IA was a collection of moveable goalposts when in reality there is a large number of immutable rules. Moreover, calculating the cost and the amount of resources required to provide this flexibility was seen as highly problematical.

4.3. Options for Measuring and Reporting Practices

This category contains six statements. “Identifying different (internal and external) stakeholders’ requirements” (Statement T) was deemed to be very desirable by the panel of experts. This is because

• Every organization has to interact with others and share information. Interoperability requires a reconciliation of different policy stances.

• Those selling via the Internet need to ensure customers’ personal and credit card details are secure as well as protecting their “own” information.

• It is a BS7799/ISO 17799 requirement.

• It helps to encourage a security-focused culture for all organizations involved in the value chain.

• The information is useful to feed into strategies, awareness initiatives, etc.

“Benchmarking IA against external organizations (best practices/standards)” (X) was also perceived as a desirable method of measuring and reporting information assurance issues. However, although it was seen as an attractive option, the panel of experts were less enthusiastic about its feasibility. Two of the major disadvantages of benchmarking with external companies are the lack of willingness to share information between organizations and the fact that other firms may be located in different business environments and therefore they are difficult to compare. Thus, “Identifying different (internal and external) stakeholders’ requirements” (T) was perceived to be a more feasible approach for measuring and reporting IA practices. However, the experts suggested a number of potential problems with ascertaining stakeholder requirements:

• We may not know who the stakeholders are or, if we do, they may not be able to communicate their requirements in any meaningful way.

• Often the stakeholders are not sure of their requirements.

The experts, therefore, suggested that a stakeholder analysis should be undertaken by management followed by the development of a framework mapping out the stakeholders and their information assurance requirements. Once this map had been completed it should be evaluated and updated regularly.

Moreover, the panel strongly felt that using metrics to measure information assurance (V) was desirable. In particular, the respondents considered that IA should be measured using both quantitative and qualitative methods (U). As one respondent stated, traditional quantitative metrics do not provide a thorough evaluation of IA processes:

I feel that both quantitative and qualitative measures can more accurately show the contribution of information security.

Another metric that was deemed desirable was the focus on speed of responsiveness (Y). In fact, one respondent suggested that the only metric that mattered in determining the effectiveness of internal control was time—how long it took to discover an incident and to recover. However, evaluating incidents is not always easy. As one panel member stated, “It is difficult to estimate how many unsuccessful attempts to access a system have been made but it is possible to determine those that succeed—sometimes. Metrics can cause a lot of problems if used incorrectly.”
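An added example, not from the paper, of how the time-based metrics in Statement Y (time to discover an incident and time to recover) could be produced from an incident register for a board report. The incident records are constructed, and the handling rules are my own choices: open incidents count towards time-to-detect only, records whose timestamps run backwards are rejected and listed rather than silently skewing the averages, and the median is reported alongside the mean because one long-running incident dominates a small sample.

```python
"""Time-to-detect and time-to-recover metrics from an incident register (added example)."""
from datetime import datetime
from statistics import mean, median

# Constructed incident records (not the study's data). Timestamps are ISO 8601;
# "recovered" is None for incidents still open at the reporting date.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2011-01-03T08:00", "detected": "2011-01-03T10:30", "recovered": "2011-01-03T16:00"},
    {"id": "INC-2", "occurred": "2011-01-10T22:15", "detected": "2011-01-12T09:00", "recovered": "2011-01-13T18:00"},
    {"id": "INC-3", "occurred": "2011-02-01T00:00", "detected": "2011-02-01T01:00", "recovered": None},
    # Constructed bad record: detection logged before the incident start, so it must be rejected.
    {"id": "INC-4", "occurred": "2011-02-05T14:00", "detected": "2011-02-05T13:00", "recovered": "2011-02-05T15:00"},
]


def _hours_between(start_iso, end_iso):
    """Elapsed hours from start to end; negative when the record is out of order."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return (end - start).total_seconds() / 3600.0


def _summary(values):
    """Mean, median and count of a list of durations (None when there is nothing to report)."""
    if not values:
        return {"mean": None, "median": None, "n": 0}
    return {"mean": mean(values), "median": median(values), "n": len(values)}


def time_metrics(incidents):
    """Time-to-detect (occurred -> detected) and time-to-recover (detected -> recovered) in
    hours. Open incidents contribute to detection only; records with backwards timestamps are
    rejected and their ids returned so the report can state how many were excluded."""
    detect, recover, open_ids, rejected = [], [], [], []
    for inc in incidents:
        ttd = _hours_between(inc["occurred"], inc["detected"])
        ttr = None if inc["recovered"] is None else _hours_between(inc["detected"], inc["recovered"])
        if ttd < 0 or (ttr is not None and ttr < 0):
            rejected.append(inc["id"])
            continue
        detect.append(ttd)
        if ttr is None:
            open_ids.append(inc["id"])
        else:
            recover.append(ttr)
    return {
        "time_to_detect_hours": _summary(detect),
        "time_to_recover_hours": _summary(recover),
        "open": open_ids,
        "rejected": rejected,
    }


if __name__ == "__main__":
    for name, value in time_metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```

Only incidents that were actually discovered appear in such a register, which is the point the panel member makes: the figures describe the detected population, not every attempt, and a fall in the numbers can mean better control or worse detection.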

Assessing employees’ IA practices (W) provided a lot of comments from the panel of experts. They suggested that this was an important issue and should be part of the annual appraisal process. However, it was proposed that this assessment should only occur after the employee has been on an appropriate awareness and training programme. This assessment of employees was deemed to be desirable for the following reasons:

• Assessment is one method of identifying and reporting on the state of security awareness in the company.

• Regular audits are essential to ensure that the documented processes and procedures are being followed and to ascertain the reasons they are not being followed, if this is the case.

• IA is about culture and the cultural values can only be reinforced by reference to current behavior.

• Regular assessment can exert pressure on employees to comply with information assurance standards.

The respondents were also asked to look at the feasibility of each statement. Although some options were seen as desirable to the panel of experts, they can be difficult to implement effectively. For example, two panel members pointed out that measuring and evaluating the employees’ IA practices (W) can be expensive. In addition, these practices need to be defined and communicated to the employees and the employees, themselves, are required to recognize and accept the need for IA controls.

From Figure 2, it can be seen that statements T (Identifying different (internal and external) stakeholders’ requirements in terms of IA) and W (Evaluating employees’ IA practices) are shown to be both highly desirable and highly feasible. Organizations can, therefore, implement these processes with relative ease. Consequently, these actions may be two of the organization’s initial IA processes to be implemented. However, statements U (Determining information assurance success by qualitative as well as quantitative measures) and V (Using metrics to measure information assurance) are seen to be desirable by the experts but their feasibility scores are lower. Statement U is, in fact, seen as a very desirable option but finding the most appropriate and accurate qualitative and quantitative measures could be challenging for managers.

4.4. Options for Evaluating and Communicating Strategic Information to the Board

This category consists of four factors which are listed in terms of desirability and plotted against feasibility in Figure 2.

“Providing non-technical reports to the board” (Statement Z) was seen as the most desirable reporting practice. The panel of experts suggested that the report could consist of the following:

• Clear cost/benefit statements

• An evaluation of the organization’s risk environment

• The organization’s IA performance measured against industry peers

• A forecast of potential threats and their impact on current policy

• Clear recommendations on future strategy and focus

• A list of business benefits that have accrued with the help of the current IA strategy

• A statement of commitment and compliance for the organization.

Similarly, “Reporting to the board on how IA goals are being achieved” (Statement (a)) was also seen to be highly desirable and feasible. Indeed, many in the panel thought that this was “critical in most businesses today” and is essential for good governance and control. As one panel member suggested, effective communication is a key part of information assurance.

Two further evaluating and reporting practices were also mentioned by the panel, “Frequent auditing of IA policies” [Statement (b)] and “Including IA metrics in general IT reports” [Statement (c)]. According to one panel expert, the former “will clearly have a role in helping to ensure compliance, but the frequency must be such that it does not become overly burdensome for all concerned.” There was general agreement amongst the panel that IA policy auditing should occur no more frequently than once a year although organizations which are not so dependent on technology should audit, “every two to three years given legislation and changing market expectations.”

Including IA metrics in general IT reports (c) was seen as “a good awareness tool” by the panel. However, many of the experts suggested that developing the IA metrics in the first instance could be problematical. Indeed, one panel member went so far as to suggest that, “Metrics are not fully developed enough for this to be effective” although others indicated that developing effective measures was possible as long as they are acceptable to all the appropriate stakeholders. Furthermore, our experts felt that the IT/IS function was not the only area that should include these metrics. As one Delphi participant stated, this “implies that IA is just part of IT. This is a very bad concept as it increases the extant communications gap with all non-IT people. The metrics should be in all the line managers’ reports starting with finance and sales/marketing.” Nonetheless, one expert suggested that auditing is only useful if supported by enforcement methods and if it actively helps to resolve breaches—in other words, the audit should also ask ‘why’ questions. In general, a large number of the panel agreed that auditing should not be used to develop a “blame culture”.

5. DISCUSSION: STRENGTHENING IA AND CORPORATE ALIGNMENT

In total, the expert panel agreed on twenty-nine factors that influenced IA and corporate alignment. However, although most of these actions were recognized as desirable, the panel thought that a number of them were not easily implemented. Consequently, we plotted desirability against feasibility on a scatter graph for each of the four categories. We then calculated the midpoint for each scale in order to produce the 2×2 matrices (see Figure 2).

5.1. Premier Choices

The top right hand box of the matrices was seen by the panel as both highly desirable and highly feasible. We, therefore, named this segment “Premier Choices”. Twelve of the factors were positioned in this sector.

According to Bergeron, Raymond, and Rivard (2001), Miller (1981), and Venkatraman (1989), strategic alignment can be viewed as a series of frequently recurring clusters of attributes—or gestalts—which are predictive in nature. This perspective of alignment seeks “to look simultaneously at a large number of variables that collectively define a meaningful and coherent slice of organizational reality” (Miller, 1981, p. 8). Thus, the twelve factors were placed into six predictive clusters for enhancing alignment, namely Intra-Organizational Communication, Training and Awareness, Evaluating Practices, IA—IS—Business Unity, Identifying Requirements and Senior Management Involvement and Support (see Figure 3).

FIG. 3. Methods for enhancing alignment—premier choices. [Figure: the twelve premier choices grouped into six clusters. Intra-Organizational Communication: improving communications between IA and business functions; providing non-technical reports to the Board of Directors so that they can understand and approve IA policy; reporting to the board on how IA goals are being achieved. Training and Awareness: instilling IA values and awareness amongst employees; improving the knowledge of both IA and corporate goals and requirements for all relevant personnel. Evaluating Practices: evaluating employees’ IA practices. IA—IS—Business Unity: aligning IA measures with business objectives; prioritising IA/IT projects in line with organizational goals; involving the IA function in corporate strategy development. Identifying Requirements: developing IA policy beyond legislation and regulation; identifying different (internal and external) stakeholders’ requirements in terms of IA. Senior Management Involvement and Support: gaining senior executive support for information assurance.]

5.1.1. Intra-Organizational Communication

The research found three premier choices for developing alignment through intra-organizational communication. These are

• Improving communication between IA and business functions.

• Providing non-technical reports to the board of directors so that they can understand and approve IA policy.

• Reporting to the board on how IA goals are being achieved.

Improving communication between functions as well as throughout the hierarchy was therefore seen as an essential element for enhancing information assurance alignment. Similar ideas can also be found in the work of Broadbent and Weill (1993), Chan (2002), and Willcoxson and Chatham (2004). Brown and Ross (1996) suggest that enhanced cooperation and communication will improve mutual understanding, appreciation and trust between functions. However, this crucial communication is often left to a few individuals who tend to converse regularly with other departments (Huang & Hu, 2007).

Research has found that alignment can be enhanced when the senior managers of each function share and communicate domain knowledge with one another (Reich & Benbasat, 2000). Lack of understanding and poor job security both contribute to inadequate communication between technologists and business leaders (Jeffery & Leliveld, 2004). According to Ward and Peppard (1996), the different functions within organizations must recognize that there is a problem with communication and trust before these challenges can be solved. In an effort to reduce these problems, structural overlays such as top management advisory groups, audit and IA steering committees, matrix reporting, cross-functional job rotations, physical co-location and inter-departmental events could be implemented (Brown, 1999; Brown & Ross, 1996). This would provide opportunities for developing partnerships and undertaking mutual education and training. In addition, ensuring a greater understanding of information assurance and providing feedback on how IA goals are being achieved would help to convey the value of IA to both board members and employees alike. They could encourage greater commitment from staff for maintaining and/or improving information security procedures and policies throughout the organization. This is particularly the case for board members. As one of our experts stated, “Corporate strategists are not so interested in IA unless there is an obvious need and reason.” It is therefore important to provide board members with a greater understanding of the value and goals of information assurance. Furthermore, developing a forum where ideas—and potential disagreements—can be discussed between functions acts as an additional enabler for alignment. This can encourage mutual respect and a greater sense of teamwork.


5.1.2. Training and Awareness

The panel suggested two premier choices for enhancing alignment through training and awareness. These are

• Instilling IA values and awareness amongst employees.

• Improving the knowledge of both IA and Corporate goals and requirements for all relevant personnel.

Instilling IA awareness and values amongst employees was seen as a crucial factor for enhancing alignment. In fact, one expert stated that

An essential element in providing security is that it needs to be implemented. Failure to engage employees means that it is unlikely to be implemented. The trick is to make it meaningful to employees both in business terms and in terms of their own day-to-day work.

In addition, employees need to feel personally responsible for the security of their organization and they need to be able to learn and react quickly when the need arises (Kesh & Ratnasingam, 2007). This is especially the case during a security crisis where contingency plans need to be implemented promptly. It is therefore essential that all employees are provided with the necessary training and given adequate information on the latest security threats (D’Arcy & Hovav, 2007; Whitman, 2003).

The panelists also suggested that engagement was equally necessary for senior managers. To achieve this, it was recommended that IA personnel should emphasize the relationship between business goals and security when communicating with business managers:

The senior executives, particularly in the current climate, are sensitised to ensuring internal control is effective. IA is part of internal control and assists in addressing business risks. If senior executives are approached on a business risk basis (not a technical risk basis) then getting buy-in (or better transfer of ownership) is much easier to accomplish.

Along a similar vein, Broadbent and Weill (1993) advocate that rotating middle and senior managers between functions may serve as an effective method for improving both understanding and relationships between the different departments.

5.1.3. Evaluating Practices

According to Vroom and Von Solms (2004, p. 193), “The role of the employees is vital to the success of any company, yet unfortunately they are also the weakest link when it comes to information security.” Employees can pose a significant IA risk to organizations due to the number of security breaches undertaken by staff each year (Schultz, 2002). These include both malicious attacks and accidental breaches, which can be caused by negligence or ignorance of IA policies. Mitnick (2003) demonstrates how easy it is for employees to be deceived into giving out personal information to potential hackers.

One of the premier choices for enhancing alignment advocated by our panel—evaluating employee IA practices—would help to reduce security breaches undertaken by staff as well as helping to instil IA awareness into the business culture. This evaluation should include basic technical “good practice” such as monitoring the installation of unauthorized software (Da Veiga & Eloff, 2007) and assessing employee security awareness (Kruger & Kearney, 2006) as well as monitoring any changes in behavior or the exacerbation of excessive personal or group conflicts (D’Arcy & Hovav, 2007; Dhillon, 2001). Moreover, it is essential that any carelessness, lack of knowledge or disregard of procedures is dealt with quickly in order to ensure compliance.

5.1.4. IA—IS—Business Unity

The panel suggested that there are three premier choices for ensuring unity between functions. These are

• Aligning IA measures with business objectives.

• Prioritising IA/IT projects in line with organizational goals.

• Involving the IA function in corporate strategy development.

Previous alignment research has shown that developing strong links between functions helps organizational performance (Bergeron et al., 2004). Luftman (2000), for example, found that prioritising projects was a key enabler of alignment. In this instance, prioritising IA/IT projects implies that managers are able to incorporate security policies and measures into their IT and business strategies in order to keep abreast of competitors (Luftman, Papp, & Brier, 1999). For example, e-Bay emphasizes peace of mind to its customers by providing information on safety and security protocols in its Safety Center. This information has been built into e-Bay’s key service, namely its internet site.

The above three premier choices are designed to develop a sense of collaboration, unity and understanding between the functions (Kearns & Lederer, 2003). This should enhance communication and provide greater commitment towards fulfilling both IA and organizational goals (Brown & Magill, 1994).

5.1.5. Identifying Requirements

Identifying the IA requirements of internal and external stakeholders and developing IA policies, procedures and guidelines to help support these requirements were both seen by the panel as essential enablers of information assurance alignment.

Post and Kagan (2007) and McFadzean, Ezingeard, and Birchall (2007) suggest that excessively tight information security can hinder both employees and customers alike. Systems can become inaccessible due to tight controls, which can reduce staff productivity, or access controls—such as passwords—can be too complex thereby forcing stakeholders to write them down in order to aid memory. Moreover, stakeholders can have different perceptions of risk. For example, employees’ views of potential threats may not correspond to those of information security professionals (Tsohou et al., 2006). It is for these reasons that some theorists believe that a more holistic view of IA is required (Backhouse, Hsu, & Silva, 2006; Zuccato, 2004). Understanding the needs of stakeholders, therefore, is essential for developing this holistic view and encouraging greater alignment and compliance. This information can also be used to develop more effective IA policies.

IA policies should present the company’s overall purpose and direction of information assurance as directed by senior managers and should be in accordance with the organization’s vision (Da Veiga & Eloff, 2007). These should include Internet and e-mail policies, access control policies, physical and environmental policies as well as policies dealing with specific threats such as social engineering (Mitnick, 2003). In addition, these policies need to be audited to ensure that they are in the best interests of the company, that they guarantee compliance and that they help to fulfil the organization’s goals (Vroom & Von Solms, 2004).

5.1.6. Senior Management Involvement and Support

The alignment literature has acknowledged the need for senior management involvement and support in order to enhance the link between functions (Brown & Magill, 1994; Chan, 2002; Kearns & Lederer, 2003). According to Edwards (2000, p. 49), “Individuals and groups within the organization will look for direct and indirect signs [from senior managers] in order to understand what strategic changes to expect, the rationale behind the changes and the direct connections to their individual work.” In addition, Reich and Benbasat (2000) found that the social dimensions of alignment were influenced by the sharing and communication of domain knowledge by the senior managers of each function. In fact, Luftman, Papp, and Brier (1999) identified senior management support as the most important enabler of alignment. Likewise, the panel of experts also found that this is an essential ingredient of effective IA alignment. Senior managers must recognize and communicate the importance and value of information assurance to the rest of the organization. Furthermore, they need to define and convey a clear IA vision and strategy to all internal and external stakeholders as well as providing the appropriate resources for IA projects.

5.2. Challenges

The bottom right hand box of the matrices includes those factors that are desirable but are not easily implemented. In other words, there are still barriers to be overcome before these issues can be put into action. We have called this segment “Challenges.” Six factors were placed in this category (see Figure 4).

FIG. 4. Methods for enhancing alignment—options requiring further work. [Figure: desirability plotted against feasibility for the four categories (Improving Strategic Alignment; Evaluating and Communicating Strategic Information to the Board; Developing IA Goals and CSF; Measuring and Reporting Practices), with quadrants Premier Choices, Challenges (require further work), Incomplete Options and Not Right Yet (may require change in managerial philosophy/business environment). Options plotted outside Premier Choices: developing collaboration between IA and the organization’s other functions; discussing at board level key strategic dilemmas pertaining to IA; ensuring IA practitioners discuss how IA processes can support or restrict corporate strategy when undertaking IA changes; dedicating resources to making the IA practices responsive to changes in the environment; frequent auditing of IA policies; including IA metrics in general IT reports; anticipating IA threats; developing a security architecture that can rapidly respond to changes in the business environment; clarifying individual IA roles and responsibilities for all employees in the organization; developing a 3 to 5 year IA strategy; working together with members of the same industry to develop solutions for IA issues; responding to changing organizational needs by providing flexible IA procedures and regulations; using the latest security technology, when appropriate; determining information assurance success by qualitative as well as quantitative measures; using metrics to measure information assurance; benchmarking IA against external organisations (best practices/standards); having IA metrics which focus on time performance (for example, how long did it take to discover incidents and how long did it take to recover).]


The panelists agreed that the need for communication between the business and IA functions was important and feasible—and was, therefore, placed in Premier Choices—but that going beyond communication towards collaboration was much more challenging. The statement “Developing collaboration between IA and the organisation’s other functions” achieved high scores for desirability but lower scores for feasibility—suggesting that many barriers would have to be overcome for collaboration to be achieved. Yet, collaboration between IA and the business functions is a major key to success for an effective relationship (Chan, 2002). As pointed out by an IA expert in banking, ensuring alignment is often a matter for “joined up thinking” rather than radical change:

So what I can say to a board is . . . we’re not talking about huge amounts of extra expenditure, we are talking about looking at things slightly differently . . . about co-ordinating things properly.

What, then, are the barriers to collaboration that caused our panelists to rank the statement lower in terms of feasibility? From our initial interviews and the comments from the panel, it was clear that conflicting objectives between different business functions were the key cause. This occurs at two levels.

Firstly, there can be significant tensions between IA objectives and business objectives. Information assurance can, at times, hinder many business ideas by emphasising caution at the expense of flexibility. The solution that seems to be favored by many of the experts is that collaboration is made easier by an understanding that the business function will always be the owner of the risk whatever decision is taken. This may appear paradoxical but it can be explained by the fact that the business function may feel more inclined to treat the IA function as a business partner if it sees it as an advisor rather than a ‘policeman’. The latter is, of course, counter-productive.

Secondly, the objectives of different business functions can conflict. According to one senior manager in charge of IA,

It’s to do with people having a very vertical view of things. People are focused on achieving their objectives and I think that prevents broader perspectives, broader thinking.

Here, the solution offered is that of a ‘horizontal’ IA view across the organization, which ensures that the consequences of decisions in one part of the organization are acceptable in another part of the business, as well.

Anticipating IA threats, developing a security architecture that can rapidly respond to changes in the business environment and clarifying individual IA roles and responsibilities for all employees in the organization were all seen as desirable but due to the volatile nature of the environment—both internally and externally—they were also seen as a challenge. Developing awareness programmes and appropriate appraisal systems for staff help clarify their roles and responsibilities but unpredictable staff behavior will always be a threat. Moreover, anticipating threats from both inside and outside the organization, and the subsequent development of security architecture was perceived to be too onerous and expensive. However, one of our expert panel suggested that a greater understanding could be developed from evaluating the threats and anticipating threat trends; “We have much still to learn regarding how to do this well, but this is a highly desirable goal to aim for and is feasible nonetheless.” Indeed, measuring information assurance was perceived to be demanding. As one expert suggested, “Some security aspects can be measured by metrics, but measuring security risk is difficult. This is an important nut to crack if security initiatives are to succeed and get the support of senior management.”

5.3. Incomplete Options and Not Right Yet

The top left hand box of the matrices consists of those elements that are highly feasible but are not very desirable in their present form. Thus, these factors need to be developed further in order to make them more effective. We have, therefore, called this segment “Incomplete Options.” Two factors have been placed in this category (see Figure 4). Both of these focus on time issues—the frequency of audits and the strategic planning period. Our experts suggested that it is difficult to plan long-term goals because the security environment is changing too rapidly. New threats are occurring almost daily and technology needs to develop quickly in order to counter these threats.

Finally, the bottom left hand quadrant of the matrices—which we have called “Not Right Yet”—includes actions that have both lower desirability and feasibility scores. Eight factors were located in this segment. The majority of these factors involve greater communication and team work with stakeholders. For example, industry-wide cooperation is seen as advantageous but unlikely to occur because of potential competitive pressures. In addition, discussing key strategic dilemmas pertaining to IA at board level and considering how IA processes can support or restrict corporate strategy are both viewed as problematical because they would require a sufficient level of understanding from the business community. At present, IA officials are not confident that the corporate functions have this understanding. However, the alignment literature stresses the importance of communication, training and awareness and team work (Broadbent & Weill, 1993; Brown, 1999; Huang & Hu, 2007) but there is a need to explore this further in order to determine the type and complexity of information to be communicated as well as how this can be improved.

The information security literature also suggests that appropriate resources should be provided in order to guarantee adequate safety measures (Dutta & McCrohan, 2002). Moreover, there is pressure from vendors to ensure that the latest technology is utilized (Stewart, 2005) and that up-to-date metrics are in place (Huang, Lee, & Kao, 2006; Kim, Lee, Han, & Lee, 2002; Kulkarni & Bush, 2006). However, these can be expensive and not necessarily advantageous. For instance, one panel member pointed out that the latest technology is not necessarily very robust.


Although information security metrics are seen as important by both the literature and our panel members, the communication of these metrics requires further examination. First, our experts suggest that metrics should measure more than technology. Indeed, they propose that metrics should be developed for all areas of the business. This will signify that information assurance is not just a technical problem; rather it is also a human problem. Second, although metrics are essential, it is important that they do not help to create a culture of blame or secrecy. Finally, metrics need to be analyzed, and subsequently, they need to be communicated to the organization’s employees, and if necessary, inadequate procedures need to be improved and/or enforced. Further research, therefore, needs to be undertaken on the behavioral aspects—culture, communication, and enforcement—of developing and implementing security metrics.

In order to increase the desirability and feasibility of all the factors in the bottom left hand quadrant of the matrices, a major change in the organization’s internal and/or external environments may need to occur. Moreover, a change in managerial philosophy may be necessary. For example, a new philosophy of collaboration and commitment may be required from all stakeholders. This may be particularly the case when it comes to other organizations:

It is pretty feasible [to work with other institutions], but there may be issues of commercial conflicts that may affect this. It is, however, a benefit to get ideas from others outside one’s own industry to see how they have addressed issues. One can learn a lot from other industry sectors.

6. IMPLICATIONS, LIMITATIONS AND CONCLUDING REMARKS

6.1. Implications

There are a number of implications for managers that can be proposed from the above discussion. These are as follows:

• Incorporate IA into corporate governance guidelines—over the past decade, there have been many calls to ensure that information assurance should be part of the corporate governance processes (Birchall et al., 2003; Dhillon & Backhouse, 2000; Von Solms, 2001a). This is advantageous for a number of reasons. Firstly, organizations must be compliant with government regulations especially as there is a desire to make senior executives personally liable for fraudulent, erroneous or incompetent practices (Damianides, 2005). Secondly, the board is able to gain an overview of the company including ascertaining information on corporate goals, financial data, legislation, information strategy, and security requirements. Thirdly, senior executives are able to influence subordinates to ensure that the IA processes and guidelines are carried out.

• Encourage senior executive involvement in alignment—in order to gain functional and strategic integration, Baskerville and Siponen (2002) suggest developing an information assurance meta-policy. They define an IA meta-policy as “a ‘policy about policies’ [which declares] the organization’s plan for creating and maintaining its information security policies” (Baskerville & Siponen, 2002, p. 339). In other words, senior managers should produce a policy document stating who is responsible for the development of policies and when, and how often, this policy-making should occur. Thus, the document can state the necessity for including both IA and business executives as co-policy makers.

• Promote IA to employees, customers and other stakeholders by emphasising strategic interrelationships—one of the most popular methods of ensuring that employees and other stakeholders are educated on security matters is the introduction of security awareness programmes. However, one of our interviewees suggested,

It may happen that employees are aware of IA issues without having the competence to actually adhere to these values in their work.

Thus, relevant training programmes should be provided in order to ensure that all employees are given appropriate instruction on security practices and are aware of the strategic importance of these issues.

• Develop effective communication, measurement and feedback—it could be argued that ‘silo’ thinking is not a problem that is unique to IA. It is a problem that is addressed in many other areas of business and in particular performance management. One of the solutions generally offered in this discipline is that of using a balanced scorecard approach for objective setting and evaluation (Kaplan & Norton, 1996). According to Ittner and Larcker (1998, p. 217), “Proponents of the balanced scorecard contend that this approach provides a powerful means for translating a firm’s vision and strategy into a tool that effectively communicates strategic intent and motivates performance against established strategic goals.” In addition, the balanced scorecard is advantageous because it encourages senior managers to view both the business and its IA issues from the perspective of different stakeholders—customers, suppliers, financial managers, employees and so on. Consequently, some form of balanced scorecard could promote alignment by pushing together the IA, IT and business paradigms.


6.2. Limitations

While the Delphi technique used for consensus building is based on ordinal data, the conclusions from this study are interpretive and rely on the depths of the qualitative data and the literature findings. One criticism that is often cited for qualitative data collection methods such as interviews is that the size of the sample is too small to enable the generalisation of results. We recognize this weakness and emphasize that this study was not intended to collect the entire range of perspectives on IA alignment. Rather, the data reflects the views expressed by the interviewees and panel members (Brancheau et al., 1996). Further research is required to permit the generalisation of findings.

Strauss and Corbin’s (1998) coding methodology was used to analyse the interview data in order to develop the initial list of statements for the Delphi. We undertook a number of different strategies to ensure accuracy and rigour during this analysis phase. Firstly, we constructed memos—analytical notes—which allowed us to capture ideas, comparisons, connections and categories from the data during analysis (Charmaz, 2006; Clarke, 2005; Strauss & Corbin, 1998). In addition, they provided a paper-trail of our analysis. Secondly, we used member checking to ensure accuracy (Creswell, 2003). This was useful for two reasons: it allowed us to confirm the precision of the interviews and the coding and it allowed us to gather additional information from the subjects, when necessary (Charmaz, 2006).

The Delphi approach that we used for this research was advantageous because it reduced the possibility of “groupthink” or the inappropriate influence of choices by those participants with greater status or perceived ability (Parente, Anderson, Myers, & O’Brien, 1984; Sniezek, 1990). However, we also recognize that the technique has a number of potential weaknesses. Eschenbach and Geistauts (1985), for example, suggest that it may be difficult to ascertain what constitutes expertise when choosing an appropriate panel. This relates to a second possible weakness; that is, whether the feedback and consensus derived from the panel offers any value. In order to pre-empt these arguments, we chose both senior IA practitioners and distinguished IA academics for our panel. This ensured that the Delphi group included both practical and theoretical expertise, enabling the participants to provide the necessary high quality feedback.

The polling process can also be seen as problematical. Researchers must recognize that too many polling rounds are a waste of resources and a tax on the panel members’ time. However, too few rounds could make the results meaningless. In addition, researchers must make sure that they do not overload their experts with too much information. Thus, they need to balance the number of items carried through to subsequent rounds; too many items could confuse the participants and cloud their judgement, while too few would provide little useful information (Schmidt, 1997). In order to manage these potential weaknesses, we removed statements which showed high agreement levels, thereby only using statements that had a low consensus rating for subsequent rounds. This reduced the information given to the panel members. After three rounds, we decided to use all the statements that we had collected that had high consensus scores.

This research provides three basic streams for further conceptual and empirical work on information assurance alignment. The first is the necessity of subjecting this research to further empirical examination to ascertain whether these results are supported by more extensive organizational data. Second, the 29 Delphi statements could be examined further in order to explore the relationships between the concepts. One possibility would be to develop a set of practices which could act as a change agent in order to modify poorly aligned organizations. Third, opportunities exist for exploring each of the concepts in more depth. This is particularly the case for those in the “Challenges” category; that is, those concepts that are seen as desirable but are currently less feasible to implement. For instance, further research could be undertaken on developing the value of IA at board level, methods for measuring soft and hard security processes and systems, and effective approaches for ensuring appropriate employee security processes, communication systems and awareness programmes to ensure greater security compliance.

6.3. Concluding Remarks

This article has argued that alignment between IA, IS and corporate strategy is an important element for organizational success. Using interviews and the Delphi Method, we have presented a number of options for enhancing this alignment. These, together with the use of a balanced scorecard—which emphasizes key metrics, communication and understanding of the inter-connectedness between different aspects of IA practices and business operations—and a strategic meta-policy, can help strengthen the sometimes troublesome relationships between the IA and business functions. This, as research has shown, can significantly improve the chances of adoption and effectiveness of IA practices and performance and is one of the major issues that concern today’s managers (Bendoly & Jacobs, 2004; Bergeron et al., 2004; Sabherwal & Chan, 2001).

Finally, this research contributes to the body of IA literature from both a practical and academic perspective. From a practical point of view, the study increases understanding of the different concepts that have an impact on information assurance alignment, including their desirability and feasibility. This understanding should help senior business, IT and IA managers to improve the processes that enhance alignment. To this end, organizations need to improve communication between functions and hierarchical levels regarding IA. This can be achieved by setting up groups that overlay the functions and hierarchical levels, such as inter-departmental events, security awareness programmes and conferences, senior management advisory groups, and audit and IA steering committees.

From a theoretical perspective, this article has suggested three potential streams for future research in this area. These provide an opportunity for examining information assurance alignment from a softer, human relations perspective rather than the more popular technical perspective.

AUTHOR BIOS

Elspeth McFadzean, a Visiting Academic Fellow at Henley Business School, University of Reading, and an Honorary Recognized Teacher at the University of Liverpool, received her PhD in 1996 from Brunel University in London. Her research interests are in the relationships between information systems/knowledge management and human behavior, including information assurance, group support systems, creativity and innovation, and team leadership and facilitation. Her research has appeared in the Journal of Information Systems Security, Online Information Review, Journal of Enterprise Information Management, Information Systems Management, Interfaces, European Journal of Innovation Management, Harvard Business Review, Strategic Change, and Journal of Management Development.

Jean-Noël Ezingeard, the Dean of the Faculty of Business and Law at Kingston University (London), focuses on the topics of Information Assurance, Information Security and Enterprise Risk Management, which he has researched, taught, and consulted about in Europe, North America, and South Africa. His work on Information Assurance has been used in publications by QinetiQ, Axa, and the Federation against Software Theft. A founding member of the British Computer Society’s Information Assurance working group, he joined the Business School world 12 years ago. Previously, he worked as a Chartered Manufacturing Engineer (Operations Management), and a Lecturer in Computer Integrated Manufacturing.

David Birchall is an associate faculty member and Emeritus Professor at Henley Business School, University of Reading. His activities include studies into innovation management, off-shoring, methodologies for identifying future capabilities needs, leadership competencies in global enterprise as well as in the third sector, spin-outs and their relationships to the founding university, knowledge management, and talent management. He has worked with global companies, as well as small and medium enterprises and the third sector, and he has written a number of books on innovation and future work.

NOTE

1. Results taken from Osiris. Where results are available in a currency other than US dollars, the exchange rate published at TrustNet (http://www.trustnet.com/general/rates.asp) on 10th March 2008 was used for converting the revenue figures.

REFERENCES

Anderson, J. C., Rungtusanatham, M., & Schroeder, R. G. (1994). A Theory of Quality Management Underlying the Deming Management Method. Academy of Management Review, 19(3), 472–509.

Anhal, A., Daman, S., O’Brien, K., & Rathmell, A. (2002). Engaging the Board: Corporate Governance and Information Risk. Cambridge, UK: Information Assurance Advisory Council (IAAC).

Austin, R. D., & Darby, C. A. (2003). The Myth of Secure Computing. Harvard Business Review, 81(6), 120–126.

Backhouse, J., & Dhillon, G. (1996). Structures of Responsibility and Security of Information Systems. European Journal of Information Systems, 5, 2–9.

Backhouse, J., Hsu, C. W., & Silva, L. (2006). Circuits of Power in Creating De Jure Standards: Shaping an International Information Systems Security Standard. MIS Quarterly, 30, 413–438.

Baker, W. H., Rees, L. P., & Tippett, P. S. (2007). Necessary Measures. Communications of the ACM, 50(10), 101–106.

Barney, J. (1991). Firm Resources and Sustained Competitive Advantage. Journal of Management, 17(1), 99–120.

Baskerville, R. (1991). Risk Analysis: An Interpretive Feasibility Tool in Justifying Information Systems Security. European Journal of Information Systems, 1(2), 121–130.

Baskerville, R., & Siponen, M. (2002). An Information Security Meta-Policy for Emergent Organizations. Logistics Information Management, 15(5/6), 337–346.

Bendoly, E., & Jacobs, F. R. (2004). ERP Architectural/Operational Alignment for Order-Processing Performance. International Journal of Operations & Production Management, 24(1/2), 99–117.

Bergeron, F., Raymond, L., & Rivard, S. (2001). Fit in Strategic Information Technology Management Research: An Empirical Comparison of Perspectives. Omega, 29(2), 125–142.

Bergeron, F., Raymond, L., & Rivard, S. (2004). Ideal Patterns of Strategic Alignment and Business Performance. Information and Management, 41(8), 1003–1020.

BERR – The Department for Business Enterprise & Regulatory Reform. (2008). Information Security Breaches Survey. www.security-survey.gov.uk.

Birchall, D., Ezingeard, J.-N., & McFadzean, E. S. (2003). Information Security: Setting the Boardroom Agenda. London: Grist Ltd.

Bodin, L. D., Gordon, L. A., & Loeb, M. P. (2008). Information Security and Risk Management. Communications of the ACM, 51(4), 6–68.

Brancheau, J. C., Janz, B. D., & Wetherbe, J. C. (1996). Key Issues in Information Systems Management: 1994-95 SIM Delphi Results. MIS Quarterly, 20(2), 225–242.

Broadbent, M., & Weill, P. (1993). Improving Business and Information Strategy Alignment: Learning from the Banking Industry. IBM Systems Journal, 32(1), 162–179.

Brown, C. V. (1999). Horizontal Mechanisms under Differing IS Organization Contexts. MIS Quarterly, 23(3), 421–454.

Brown, C. V., & Magill, S. L. (1994). Alignment of the IS Functions with the Enterprise: Toward a Model of Antecedents. MIS Quarterly, 18(4), 371–403.

Brown, C. V., & Ross, J. W. (1996). The Information Systems Balancing Act: Building Partnerships and Infrastructure. Information Technology & People, 9(1), 49–62.

Bryson, J. M., Ackermann, F., & Eden, C. (2007). Putting the Resource-Based View of Strategy and Distinctive Competencies to Work in Public Organizations. Public Administration Review, 67(4), 702–717.

Burnes, G. (2008). Top 10 Enterprise Risk Management Myths. Financial Executive, 24(4), 56–58.

Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market. Journal of Computer Security, 11(3), 431–448.

Cerullo, V., & Cerullo, M. J. (2004). Business Continuity Planning: A Comprehensive Approach. Information Systems Management, 21, 70–78.

Chan, Y. E. (2002). Why Haven’t We Mastered Alignment? The Importance of the Informal Organization Structure. MIS Quarterly Executive, 1(2), 97–112.

Chan, Y. E., Huff, S. L., Barclay, D. W., & Copeland, D. G. (1997). Business Strategic Orientation, Information Systems Strategic Orientation, and Strategic Alignment. Information Systems Research, 8(2), 125–150.


Chang, A. J.-T., & Yeh, Q.-J. (2006). On Security Preparations against Possible IS Threats across Industries. Information Management & Computer Security, 14(4), 343–360.

Charmaz, K. (2006). Constructing Grounded Theory: A Practical Guide Through Qualitative Analysis. London: Sage.

Chellappa, R. K., & Pavlou, P. A. (2002). Perceiving Information Security, Financial Liability and Consumer Trust in Electronic Commerce Transactions. Logistics Information Management, 15(5/6), 358–368.

Chickowski, E. (2008). Preventing Another TJX. Baseline, (81), 22–37.

Clarke, A. E. (2005). Situational Analysis: Grounded Theory and the Post-Modern Turn. Thousand Oaks, CA: Sage.

Cockcroft, S. (2002). Gaps between Policy and Practice in the Protection of Data Privacy. Journal of Information Technology Theory and Application, 4(3), 1–13.

Cohen, K. J., & Cyert, R. M. (1973). Strategy: Formulation, Implementation, and Monitoring. The Journal of Business, 46(3), 349–367.

Cresson Wood, C. (1991). Planning as a Means to Achieve Appropriate Data Communications Security. In K. Dittrich, S. Rautakivi & J. Saari (Eds.), Computer Security and Information Integrity (pp. 119–131). Amsterdam: Elsevier Science Publishers.

Creswell, J. W. (2003). Research Design: Qualitative, Quantitative, and Mixed Methods Approaches (Second Edition). Thousand Oaks, CA: Sage Publications.

D’Arcy, J., & Hovav, A. (2007). Deterring Internal Information Systems Misuse. Communications of the ACM, 50(10), 113–117.

Da Veiga, A., & Eloff, J. H. P. (2007). An Information Security Governance Framework. Information Systems Management, 24(4), 361–372.

Daft, R. L., & Macintosh, N. B. (1984). The Nature and Use of Formal Control Systems for Management Control and Strategy Implementation. Journal of Management, 10(1), 43–66.

Damianides, M. (2005). Sarbanes-Oxley and IT Governance: New Guidance on IT Control and Compliance. Information Systems Management, 22(1), 77–85.

Dhillon, G. (2001). Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns. Computers & Security, 20(2), 165–172.

Dhillon, G., & Backhouse, J. (2000). Information System Security Management in the New Millennium. Communications of the ACM, 43(7), 125–128.

Dutta, A., & McCrohan, K. (2002). Management’s Role in Information Security in a Cyber Economy. California Management Review, 45(1), 67–87.

Edwards, B. A. (2000). Chief Executive Officer Behavior: The Catalyst for Strategic Alignment. International Journal of Value-Based Management, 13(1), 47–54.

Entrust. (2004). Information Security Governance (ISG): An Essential Element of Corporate Governance. Retrieved 24th February 2005, from http://www.bitpipe.com/detail/RES/1082396487_702.html

Ernst & Young. (2007). 10th Annual Global Information Security Survey: Achieving a Balance of Risk and Performance. Retrieved 15th July 2008, from http://www.ey.com/Global/assets.nsf/UK/GISS_2007/$file/GISS%202007%20FINAL.pdf

Eschenbach, T. G., & Geistauts, G. A. (1985). A Delphi Forecast for Alaska. Interfaces, 15(6), 100–109.

Ettredge, M., & Richardson, V. J. (2002). Assessing the Risk in E-Commerce, In Proceedings of the 35th Annual Hawaii International Conference on System Sciences. January 7–10, Computer Society Press, (11 pages). Hawaii.

Ettredge, M., & Richardson, V. J. (2003). Information Transfer among Internet Firms: The Case of Hacker Attacks. Journal of Information Systems, 17(2), 71–82.

Ezingeard, J.-N., & Birchall, D. (2004). Securing Information: Governance Issues. In S. Crainer & D. Dearlove (Eds.), Financial Times Handbook of Management. London: Financial Times Prentice Hall.

Ezingeard, J.-N., McFadzean, E., & Birchall, D. (2005). A Model of Information Assurance Benefits. Information Systems Management, 22(2), 20–29.

Flint, D. J., Woodruff, R. B., & Gardial, S. F. (2002). Exploring the Phenomenon of Customers’ Desired Value Change in a Business-to-Business Context. Journal of Marketing, 66, 102–117.

Frolick, M. N., & Ariyachandra, T. R. (2006). Business Performance Management: One Truth. Information Systems Management, 23(1), 41–48.

Garg, A., Curtis, J., & Halper, H. (2003). Quantifying the Financial Impact of IT Security Breaches. Information Management & Computer Security, 11(2/3), 74–83.

Gilbert, F. (2008). Is Your Due Diligence Checklist Obsolete? Understanding How Information Privacy and Security Affects Corporate and Commercial Transactions. Computer and Internet Lawyer, 25(10), 13–18.

Govindarajan, V. (1988). A Contingency Approach to Strategy Implementation at the Business-Unit Level: Integrating Administrative Mechanisms with Strategy. Academy of Management Journal, 31(4), 828–853.

Guimaraes, T. A., Borges-Andrade, J. E., Machado, M. d. S., & Vargas, M. R. M. (2001). Forecasting core competencies in an R&D environment. R & D Management, 31(3), 249–255.

Hansotia, B. (2002). Gearing up for CRM: Antecedents to Successful Implementation. Journal of Database Management, 10(2), 121–132.

Hazari, S. (2005). Perceptions of End-Users on the Requirements in Personal Firewall Software: An Exploratory Study. Journal of Organizational and End User Computing, 17(3), 47–65.

Henderson, J. C., & Venkatraman, N. (1993). Strategic Alignment: Leveraging Information Technology for Transforming Organizations. IBM Systems Journal, 32(1), 4–16.

Higgins, H. N. (1999). Corporate System Security: Towards an Integrated Management Approach. Information Management & Computer Security, 7(5), 217–222.

Hinde, S. (2003). The Law, Cybercrime, Risk Assessment and Cyber Protection. Computers and Security, 22(2), 90–95.

Ho, C.-F. (1996). Information Technology Implementation Strategies for Manufacturing Organizations: A Strategic Alignment Approach. International Journal of Operations & Production Management, 16(7), 77–100.

Huang, C. D., & Hu, Q. (2007). Achieving IT-Business Strategic Alignment via Enterprise-Wide Implementation of Balanced Scorecards. Information Systems Management, 24(2), 173–184.

Huang, S.-M., Lee, C.-L., & Kao, A.-C. (2006). Balancing Performance Measures for Information Security Management: A Balanced Scorecard Framework. Industrial Management + Data Systems, 106(1/2), 242–255.

IAAC. (2003). Engaging the Board: Corporate Governance & Information Assurance. Cambridge: Information Assurance Advisory Council.

Ittner, C. D., & Larcker, D. F. (1998). Innovations in Performance Measurement: Trends and Research Implications. Journal of Management Accounting Research, 10, 205–238.

Jeffery, M., & Leliveld, I. (2004). Best Practices in IT Portfolio Management. Sloan Management Review, 45(3), 41–49.

Kankanhalli, A., Teo, H.-H., Tan, B. C. Y., & Wei, K.-K. (2003). An Integrative Study of Information Systems Security Effectiveness. International Journal of Information Management, 23, 139–154.

Kaplan, R. S., & Norton, D. P. (1996). Using the Balanced Scorecard as a Strategic Management System. Harvard Business Review, 74(1), 75–85.

Kearns, G. S., & Lederer, A. L. (2003). A Resource-Based View of Strategic IT Alignment: How Knowledge Sharing Creates Competitive Advantage. Decision Sciences, 34(1), 1–29.

Kesh, S., & Ratnasingam, P. (2007). A Knowledge Architecture for IT Security. Communications of the ACM, 50(7), 103–108.

Kim, J., Lee, J., Han, K., & Lee, M. (2002). Business as Buildings: Metrics for the Architectural Quality of Internet Businesses. Information Systems Research, 13(3), 239–254.

Knapp, K. J., & Boulton, W. R. (2006). Cyber-Warfare Threatens Corporations: Expansion into Commercial Environments. Information Systems Management, 23(2), 76–87.

Kolokotronis, N., Margaritis, C., Papadopoulou, P., Kanellis, P., & Martakos, D. (2002). An Integrated Approach for Securing Electronic Transactions over the Web. Benchmarking, 9(2), 166–181.

Kruger, H. A., & Kearney, W. D. (2006). A Prototype for Assessing Information Security Awareness. Computers & Security, 25(4), 289–296.

Kulkarni, A., & Bush, S. (2006). Detecting Distributed Denial-of-Service Attacks Using Kolmogorov Complexity Metrics. Journal of Network and Systems Management, 14(1), 69–80.


Larreche, J.-C., & Montgomery, D. B. (1977). A Framework for the Comparison of Marketing Models: A Delphi Study. Journal of Marketing Research, 14(4), 487–498.

Lindup, K. (1996). The Role of Information Security in Corporate Governance. Computers & Security, 15(6), 477–485.

Linkous, J. (2008). Put the ‘i’ in IT compliance. Communications News, 45(12), 26; 28.

Locke, K. D. (2001). Grounded Theory in Management Research. London: Sage.

Logan, P. Y., & Logan, S. W. (2003). Bitten by a Bug: A Case Study in Malware Infection. Journal of Information Systems Education, 14(3), 301–305.

Lohmeyer, D. F., McCrory, J., & Pogreb, S. (Writer) (2002). Managing Information Security, McKinsey Quarterly.

Luftman, J. (2000). Assessing Business-IT Alignment Maturity. Communications of the Association of Information Systems, 4(14), 1–50.

Luftman, J. (2003). Assessing IT/Business Alignment. Information Systems Management, 20(4), 9–15.

Luftman, J., & Brier, T. (1999). Achieving and Sustaining Business-IT Alignment. California Management Review, 42(1), 109–122.

Luftman, J., Papp, R., & Brier, T. (1999). Enablers and Inhibitors of Business-IT Alignment. Communications of the Association of Information Systems, 1(11), 1–33.

Luftman, J. N., Lewis, P. R., & Oldach, S. H. (1993). Transforming the Enterprise: The Alignment of Business and Information Technology Strategies. IBM Systems Journal, 32(1), 198–221.

Malhotra, M. K., Steele, D. C., & Grover, V. (1994). Important Strategic and Tactical Manufacturing Issues in the 1990s. Decision Sciences, 25(2), 189–214.

McFadzean, E. S., Ezingeard, J.-N., & Birchall, D. (2006). Anchoring Information Security Governance Research: Sociological Groundings and Future Directions. Journal of Information Systems Security, 2(3), 3–47.

McFadzean, E. S., Ezingeard, J.-N., & Birchall, D. (2007). Perception of Risk and the Strategic Impact of Existing IT on Information Security Strategy at Board Level. Online Information Review, 31(5), 622–660.

McFarlan, F. W. (1984). Information Technology Changes the Way You Compete. Harvard Business Review, 62(3), 98–103.

McHugh, J. (2001). Intrusion and Intrusion Detection. International Journal of Information Security, 1(1), 14–35.

Miller, D. (1981). Toward a New Contingency Approach: The Search for Organizational Gestalts. Journal of Management Studies, 18(1), 1–26.

Miller, H. E., & Engemann, K. G. (1996). A Methodology for Managing Information-Based Risk. Information Resources Management Journal, 9(2), 17–24.

Mitchell, V. W., & McGoldrick, P. J. (1994). The Role of Geodemographics in Segmenting and Targeting Consumer Markets: A Delphi Study. European Journal of Marketing, 28(5), 54–72.

Mitnick, K. D. (2003). Are You the Weak Link? Harvard Business Review, 81(4), 18–20.

Montealegre, R. (2002). A Process Model of Capability Development: Lessons from the Electronic Commerce Strategy at Bolsa de Valores de Guayaquil. Organization Science, 13(5), 514–531.

NACD. (2001). Information Security Oversight: Essential Board Practices: National Association of Corporate Directors.

Nambisan, S., Agarwal, R., & Tanniru, M. (1999). Organizational Mechanisms for Enhancing User Innovation in Information Technology. MIS Quarterly, 23(3), 365–395.

National Cyber Security Partnership Governance Task Force. (2004). Information Security Governance: A Call to Action. Retrieved February 24 2005, from http://www.cyberpartnership.org/InfoSecGov4_04.pdf

Niederman, F., Brancheau, J. C., & Wetherbe, J. C. (1991). Information Systems Management Issues for the 1990s. MIS Quarterly, 15(4), 475–500.

Okoli, C., & Pawlowski, S. D. (2004). The Delphi Method as a Research Tool: An Example, Design Considerations and Applications. Information & Management, 42(1), 15–29.

Parente, F. J., Anderson, J. K., Myers, P., & O’Brien, T. (1984). An Examination of Factors Contributing to Delphi Accuracy. Journal of Forecasting, 3(2), 173–183.

Peak, D., & Guynes, S. (2003). The IT Alignment Planning Process. Journal of Computer Information Systems, 44(1), 9–15.

Post, G. V., & Kagan, A. (2007). Evaluating Information Security Tradeoffs: Restricting Access can Interfere with User Tasks. Computers & Security, 26(3), 229–237.

Posthumus, S., & Von Solms, R. (2004). A Framework for the Governance of Information Security. Computers & Security, 23(8), 638–646.

Powers, V. J. (1996). Benchmarking Study Illustrates how Best-in-Class Achieve Alignment, Communicate Change. Communication World, 14(1), 30–33.

Preble, J. F. (1984). The Selection of Delphi Panels for Strategic Planning Purposes. Strategic Management Journal, 5(2), 157–170.

Preble, J. F. (1992). Towards a Comprehensive System of Strategic Control. Journal of Management Studies, 29(4), 391–409.

Raghupathi, W. R. (2007). Corporate Governance of IT: A Framework for Development. Communications of the ACM, 50(8), 94–99.

Reich, B. H., & Benbasat, I. (2000). Factors that Influence the Social Dimension of Alignment between Business and Information Technology Objectives. MIS Quarterly, 24(1), 81–113.

Rockart, J. F., Earl, M. J., & Ross, J. W. (1996). Eight Imperatives for the New IT Organization. Sloan Management Review, 38(1), 43–55.

Sabherwal, R., & Chan, Y. E. (2001). Alignment between Business and IS Strategies: A Study of Prospectors, Analyzers, and Defenders. Information Systems Research, 12(1), 11–33.

Sanderson, E., & Forcht, K. A. (1996). Information Security in Business Environments. Information Management & Computer Security, 4(1), 32–37.

Sandman, J. (2008). Watching for Rogue Traders. Securities Industry News, 20(23), 4.

Sarker, S., Lau, F., & Sahay, S. (2001). Using an Adapted Grounded Theory Approach for Inductive Theory Building about Virtual Team Development. The DATA BASE for Advances in Information Systems, 32(1), 38–56.

Saunders, C. S., & Jones, J. W. (1992). Measuring Performance of the Information Systems Function. Journal of Management Information Systems, 8(4), 63–82.

Schmidt, R. C. (1997). Managing Delphi Surveys using Nonparametric Statistical Techniques. Decision Sciences, 28(3), 763–774.

Schmidt, R., Lyytinen, K., Keil, M., & Cule, P. (2001). Identifying Software Project Risks: An International Delphi study. Journal of Management Information Systems, 17(4), 5–36.

Schultz, E. E. (2002). A Framework for Understanding and Predicting Insider Attacks. Computers & Security, 21(6), 526–531.

Segars, A. H., & Grover, V. (1998). Strategic Information Systems Planning Success: An Investigation of the Construct and its Measurement. MIS Quarterly, 22(2), 139–163.

Sherwood, J. (1996). SALSA: A Method for Developing the Enterprise Security Architecture and Strategy. Computers & Security, 15(6), 501–506.

Siebens, H. (2002). Concepts and Working Instruments for Corporate Governance. Journal of Business Ethics, 39(1/2), 109–116.

Sledgianowski, D., & Luftman, J. (2005). IT-Business Strategic Alignment Maturity: A Case Study. Journal of Cases on Information Technology, 7(2), 102–120.

Smaczny, T. (2001). Is an Alignment between Business and Information Technology the Appropriate Paradigm to Manage IT in Today’s Organizations? Management Decision 39, 797–802.

Smedinghoff, T. J. (2005). The New Law of Information Security: What Companies Need to Do Now. Computer and Internet Lawyer, 22(11), 9–25.

Smedinghoff, T. J. (2008). The State of Information Security Law: A Focus on the Key Legal Trends. EDPACS, 37(1/2), 1–52.

Sniezek, J. A. (1990). A Comparison of Techniques for Judgmental Forecasting by Groups with Common Information. Group & Organization Studies, 15(1), 5–19.

Stewart, A. (2005). Information Security Technologies as a Commodity Input. Information Management & Computer Security, 13(1), 5–15.

Stewart, K. A., & Segars, A. H. (2002). An Empirical Examination of the Concern for Information Privacy Instrument. Information Systems Research, 13(1), 36–49.


Straub, D. W., & Welke, R. J. (1998). Coping With Systems Risk: Security Planning Models for Management Decision Making. MIS Quarterly, 22(4), 441–469.

Strauss, A., & Corbin, J. (1990). Basics of Qualitative Research: Grounded Theory Procedures and Techniques. Thousand Oaks, CA: Sage.

Strauss, A., & Corbin, J. (1998). Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory. Thousand Oaks, CA: Sage Publications.

Swartz, N. (2003). The Cost of Sarbanes-Oxley. Information Management Journal, 37(5), 8.

Tallon, P. P., Kraemer, K. L., & Gurbaxani, V. (2000). Executives’ Perceptions of the Business Value of Information Technology: A Process-Oriented Approach. Journal of Management Information Systems, 16(4), 145–173.

Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2006). Formulating Information Systems Risk Management Strategies through Cultural Theory. Information Management & Computer Security, 14(3), 198–217.

Turnbull, N. (1999). Internal Control: Guidance for Directors on the Combined Code. London: The Institute of Chartered Accountants in England & Wales.

van Opstal, D. (2007). The Resilient Economy: Integrating Competitiveness and Security. Washington, D.C.: Council on Competitiveness.

Venkatraman, N. (1989). The Concept of Fit in Strategy Research: Toward Verbal and Statistical Correspondence. Academy of Management Review, 14(3), 423–444.

Vijayan, J. (2008). Inside Job Highlights IT And Oversight Failures At Bank. Computerworld, 42(23), 16.

Viton, P. L. (2003). Creating Fraud Awareness. S.A.M. Advanced Management Journal, 68(3), 20–27; 43.

Von Solms, B. (2001a). Corporate Governance and Information Security. Computers & Security, 20(3), 215–218.

Von Solms, B. (2001b). Information Security: A Multidimensional Discipline. Computers & Security, 20(6), 504–508.

Von Solms, B., & Von Solms, R. (2004). The 10 Deadly Sins of Information Security Management. Computers & Security, 23(5), 371–376.

Vroom, C., & Von Solms, R. (2004). Towards Information Security Behavioural Compliance. Computers & Security, 23(3), 191–198.

Wailgum, T., & Sayer, P. (2008). Risk without Reward. CIO, 21(14), 42–45.

Ward, J. M. (1988). Information Systems and Technology Application Portfolio Management – an Assessment of Matrix-Based Analyses. Journal of Information Technology, 3(3), 205–215.

Ward, J., & Peppard, J. (1996). Reconciling the IT/Business Relationship: A Troubled Marriage in need of Guidance. Journal of Strategic Information Systems, 5(1), 37–65.

Ward, P., & Smith, C. L. (2002). The Development of Access Control Policies for Information Technology Systems. Computers & Security, 21(4), 356–371.

Whitman, M. E. (2003). Enemy at the Gate: Threats to Information Security. Communications of the ACM, 46(8), 91–95.

Willcoxson, L., & Chatham, R. (2004). Progress in the IT/Business Relationship: A Longitudinal Assessment. Journal of Information Technology, 19(1), 71–80.

Youndt, M. A., Snell, S. A., Dean, J. W., & Lepak, D. P. (1996). Human Resource Management, Manufacturing Strategy, and Firm Performance. Academy of Management Journal, 39(4), 836–866.

Zuccato, A. (2004). Holistic Security Requirement Engineering for Electronic Commerce. Computers & Security, 23(1), 63–76.

Zviran, M., & Haga, W. J. (1999). Password Security: An Empirical Study. Journal of Management Information Systems, 15(4), 161–185.

APPENDICES

Appendix A: Information on Interview Sample

| Subject Code | Position | Industry | Company | Board Member | Last Turnover Figure ($m)¹ |
|---|---|---|---|---|---|
| S1 | CEO | Finance | Subsidiary of UK Public Quoted | Yes | Group Results: $43,000 |
| S2 | E-Commerce Development Director | Finance | Subsidiary of UK Public Quoted | No | Group Results: $43,000 |
| S3 | Advisor | Defence | UK Government department | Yes | Not applicable |
| S3 | Chairman | Energy | UK Public Quoted | Yes | $9,511 |
| S4 | Chief Information Security Officer & VP Operations | Electronics | US Public Quoted | Yes | $151.3 |
| S5 | IT Director | Finance | UK Subsidiary of Swiss Public Quoted | No | Group Results: $31,151 |
| S6 | Chief Operating Officer | Finance | UK Subsidiary of Swiss Public Quoted | Yes | Group Results: $31,151 |
| S7 | Company Secretary | Energy | UK Public Quoted | Yes | $16,344 |
| S8 | Managing Director | Manufacturing | UK Private | Yes | $3.1 |
| S9 | Managing Director | Consulting | UK Public Quoted | Yes | $761 |
| S10 | Chief Information Officer | Consulting | UK Public Quoted | Yes | $761 |
| S11 | Chief Information Security Officer | IT | UK Subsidiary of US Public Quoted | No | Group Results: $60,420 |
| S12 | Chief Executive Officer | Communications | UK Public not-quoted | Yes | $12,001 |
| S13 | Senior Manager, Business Process Consulting | Industrial Products | Private | Yes | $21,100 |
| S14 | Group Security Adviser | Finance | UK Public Quoted | No | $36,780 |
| S15 | Director of Finance & Corporate Services | Public Sector | UK public sector authority | Yes | $295.3 |
| S16 | Chief Finance Officer | Pharmaceutical | UK Subsidiary of Swiss Public Quoted | Yes | $38,947 |
| S17 | IT Director | Pharmaceutical | UK Subsidiary of Swiss Public Quoted | No | $38,947 |
| S18 | Director of Global Security | Energy | UK Public Quoted | No | $285,010 |
| S19 | Finance Director | Finance | UK Public Quoted | Yes | $583 |
| S20 | Finance Director | Electronics | Private | Yes | $2,056 |
| S21 | IT Director | Electronics | Private | No | $2,056 |
| S22 | Chief Technology Officer | Transportation & Logistics | Multi-national subsidiary of US Public Quoted | No | $2,900 |
| S23 | Director of Finance, Personnel & Information Systems | Education | Private | Yes | Unavailable |
| S24 | Director of Finance, Personnel & Information Systems | Education | Private | Yes | Unavailable |
| S25 | Chief Executive Officer | Consulting | Private | Yes | Unavailable |
| S26 | Group Marketing Director | Consulting | Multi-national subsidiary of US Public Quoted | Yes | $373 |
| S27 | Marketing Director | Consulting | Multi-national subsidiary of US Public Quoted | No | $373 |
| S28 | Information Security Project Manager | IT | German Subsidiary of US Public Quoted | No | Group Results: $98,785 |
| S29 | Chief Information Security Officer | Electronics | US Public Quoted | Yes | $151.3 |
| S30 | Senior Manager, Business Process Consulting | Industrial Products | Private | Yes | $21,100 |
| S31 | Chief Security Officer | Finance | Swiss Public Quoted | No | $27,760 |
| S32 | Advisor | Defence | UK Government department | Yes | Not applicable |
| S32 | Chairman | Energy | UK Public Quoted | Yes | $9,511 |
| S33 | Knowledge Manager | Finance | Subsidiary of Spanish Public Quoted | No | $5,339 |
| S34 | Senior Civil Servant | Public Sector | UK Government Department | Not applicable | Not applicable |
| S35 | Chief Finance Officer | Pharmaceutical | UK Subsidiary of Swiss Public Quoted | Yes | $38,947 |
| S36 | Information Assurance Program Director | Communications | UK Public Quoted | No | Group Results: $41,674 |
| S37 | Group Security Adviser | Finance | UK Public Quoted | No | $36,780 |
| S38 | Head of IT | Electronic Trading | Subsidiary of UK Public Quoted | Yes | Unavailable |
| S39 | Benchmark Programs Manager | Scientific Solutions | US Public Quoted | No | $30,653 |
| S40 | Head of Information | Finance | Global Organization with listings in London, Hong Kong and New York | No | Group Results: $43,000 |
| S41 | IT Director | Finance | UK Subsidiary of Swiss Public Quoted | No | Group Results: $31,151 |
| S42 | CEO | Finance | Subsidiary of UK Public Quoted | Yes | Group Results: $43,000 |
| S43 | IT Director | Finance | Subsidiary of UK Public Quoted | No | Group Results: $43,000 |

Appendix B: Information on Delphi Panel

| Code | Company | Role | Sector | Turnover ($m) |
|---|---|---|---|---|
| 56277 | Academia | Professor | Education Sector | Not applicable |
| 56272 | Academia | Professor | Education Sector | Not applicable |
| 56276 | UK Public Quoted | Information Security Officer | Electronics | $85.85 |
| 56242 | US Public Quoted | Chief Information Security Officer | Electronics | $151.3 |
| 56258 | UK Private | Managing Director | IT Services/Consultancy | Unknown |
| 56273 | Academia | Professor | Education Sector | Not applicable |
| 56267 | Swiss Public Quoted | Director, Security Risk | Finance | $27,760 |
| 56279 | UK Private | Information Security Consultant | IT Services/Consultancy | Unknown |
| 56257 | Academia | Professor | Education Sector | Not applicable |
| 56251 | UK Public Quoted | Head of Information Security | Retail | $25,900 |
| 56264 | Belgian Public Quoted | Chief Security Officer (for the Group) | Finance | $1,669 |
| 56239 | Subsidiary of UK Public Quoted | IT Security and Business Continuity Principal Analyst | IT Services/Consultancy | $63 |
| 56232 | Academia | Professor | Education Sector | Not applicable |
| 56249 | UK Government Department | Senior civil servant | Public Sector | Not applicable |
| 56240 | Academia | Professor | Education Sector | Not applicable |
| 56275 | UK Private | Information Security Consultant | IT Services/Consultancy | Unknown |
| 56271 | Academia | Professor | Education Sector | Not applicable |
| 56259 | Subsidiary of UK Public Quoted | Head of Security | IT Services/Consultancy | Group Results: $41,674 |
| 56253 | Academia | Reader in Information Security | Education Sector | Not applicable |
| 56244 | UK Public Quoted | Group Security Adviser | Finance | Group Results: $43,000 |
| 56247 | UK Public Quoted | Project Director, Information Assurance | IT Services/Consultancy | Group Results: $41,674 |
| 56235 | Academia | Professor | Education Sector | Not applicable |
| 56246 | Swiss Public Quoted | Executive Director, Global Head of Security Risk | Finance | $27,760 |
| 56270 | Academia | Lecturer | Education Sector | Not applicable |
| 56245 | Subsidiary of UK Public Quoted | Head of IT | IT Services/Consultancy | Unavailable |
| 56231 | Academia | Professor | Education Sector | Not applicable |
| 56252 | Global Organization | Security Consultant | IT Services/Consultancy | Unknown |
| 56278 | Academia | Lecturer | Education Sector | Not applicable |
| 56248 | Global Organization with listings in London, Hong Kong and New York | Head of Information Assurance | Finance | Group Results: $43,000 |
| 56255 | US Public Quoted | Information Security Consultant | IT Services/Consultancy | $1,213 |
| 56263 | Subsidiary of UK Public Quoted | Head of Security Architecture | Finance | Group Results: $14,200 |
| 56268 | Academia | Associate Editor, Information Management and Computer Security | Education Sector | Not applicable |
| 56236 | UK Subsidiary of US Public Quoted | Chief Information Security Officer | IT Services/Consultancy | Not published (1,600 employees) |
| 56262 | UK Public Sector Organization | Head of Information Security | Public Sector | $12,001 |
| 56243 | UK Subsidiary of Swiss Public Quoted | IT Director | Finance | Group Results: $31,151 |
| 56234 | UK Private | Security Consultant and Government Adviser | IT Services/Consultancy | Unknown |

Appendix C: Sample of Interview Questions

Developing IA Goals and Critical Success Factors

• What are the objectives of IA within your organization?

• What are your key drivers behind your IA objectives?

• How do you know when you have achieved your IA goals? How do you know when you have fulfilled them? What critical success factors do you require in order to achieve your IA goals?

Constructing or Improving IA Strategy Alignment

• What processes do you use to link business direction with security strategy, measures and benchmarking?

• How do you find out about the potentially disparate views of different people and/or functions and develop an agreement between them?

• How do you ensure that your IA strategy is aligned to the business plans?

• How do you make sure that you’ve got the right metrics in place and that they are aligned to the business strategy?

• How would you improve the alignment between IA, IT and business strategy within your organization?

Measuring & Reporting Practices

• What specific areas do you measure in terms of information assurance and security?

• Do you employ outside consultants to ascertain whether the organization has appropriate and effective IA competencies and processes in place?

• At what levels would information assurance be discussed? Is it at board level or is it a level just below that? What issues are discussed at these meetings?

• Is there a person at senior level that is responsible for IA across the whole group or is it seen as part of everyone’s job?

• How are IA metrics developed? Who develops them and what are they?

• How is information assurance presented to the audit committee?

Evaluating & Communicating Strategic Information to the Board

• What information in terms of IA is communicated to the board?

• How is this information communicated to the board?

• How does the board satisfy itself in terms of IA effectiveness across the organization?

• Does the board feel any growing pressures in terms of IA due to the growing number of scandals that are shared with the public?

• How often does that IA strategy paper go to the board and what is included in the paper?

Appendix D: Example of Analysis Process

Step 1. Interviews (figure not reproduced)

Step 2. Coding Process (figure not reproduced)

Step 3. Delphi Procedure (figure not reproduced)

Copyright of Information Systems Management is the property of Taylor & Francis Ltd and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder’s express written permission. However, users may print, download, or email articles for individual use.