
Institutionalizing information security risk management: A multi-method empirical study on the effects of regulation.



Abstract

Information security has traditionally focused on known vulnerabilities in technological assets in order to safeguard organizational information from external threats such as hackers and viruses. However, the majority of information security breaches are believed to be caused by internal employees, suggesting that more attention may be needed in managing internal people- and process-related threats and vulnerabilities. In recent years, a series of regulations has forced organizations to manage various aspects of information security-related risk. The research question examined is: How does regulation affect information security risk management?

A multi-method study was conducted. Interviews with twenty practitioners across ten organizations were conducted as part of a qualitative interpretive study. Informants included participants in Sarbanes-Oxley compliance and information security experts. The interpretive results informed a theoretical model that was then tested in a subsequent positivist study.

Institutional theory and process maturity were applied to examine the effects of regulation on institutionalizing information risk management practices. Two hundred and eighteen completed survey responses were obtained from members of ISACA, a professional association specializing in IT audit and governance. A multi-dimensional model was examined using structural equation modeling. The model contained both causal and effect indicators, resulting in a model that is both descriptive and predictive.

Findings from both the interpretive and positivist studies suggest that regulation may contribute to institutionalized risk management in at least two ways. First, regulation encourages a more formalized risk management process, because organizations must be able to provide documented proof of their practices for compliance. Second, regulation raises the level of organizational awareness of information risk management when business managers are explicitly held accountable or when the regulation is aimed at business processes. Mature risk management practices and business participation in managing risk were found to result in an organizational culture that exhibits a shared language, heightened awareness, and business ownership of risk management.

Results from the interpretive study suggested that information security has two dimensions: management and practice. Support for these two dimensions was found in the positivist study. Institutionalized information security risk management was found to result in improved performance of operational and technical security controls through increased efficiency.
