An Empirical Study of Information Security Management Success Factors

Information security management (ISM) is a continuous, structured and systematic security approach to managing and protecting the organisation's information from being compromised by irresponsible parties. To ensure the information remains secure, many organisations have implemented ISM by establishing and reviewing information security (IS) policy, processes, procedures, and organisational structures. Regardless of these efforts, security threats, incidents, vulnerabilities, and risks still plague many organisations. Lack of awareness of ISM effectiveness, due to a low understanding of the success factors, is one of the major causes of this phenomenon. This study aimed to address this subject by first identifying the ISM key factors from the existing literature and then confirming the factors and discovering other related factors from practitioners' perspective. This study used a qualitative method, adopting semi-structured interviews involving nine practitioners. The data were analysed using the content analysis technique. Through the analysis, the study validated several ISM factors and their elements that contribute to the success of ISM. The findings provide practitioners with a better understanding of ISM key factors and could guide practitioners in implementing proper ISM.


I. INTRODUCTION
In the era of globalisation, protection of information is critical in order to ensure business continuity [1]. Addressing security breaches has become a challenge to organisations [2]. Information Security (IS) is a concept that is related to protecting information in order to preserve the value it has for organisations and individuals [3], [4]. Information's confidentiality, integrity, availability, authenticity, accountability, and reliability are ensured through IS [5], [6], [7], [8], [9], [10]. Organisations which are lacking in IS are usually prone to a large number of security breaches and incidents [11]. Recognising this, many organisations have put substantial effort into managing and handling the security of their information. They have implemented Information Security Management (ISM) initiatives by reviewing IS processes, policies, procedures, controls and organisational structures. ISM is a comprehensive approach that involves the implementation of activities and controls to protect the organisation's information assets from any intrusion [7], [12], [13], [14]. In spite of these efforts, organisations are still exposed to information security threats, incidents, vulnerabilities and risks [6], [8], [15]. One of the contributing reasons is ineffective current ISM practice [16]. Organisations often emphasise the technical aspects without appropriate consideration of the non-technical aspects when implementing ISM [17], [18]. They normally embark on the initiatives without knowing the key factors that affect their success [19]. Based on the above facts, there is a need to identify the key factors that contribute to the success of ISM. This paper aims to address this issue by identifying and collating the key factors from theoretical and empirical perspectives. The identified factors can be used as guidance to organisations in improving their ISM practices. This paper is organised as follows.
The next section presents ISM factors and elements that were gathered from the literature and the methodology used to collect and analyse the theoretical and empirical data. Section III presents the findings of the analysis. Finally, section IV concludes the paper by summarising the finding and outlining the future work.

II. MATERIALS AND METHODS
ISM is an ongoing process that involves planning, implementing, monitoring and improving IS activities [8], [9], [20]. In order to ensure the information is well maintained and the organisation's mission, vision and goals can be achieved, the organisation should have an effective ISM.
The main process in ISM is risk management, which consists of risk assessment and risk treatment activities [9]. The purpose of risk management is to identify, analyse and evaluate IS risks, as well as to implement actions to modify and control the risks [24], [25], [26]. Besides the risk management process, business continuity management (BCM) also contributes to the success of ISM [8], [22]. The goal of BCM is to ensure the continuity of the organisation's business operations during or after adverse situations [27], [28], [29], [30]. BCM requires a comprehensive business continuity plan which is derived from business impact analysis and risk assessment [5]. The business continuity plan determines the processes, procedures, resources, roles and responsibilities involved. To ensure the BCM is effective and valid during adverse situations, the organisation shall exercise and test the business continuity plan [5], [8], [31], [32].
ISM technical operation activities are carried out by the ISM team. The team is accountable for implementing ISM processes and controls by following the steps written in the ISM procedures. Thus, the procedures should be clear, complete and communicated to the ISM team [5], [8], [32]. The knowledge, commitment and technical skills of the ISM team are essential in implementing IS processes, procedures and controls [5], [9], [10], [19].

A. Research Questions Formulation
The study focused on answering the following questions:
i. What are the factors that contribute to the success of ISM?
ii. What are the specific elements for each of these factors?
The questions acted as the basis for data collection during theoretical and empirical studies.

1) Theoretical Study
This study was initiated by analysing the existing literature. This theoretical study reviewed published and unpublished documents in multiple online databases. The findings of the study have been elaborated in [36].

2) Empirical Study
This study aimed to verify the factors that were derived from the theoretical study, as well as to discover other relevant factors. This study used semi-structured interviews. A series of individual and focus group interviews with experienced ISM practitioners were conducted.
i. Sampling
The sampling was based on the ability of informants to answer the research questions. Thus, the purposive sampling method was adopted. For the individual interviews, five ISM practitioners who had been actively involved in ISM, from five different agencies, were invited to participate in the study. The profiles of the five participants are shown in Table 2.
Meanwhile, the participants for the focus group interview comprised a head of ICT department, an ISM coordinator, an ISM implementer and an ISM auditor. All participants possessed at least five years' experience in ISM. Table 3 outlines the participants' profiles.
ii. Instruments
Interview questions were used as the instruments for the individual and focus group interviews. The questions were derived from the findings of the theoretical study. The questions were broken into two parts, A and B. Part A covers the ISM implementation in the participants' organisations as well as the participants' experience in implementing ISM. The questions in part B revolve around twelve ISM success factors, which are Top Management, ISM Team, IS Audit Team, Employees, Third Parties, IS Policy, IS Procedures, Competency Development & Awareness, Resource Planning, Risk Management, Business Continuity Management and IS Audit. Table 4 summarises and describes the twelve factors that were included in the interview questions.
iii. Protocol
For the individual interviews, the participants' consent was obtained before conducting the sessions. Appointments were made in advance to set the date and time of the interviews. The participants were provided with a brief description of the interview objectives. After obtaining the participants' agreement, formal invitations were sent to them. The interviews were conducted between February 2016 and May 2016. The participants were interviewed individually at their workplace, which took an average of 90 minutes per person. Each session was recorded using a tape recorder and field notes.
Likewise, the participants' agreement was also obtained before conducting the focus group session. Two weeks before the focus group session, an invitation letter containing information about the objectives, date, time and venue was sent to the participants. The focus group session was conducted on 14 May 2016 at 10.00 am. The session was recorded using a video recorder, an audio tape recorder, and field notes. The session took almost three hours.

C. Data Analysis
The data gathered from the theoretical and empirical studies were transcribed and analysed using content analysis. Content analysis is a qualitative research technique that has been widely used to analyse written, oral or visual communication messages [39]. The analysis involved identifying the frequent elements in the data. Later, the elements were categorised into several logical groups of factors by using inductive and deductive reasoning techniques. The deductive reasoning involved taking the factors and elements identified in the theoretical study and later confirming or disconfirming them by comparison with the data from the empirical study. The inductive reasoning recognised newly emergent data from the empirical study and then abstracted the data as new factors or grouped it into the existing factors.

Table 4. Factors and their descriptions

Top Management
To verify whether top management should have full commitment and strong leadership in order to achieve ISM outcomes.

ISM Team
To confirm the team must have wide IS knowledge and be updated with the current security issues, as well as be skilful and committed to implementing IS processes and activities.

IS Audit Team
To substantiate whether the auditors should possess the required knowledge of the people and processes to be audited; technical skills for identifying problems, getting the information and reporting the audit results; and full commitment to ensure the effectiveness and completion of the auditing process.

Employees
To affirm whether the awareness, motivation, and compliance of the employees impact the ISM success.

Third Parties
To confirm whether the awareness and compliance of the third parties affect the ISM success.

IS Policy
To confirm whether the policy must be comprehensive, covering the requirements and controls prescribed by the ISM standards; clear in describing IS objectives and the responsibilities of the parties involved; communicated to the employees and stakeholders; and regularly reviewed to ensure it remains relevant to current needs.

IS Procedures
To identify the required characteristics of good quality procedures.

Competency Development & Awareness
To validate whether the competency development and awareness programmes are important to develop the competency of the ISM team and employees.

Resource Planning
To confirm whether it is important to include a resource planning process to support and carry out ISM activities. Resource planning comprises human and financial resources.

Risk Management
To substantiate whether risk management, which consists of risk assessment and risk treatment, is key to the success of ISM.

Business Continuity Management
To verify whether the Business Continuity Management plan and testing contribute to the success of ISM.

IS Audit
To affirm whether it is important to monitor, measure and evaluate the compliance of IS processes, controls, and activities in order to ensure the effectiveness of ISM. The main tasks relating to IS audit are the audit programme and audit findings & reporting.

III. RESULTS AND DISCUSSION
The results of data analysis are presented in the following paragraphs. To support the results, a number of interview excerpts are provided. The elements pertaining to the respective factors are shown in bold.

A. People
People refer to the individuals or teams who are directly involved in the planning, implementing, monitoring and improving the ISM processes. Six factors identified in the people aspect are the Top Management, Coordinator Team, IS Team, IS Audit Team, Employees and Third Parties.

1) Top Management
The success of ISM in the organisation is strongly associated with the knowledge, leadership, and commitment of its top management. Top management should have a clear understanding of ISM governance, objectives, and issues. Top management is accountable for ensuring the policy, procedures, processes, and controls are established, implemented and complied with by the entire organisation and the external parties. In addition, top management is also responsible for monitoring and reviewing the effectiveness of ISM as well as providing adequate resources to support ISM processes. Below are some of the comments from the participants:
•

2) ISM Team
The ISM Team consists of designated staff involved in most IS activities. The knowledge, skills, commitment, willingness and cooperation of the ISM team are desirable in carrying out the ISM processes. The team must always be updated with the current security issues and should own broad IS knowledge. Moreover, the team must be skilful, cooperative, and committed to their work tasks. They must always be willing to accept newly directed tasks.
A number of comments from the participants are presented below:
•

3) Coordinator Team
The coordinator team plays a major role in coordinating ISM activities. Major ISM documents and activities are managed by the team. The team acts as a liaison between top management, the ISM team, the IS audit team and employees. The team is responsible for organising the training and awareness programmes, managing the resources, harmonising ISM documents and presenting the progress of ISM to the top management. Thus, the team must own ISM knowledge, be committed to coordinating ISM activities and have good communication skills when communicating with other parties.
The statement is supported by the following participant's comment:
• "The coordinator team is the owner of major ISM documents. They harmonise the documents and present the progress of ISM to the top management. They also coordinate ISM activities. Therefore knowledge is very important as the team must be familiar with the whole process of ISM. Their commitment is required to conduct ISM activities such as training and awareness programmes. In order to deliver information, the team should be able to communicate effectively with all levels of staff in the organisation." -INF5

4) IS Audit Team
The IS audit team is accountable for ensuring IS controls, processes, procedures, and activities are executed correctly. The team should have appropriate knowledge of the people, processes, and procedures that need to be audited. Moreover, auditing skills, communication skills, commitment and cooperation within team members are required throughout the auditing process.
The comments below express the participants' perception of the IS audit team:
• "The IS audit team needs to be familiar with ISM objectives, designated ISM personnel, and ISM processes and procedures before implementing the auditing process. Auditing skills, commitment and cooperation among team members are essential to guarantee the effectiveness of the auditing process." -INF2
• "The IS audit team contributes to the success of ISM. The compliance with IS policy and procedures can be monitored through auditing." -INF3
• "The team's commitment is necessary to complete the auditing task in the prescribed time.

5) Employees
The organisation's employees should have awareness of the IS policy, controls, threats, and risks. The employees have to comply with the IS policy, rules, and laws in order to reduce security incidents. The motivation of the employees enhances the success of ISM implementation.
The statement is supported by the following participants' comments:
•

6) Third Parties
Third parties refer to individuals or companies involved in providing services to organisations on a contract basis for a particular period of time. To ensure the organisation's information remains secure, the third parties must be aware of and comply with the security policy, laws, and contract.
The statement is supported by the following participants' comments:
• "Awareness is not only important to the employees, but also to the third parties. Third parties' awareness contributes to the success of ISM. Third parties must be aware of the IS policy and comply with the policy." -FG1
• "The organisation receives services from third parties. Therefore, third parties have to conform to the contract and the policy. They need to sign a nondisclosure agreement. If they violate the policy or contract, the organisation must take action against them." -INF5
• "Third parties are affecting the success of ISM. They must comply with the organisation's security controls and laws." -INF4

B. Organisation
The organisation aspect refers to the strategic and technical documents that must be established and followed during the ISM processes. Two factors identified in the organisation aspect are IS policy and IS procedures.

7) IS Policy
IS policy is a strategic document that consists of objectives, directions, and rules that must be established and followed by all employees and third parties. The policy must be clear in defining IS objectives, and the roles and responsibilities of the employees and third parties. It must be comprehensive, covering the requirements and controls set by the ISM standards, and aligned with the organisation's mission and vision. IS policy shall be reviewed regularly to ensure it is relevant to present needs and must be communicated to the employees, stakeholders and third parties.
A number of comments from the participants are presented below:
• "The scope of the IS policy should be broad, covering all IS requirements and the parties involved in the organisation. In addition, the policy should be reviewed regularly. It is not a static document. The policy must be communicated to the entire organisation through multiple channels such as the organisation's website or pamphlets." -INF5
• "IS policy is a strategic document and must be established before performing any IS activities. The policy is important to the success of ISM. The goals and objectives of the policy must be clear and understandable. The policy should be reviewed at least once a year and be communicated to all employees, third parties and stakeholders." -FG1
• "A comprehensive security policy covers all security aspects. The periodic review must be done to make sure the policy is up to date. Most importantly, the policy must be communicated to everyone." -INF2
• "In developing the IS policy, each component in the policy must be identified thoroughly. It includes the controls and responsibilities of the delegated personnel and employees. Based on international standards, the policy should also be revealed to the entire organisation." -FG4

8) IS Procedures
IS procedures are the operating guidelines that contain a series of actions explaining how to perform IS processes. The procedures are directly derived from the IS policy. To ensure the implementation of ISM is executed appropriately and correctly, the procedures must be clear and completely describe the steps to accomplish IS processes or activities. The procedures should be reviewed periodically or when the environment changes, and must be communicated among IS team members.
Some of the comments from the participants are presented below:
• "Recently, many IS procedures have been developed in the organisation, for example the 'password change procedure'. All steps in the procedure need to be correctly followed. Thus, the procedure must be clear and complete to enable users to follow the prescribed steps." -FG3
• "The clarity and completeness of the procedure can be seen from the steps written in the procedure. It is more understandable if the procedure is complete and explains in detail the steps to be taken. The objective, roles and responsibilities should be included in the procedure." -FG4
• "The clarity of procedures is similar to the clarity of IS policy. However, the procedures must be more specific. The procedures need to be frequently reviewed and communicated to the team members as the members turn in and out of the organisation." -

9) Resource Planning
Resource planning is essential to support and perform ISM processes. Resource planning consists of financial resources and human resources. Financial resources comprise the cost of buying new assets and maintaining existing assets, the cost of manpower and the cost to perform IS activities. Meanwhile, human resources refer to the teams or individuals to be engaged in ISM activities.
The statements are supported by the following participants' comments:
• "The more manpower is allocated, the faster tasks can be completed.

10) Competency Development and Awareness
The competency and awareness of the ISM team, IS audit team, employees and third parties can be gained through training and awareness programmes. The purpose of the training programmes is to ensure that people have the knowledge and skills for handling each task. Meanwhile, the purpose of the awareness programmes is to ensure people are aware of the IS policy, threats and risks, as well as their roles and responsibilities.
A number of comments from the participants are presented below:
•

11) Risk Management
Risk management is the key process in ISM. Risk management is a process of measuring and analysing the risk levels and taking appropriate actions to control the risks. The two major components of risk management are risk assessment and risk treatment. Risk assessment involves sub-activities such as establishing the risk acceptance criteria, identifying assets and threats, determining the impacts and probability of risk occurrence, and determining the risk levels. Risk treatment involves implementing protection strategies based on the risk assessment results.
The statements are supported by the following participants' comments:
• "Risk management is an important process in ISM.
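The risk assessment and risk treatment sub-activities described above, worked through as a small risk register. This is an added example and not part of the paper or its study; it assumes a 5x5 likelihood-by-impact scale, a constructed acceptance criterion (residual level 6 or below is acceptable), and constructed sample assets, threats and controls.

```python
from dataclasses import dataclass, field

# Added illustration, not from the paper. Assumed 5x5 qualitative scale:
# likelihood and impact are each rated 1..5 and the risk level is their product.
# Constructed risk acceptance criterion: residual level <= 6 is acceptable.
ACCEPTANCE_THRESHOLD = 6
SCALE_MIN, SCALE_MAX = 1, 5


def risk_level(likelihood: int, impact: int) -> int:
    """Risk level = likelihood x impact; rejects ratings outside the scale."""
    for value in (likelihood, impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"rating {value} outside {SCALE_MIN}..{SCALE_MAX}")
    return likelihood * impact


def risk_band(level: int) -> str:
    """Qualitative band for a numeric level (constructed thresholds)."""
    if level <= 6:
        return "Low"
    if level <= 12:
        return "Medium"
    return "High"


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from the likelihood rating
    impact_reduction: int = 0      # points removed from the impact rating


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)  # planned treatment

    def inherent_level(self) -> int:
        return risk_level(self.likelihood, self.impact)

    def residual_level(self) -> int:
        """Level after the planned controls; ratings never drop below 1."""
        lik = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return risk_level(max(SCALE_MIN, lik), max(SCALE_MIN, imp))

    def decision(self, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
        """Treatment decision against the acceptance criterion."""
        if self.inherent_level() <= threshold:
            return "accept"      # already within criteria, no treatment needed
        if self.residual_level() <= threshold:
            return "mitigate"    # planned controls bring it within criteria
        return "escalate"        # still above criteria: further treatment or explicit management acceptance


def treatment_plan(register, threshold=ACCEPTANCE_THRESHOLD):
    """Rows of (asset, threat, inherent, residual, decision), highest residual first."""
    rows = [(r.asset, r.threat, r.inherent_level(), r.residual_level(), r.decision(threshold))
            for r in register]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample register (illustrative values, not data from the study).
SAMPLE_REGISTER = [
    Risk("HR records", "unauthorised access by departing staff", 4, 4,
         [Control("access revocation in offboarding procedure", 2),
          Control("least-privilege role review", 1, 1)]),
    Risk("public website", "defacement", 3, 2),
    Risk("staff email", "phishing leading to credential theft", 5, 4,
         [Control("awareness programme", 1), Control("multi-factor authentication", 2, 1)]),
    Risk("backup tapes", "loss in transit", 2, 5),
]

if __name__ == "__main__":
    for asset, threat, inherent, residual, decision in treatment_plan(SAMPLE_REGISTER):
        print(f"{asset:14} {threat:42} {inherent:2} ({risk_band(inherent):6}) -> "
              f"{residual:2} ({risk_band(residual):6}) {decision}")
```

The "escalate" row is the one a coordinator team would bring to top management, since the residual risk still exceeds the acceptance criteria and needs either more treatment or an explicit acceptance decision.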

12) IS Audit
IS audit is one of the requirements in ISM standards. Through the IS audit process, the compliance of IS policy, procedures, processes, controls and activities can be monitored, measured and evaluated. The components of the audit process are the audit programme, which consists of audit planning, audit execution, and auditor training; audit findings and reporting; and the follow-up audit, which checks the corrective and preventive actions that have been taken. Below are some of the comments from the participants:
• "IS audit is one of the requirements in ISM standards.

13) Business Continuity Management
Business continuity management ensures the organisation's business operates smoothly during and after unintended events. When unintended events occur, the business continuity plan, which outlines the resources, processes, procedures, and responsibilities, should be activated. The organisation shall carry out periodic tests of the business continuity plan to ensure its validity and effectiveness. Below are some comments from the participants:
• "The important thing in Business Continuity Management is the business continuity plan. The organisation should determine the IS requirements and these must be embedded in the business continuity plan. The plan outlines the processes, procedures, resources and responsibilities for controlling incidents or disasters." -INF4
• "Business continuity plan and simulations are closely related to each other. The business continuity plan should be developed, documented and approved by the top management. The plan must be tested to observe its effectiveness." -FG3
• "Organisations that adopt the ISM standard must implement business continuity management. The purpose of business continuity management is to ensure the sustainability of the organisation's operations during and after unintended events. The business continuity plan should be activated when unintended events occur." -FG1

Table 5 lists the significant ISM success factors together with their corresponding elements that were found in the theoretical and empirical data. The factors and elements that were gathered in the theoretical data or agreed in the empirical data are marked with '√'. The factors and elements that were not supported by theoretical or empirical data are marked with 'x'. The numbers in brackets represent the number of participants who agreed with or supported the existence of the data. For example, 3/9 means three out of nine participants agreed on the factor and element. The factors and elements were categorised into three aspects, which are People, Organisation and Process.
The empirical study has confirmed that most factors found in the theoretical study are relevant to the success of ISM. Several new factors and elements were added in the people, organisation, and process aspects. The new elements added in the people aspect are the knowledge of top management, the cooperation and willingness of the ISM team, and the cooperation and communication skills of the audit team. In addition, the people aspect includes one new factor, namely the coordinator team. The elements under the coordinator team are knowledge, commitment and communication skills.
In terms of the organisation aspect, reviewed procedures is the new element considered in the IS procedures factor. Meanwhile, in the process aspect, follow-up audit is the new element of the IS audit factor.
The findings indicate that IS policy, competency development and awareness, and risk management are the factors most agreed upon by the participants. Likewise, the majority agreed that the leadership and commitment of top management; the knowledge, skills and commitment of the ISM team; and the knowledge of the IS audit team are essential for ISM initiatives. In addition, resource planning and business continuity management were also highlighted by the participants. On the other hand, the knowledge, commitment and communication skills of the coordinator team, as well as the cooperation of the IS audit team, are less supported in the empirical study.