
Exploring the factors influencing the adoption of ISMS standards or frameworks PDF

123 Pages·2017·2.19 MB·English

Exploring the factors influencing the adoption of ISMS standards or frameworks

Kai Song

A dissertation submitted to the University of Dublin in partial fulfilment of the requirements for the degree of MSc in Management of Information Systems

1st September 2017

Declaration

I declare that the work described in this dissertation is, except where otherwise stated, entirely my own work, and has not been submitted as an exercise for a degree at this or any other university. I further declare that this research has been carried out in full compliance with the ethical research requirements of the School of Computer Science and Statistics.

Signed: _______________________________
Kai Song
1st September 2017

Permission to lend and/or copy

I agree that the School of Computer Science and Statistics, Trinity College may lend or copy this dissertation upon request.

Signed: _____________________________________
Kai Song
1st September 2017

Acknowledgements

I would like to thank my supervisor, Brian O'Kane, for his invaluable advice, encouragement and guidance throughout this research. I would like to thank my best friend, Dr. Bryan Duggan, for his constant advice and guidance at all stages of this research, without whom I could not have completed it. I would like to acknowledge my colleagues for their support and encouragement over the past two years. I would also like to thank all the participants who responded to my online survey and took the time to complete it, without whom this research would not have been possible. Finally, I must thank my parents and sister for their love and support. They have been very caring throughout the duration of this course.

Abstract

In the world of new technologies, information, as a key corporate resource, is often regarded as the lifeblood of business. It is imperative for organisations to protect information assets through a system of information security to ensure organisational competencies. As a result of the continued escalation of cyber-attacks and the increasingly regulated data protection landscape, organisations tend to comply with Information Security Management System (ISMS) best practices. This research attempts to unveil the reasons for the low adoption of ISMS standards or frameworks. In addition, it draws a clear picture of the currently popular ISMS standards and frameworks and of their adoption status, benefits, drivers, and adoption challenges. These findings provide a greater understanding and a comprehensive analysis of the factors influencing the adoption of ISMS standards or frameworks. The research is based on an extensive literature review and on quantitative data collected from 92 IT or information security professionals through an online survey. Findings indicate that human factors and external influences are the two main factors influencing adoption. Human factors include defining the scope, change resistance, obtaining employee buy-in, conducting risk assessments, and creating and managing ISMS documents. External influences include the cost of implementation and the complexity of ISMS standards and frameworks.

Table of Contents

Chapter 1 – Introduction ..... 1
1.1 Context and Background ..... 1
1.2 Objectives ..... 3
1.3 Research Questions ..... 3
1.4 Beneficiaries of Research ..... 4
1.5 Scope of Research ..... 4
1.6 Chapter Structure ..... 5

Chapter 2 – Literature Review ..... 6
2.1 Background ..... 6
2.2 Definition of ISMS ..... 7
2.3 ISMS Standards and Frameworks ..... 8
2.3.1 ISO 27001 ..... 8
2.3.2 PCI DSS ..... 9
2.3.3 COBIT ..... 10
2.3.4 ITIL ..... 11
2.4 Key factors affecting information security management and limitations of existing research ..... 12
2.4.1 Senior Management Commitment ..... 12
2.4.2 External influences ..... 15
2.4.3 Human factors ..... 18
2.5 Summary of the literature ..... 22

Chapter 3 – Methodology and Fieldwork ..... 24
3.1 Research Philosophies ..... 24
3.2 Inductive Research Approach ..... 32
3.3 Research Design ..... 33
3.4 Quantitative Research Method ..... 34
3.5 Research Purpose ..... 35
3.6 Research Strategy ..... 36
3.7 Samples ..... 37
3.8 Time Horizon ..... 38
3.9 Ethics of the research ..... 38
3.10 Limitations ..... 38
3.11 Lessons Learned ..... 39
3.12 Summary ..... 39

Chapter 4 – Findings and Analysis ..... 40
4.1 Introduction ..... 40
4.2 Research Strategy ..... 40
4.3 Data Analysis ..... 43
4.4 Analysis Results ..... 45
Section 1 – Organisation Profile ..... 46
Section 2 – Participant Profile ..... 49
Section 3 – Information Security Environment ..... 50
Section 4 – Challenges and Barriers ..... 63
Section 5 – Benefits of adopting ISMS standards or frameworks ..... 69
Section 6 – Plans for the future ..... 71
4.5 Summary of Findings ..... 74

Chapter 5 – Conclusions and Future Work ..... 76
5.1 Introduction ..... 76
5.2 Research questions and objectives ..... 76
5.3 Research Findings ..... 77
5.4 Research questions and answers ..... 80
5.5 Generalisability of Findings ..... 82
5.6 Limitations of research ..... 83
5.7 Future Research Opportunities ..... 84
5.8 Summary ..... 85

References ..... 87

Appendices ..... 98
Appendix A: Ethics Approval ..... 98
Appendix B: Information Sheet for Participants ..... 101
Appendix C: Informed Consent Form ..... 104
Appendix D: Online Survey Questions ..... 107

List of Figures

Figure 2.1 PDCA Model (Humphreys, 2011) ..... 9
Figure 2.2 COBIT 5 Principles (Source: ISACA, COBIT 5, USA, 2012) ..... 11
Figure 2.3 Key factors affecting information security management ..... 12
Figure 2.4 External Influences – Conceptual Framework ..... 16
Figure 2.5 External Influences in detail ..... 17
Figure 2.6 Human Factors (Alavi et al., 2014) ..... 20
Figure 3.1 Philosophy's place in research model (Lee & Lings, 2008) ..... 25
Figure 3.2 Philosophy Assumptions ..... 26
Figure 3.3 Inductive and deductive approach ..... 33
Figure 3.4 Main stages of the research ..... 34
Figure 4.1 Business Sector ..... 47
Figure 4.2 Company Size ..... 48
Figure 4.3 Key Stakeholders for making ICT decisions ..... 49
Figure 4.4 No. of years of ICT management experience ..... 50
Figure 4.5 ISMS in business sector ..... 51
Figure 4.6 ISMS and senior management ..... 53
Figure 4.7 ISMS and company size ..... 54
Figure 4.8 ISMS owner ..... 55
Figure 4.9 The adoption status of ISMS standards or frameworks ..... 56
Figure 4.10 ISMS status in each business sector ..... 57
Figure 4.11 ISMS status in different business sizes ..... 58
Figure 4.12 Adopted ISMS standards or frameworks ..... 59
Figure 4.13 Adopted ISMS standards or frameworks in four business sectors ..... 60
Figure 4.14 The average cost of ISMS standards or frameworks adoption ..... 61
Figure 4.15 Main drivers of adopting ISMS standards or frameworks ..... 62
Figure 4.16 Difficulties in choosing ISMS standards or frameworks ..... 65
Figure 4.17 Main barriers to adopting ISMS standards or frameworks ..... 67
Figure 4.18 Control areas where participants had concerns ..... 69
Figure 4.19 Benefits to overall organisation ..... 70
Figure 4.20 Benefits to ICT team ..... 71
Figure 4.21 Reasons why not to adopt ISMS standards or frameworks ..... 72
Figure 4.22 How to improve the adoption rate ..... 73

List of Tables

Table 3.1 Philosophical assumptions (Saunders et al., 2016) ..... 26
Table 3.2 Positivism, interpretivism and pragmatism ..... 30
Table 3.3 Comparison of inductive and deductive approach ..... 32
Table 4.1 Information Security Groups on LinkedIn ..... 41
Table 4.2 Information Security communities on ISACA ..... 43
Table 4.3 Overview of responses ..... 45
Table 4.4 Participant Position ..... 50
Table 4.5 ISMS and company size ..... 53
Table 4.6 External resources ..... 63
Table 4.7 Challenges and barriers ..... 65
Table 4.8 Challenges of convincing the board ..... 68
Table 5.1 Confidence Level and z-score ..... 83
