An information security framework for reducing information security costs and sustaining information security culture

Authors

Govender, Sunthoshan G.

Issue Date

2023-06-13

Type

Thesis

Language

en

Keywords

Information security, Information security architecture, Information security assessment, Information security culture, Information security cost, Information security framework, Information security risk, Organisational behaviour, Organisational culture, Design science research

Abstract

As the velocity and volume of data breaches increase, information security is a cornerstone of the sustainability of business functionality in organisations. The focus of traditional information security has been to address concerns through the implementation of technology. Nonetheless, the profound catalyst behind data breaches often stems from the influence of individuals on information security, necessitating human involvement to bolster the intricate array of information security technologies. Elevating the information security culture among staff members should stand as a pivotal impetus in tandem with the enhancement of information security technology. This leads to a greater need to focus on sociological solutions with lesser emphasis on technological solutions. This research aims to concentrate on mitigating the risks associated with information security breaches through the enhancement of information security culture, while decreasing the overall expenses tied to managing information security within organisations. The study was conducted using Design Science Research Methodology (DSRM), wherein artefacts, including three models, a framework and a supporting evaluation tool were developed. Through the DSRM process, these artefacts were evaluated, tested and iteratively improved. The results obtained from the assessments of the framework and tool demonstrated their efficacy in enabling organisations to derive value by assessing their security posture, prioritising cost-reduction endeavours, and formulating strategies to enhance information security culture. The practical significance of this research lies in the fact that the developed framework and tool offer a streamlined and comprehensive approach to appraising an organisation's information security status, particularly emphasising nontechnical aspects for improvement.
What sets these artefacts apart is their unique integration of elements that emphasise the human impact on information security, aligning with both cost-reduction goals and the enhancement of security assessment within an organisation. Through testing, second iterations of the framework and tool were designed along with a web-based application for using the framework. Information was also gathered to be able to determine a roadmap to further improve the framework and tool over time.
