
Kayworth and Whitten 2010 Misqe

Effective Information Security Requires a Balance of Social and Technology Factors

MIS Quarterly Executive

Tim Kayworth, Baylor University (U.S.)
Dwayne Whitten, Texas A&M University (U.S.)

Executive Summary
Industry experts have called for organizations to be more strategic in their approach to information security, yet it has not been clear what such an approach looks like in practice or how firms actually achieve this. To address this issue, we interviewed 21 information security executives from 11 organizations. Our results suggest that a strategically focused information security strategy encompasses not only IT products and solutions but also organizational integration and social alignment mechanisms. Together, these form a framework for a socio-technical approach to information security that achieves three objectives: balancing the need to secure information assets against the need to enable the business, maintaining compliance, and ensuring cultural fit. The article describes these objectives and the security alignment mechanisms needed to achieve them and concludes with guidelines that can be applied to ensure effective information security management in different organizational settings.

INFORMATION SECURITY HAS BECOME A STRATEGIC ISSUE
Information security continues to be a major concern among corporate executives. The threat of terrorism, a growing dependence on the Internet, globalization, and new government regulations requiring companies to protect data have heightened awareness of the need for effective corporate governance of information security. Further, the staggering financial and reputational loss associated with large-scale data breaches has made executives acutely aware of the need to protect corporate
