To read this content please select one of the options below:

Information security management objectives and practices: a parsimonious framework

Qingxiong Ma (Department of Computer Information Systems, University of Central Missouri, Warrensburg, Missouri, USA)
Allen C. Johnston (Department of Accounting and Information Systems, University of Alabama Birmingham, Birmingham, Alabama, USA)
J. Michael Pearson (Department of Management, Southern Illinois University, Carbondale, Illinois, USA)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 18 July 2008




As part of their continuing efforts to establish effective information security management (ISM) practices, information security researchers and practitioners have proposed and developed many different information security standards and guidelines. Building on these previous efforts, the purpose of this study is to put forth a framework for ISM.


This framework is derived from the development of an a priori set of objectives and practices as suggested by literature, standards, and reports found in academia and practice; the refinement of these objectives and practices based on survey data obtained from 354 certified information security professionals; and the examination of interrelationships between the objectives and practices.


The empirical analysis suggests: four factors (information integrity, confidentiality, accountability, and availability) serve as critical information security objectives; most of the security areas and items covered under ISO 17799 are valid with one new area – “external” or “inter‐organizational information security”; and for moderately information‐sensitive organizations, “confidentiality” has the highest correlation with ISM practices; for highly information‐sensitive organizations, “confidentiality”, “accountability”, and “integrity” are the major ISM objectives. The most important contributor to information security objectives is “access control”.

Research limitations/implications

This study contributes to the domain of information security research by developing a parsimonious set of security objectives and practices grounded in the findings of previous works in academia and practical literature.

Practical implications

These findings provide insights for business managers and information security professionals attempting to implement ISM programs within their respective organizational settings.


This paper fulfills a need in the information security community for a parsimonious set of objectives and practices based on the many guidelines and standards available in both academia and practice.



Ma, Q., Johnston, A.C. and Pearson, J.M. (2008), "Information security management objectives and practices: a parsimonious framework", Information Management & Computer Security, Vol. 16 No. 3, pp. 251-270.



Emerald Group Publishing Limited

Copyright © 2008, Emerald Group Publishing Limited

Related articles