To read the full version of this content please select one of the options below:

Perception of risk and the strategic impact of existing IT on information security strategy at board level

Elspeth McFadzean (Centre for Business in the Digital Economy, Henley Management College, Henley on Thames, UK)
Jean‐Noel Ezingeard (Centre for Business in the Digital Economy, Henley Management College, Henley on Thames, UK)
David Birchall (Centre for Business in the Digital Economy, Henley Management College, Henley on Thames, UK)

Online Information Review

ISSN: 1468-4527

Article publication date: 2 October 2007

Abstract

Purpose

Information security is becoming increasingly more important as organisations are endangered by a variety of threats from both its internal and external environments. Many theorists now advocate that effective security policies should be created at senior management level. This is because executives are able to evaluate the organisation using a holistic approach as well as having the power to ensure that new systems and procedures are implemented in a timely manner. There is, however, a continuing lack of understanding regarding the strategic importance of managing information security. In addition, there is a gap in the literature on the relationship between directors and information security strategy. This paper attempts to close this gap by exploring how directors perceive their organisation's security and what factors influence their decisions on the development and implementation of information security strategy.

Design/methodology/approach

The research is based on constructivist grounded theory. Forty‐three interviews were conducted at executive level in 29 organisations. These interviews were then coded and analysed in order to develop new theory on directors' perception of risk and its effect on the development and implementation of information security strategy.

Findings

The analysis shows that senior managers' engagement with information security is dependent on two key variables: the strategic importance of information systems to their organisation and their perception of risk. Additionally, this research found that these two variables are affected by both organisational contextual factors and the strategic and operational actions undertaken within the business. Furthermore, the results demonstrated that the two board variables also have an impact on the organisation's environment as well as its strategic and operational actions. This paper uses the data gathered from the interviews to develop a model of these factors. In addition, a perception grid is constructed which illustrates the potential concerns that can drive board engagement.

Practical implications

The paper illustrates the advantages of using the perception grid to understand and develop current and future information security issues.

Originality/value

The paper investigates how organisational directors perceive information security and how this perception influences the development of their information security strategy.

Keywords

Citation

McFadzean, E., Ezingeard, J. and Birchall, D. (2007), "Perception of risk and the strategic impact of existing IT on information security strategy at board level", Online Information Review, Vol. 31 No. 5, pp. 622-660. https://doi.org/10.1108/14684520710832333

Publisher

:

Emerald Group Publishing Limited

Copyright © 2007, Emerald Group Publishing Limited