Chapter 4 A Model of IS/IT Security Governance: The Role of the Boards and Senior Management within
4.7 Comparison between the IS/IT Security Governance Model and other existing security models
To date, a number of security models and theories have been developed to improve IS/IT security within organisations. This section compares the IS/IT Security Governance Model with the models of other researchers and the security models found in the literature, analysing their strengths and weaknesses. The weaknesses identified in these earlier security models are addressed in the IS/IT Security Governance Model.
Mishra et al. (2007) stressed the importance of three elements in IS/IT security: the Formal, Technical and Informal aspects. Mishra's theoretical framework proposes that managing people, including the security culture and the individual values and beliefs within an organisation, is crucial to ensuring that the policies and technical procedures relating to IS/IT security are followed. Mishra's framework applies anomie theory, which comes from the sociology discipline, to investigate IS/IT security behaviour within groups. Anomie theory is useful in IS/IT security because it accounts for the cultural and environmental pressures that lead people to follow organisational rules and norms. However, Mishra's theoretical framework addressed only the management of the Informal aspects and did not align them with the Technical and Formal aspects; the interactions between the three components were not presented in Mishra's paper. Therefore, this study proposes that the implementation of the three components, and the interaction between them, is needed within the IS/IT Security Governance Model in order to overcome the limitations of Mishra's model.
Other researchers, Straub et al. (1998), applied General Deterrence Theory (GDT) from criminology within a risk planning model in order to reduce security incidents in organisations. GDT comprises four sequential lines of action: Deterrence, Prevention, Detection and Remedy. In the IS security risk planning model of Straub et al. (1998), which is based on GDT, countermeasures operate as successive lines of control. If potential offenders ignore the Deterrence control, the next line of control, Prevention, takes effect. Remedy controls are applied when there is non-compliance with the first three lines; examples of Remedy controls are warnings, reprimands, termination of employment and legal action. Clearly, the directing elements of IS/IT security were present in Straub's model. However, the model of Straub et al. (1998) has limitations in that the monitoring element performed by the Board and senior management was given less emphasis. If the internal security controls of these lines are not effectively monitored by the supervisor of the responsibility, the organisation is likely to re-invent the wheel from time to time. The investment in resources may not be recovered, or the Return on Investment (ROI) may not be adequate.
To address these weaknesses, the IS/IT Security Governance Model proposes that effective internal controls and monitoring of policies and procedures will help organisations to achieve the goals set by their directives. The monitoring process helps the supervisor of the responsibility to detect risks and to take immediate action by improving the directives for achieving IS/IT security. For example, through the monitoring action of IS/IT security governance, the implementation of the lines of control in Straub's model can be evaluated. After evaluation, management can improve its directive actions, such as endorsing new policies, changing management strategies and approving security budgets for establishing security controls. The role of the Board and senior management is crucially important in the IS/IT Security Governance Model because they are responsible for, and have the authority to respond to, all types of business risk.
The next model considered is ISO 17799. IS/IT security standards such as ISO 17799 have been used internationally to improve IT security management practices within organisations. The standard is comprehensive and is regarded as the best reference framework for IT security management, covering multiple facets that range from technical, human and legal issues to business survivability. External standards such as ISO 17799 can be used as a reference for internal policy development and as a tool for achieving internal policy. However, ISO 17799 has limitations in the way that IS/IT security controls are practised: it focuses on the existence of processes rather than on how effectively those processes are implemented (Siponen, 2006). As an example, the topic, the goal and the prescription of one section of the ISO 17799 standard are presented below.
Topic: 6.2 User Training (BS ISO/IEC 17799:2000, p. 11)
Goal: To ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work. (BS ISO/IEC 17799:2000, p. 11)
Prescription: Users should be trained in security procedures and the correct use of information processing facilities to minimize possible security risks. (SSE-CMM, 2003, p. 319)
The standard merely requires that employees follow its contents; it does not provide strategies for achieving this. Having the standard in place does not guarantee that the goal of IS/IT security is achieved. To overcome this problem, the IS/IT Security Governance Model proposes the application of internal controls over the intended goals. The internal controls help management to determine whether particular elements have achieved their objectives. The IS/IT Security Governance Model highlights the important roles of the supervisor of the responsibility and the holder of the responsibility in ensuring that the internal controls are applied to achieve the specific goals of the standard.