
INFORMATION SECURITY

RESEARCH RELEVANCE

In the light of Von Solms’ analysis of the beneficial effects of the exchange of practices between Corporate Governance and Security Governance, research into Corporate Governance practices is needed. Following the strategic organisational theory of De Wit & Meyer [216], De Haes and Van Grembergen researched “effective” IT governance practices and their ease of implementation [217]. Their governance practices have been successfully applied in organisations and are therefore also relevant to the aim of this research.

3.1.7 INTERVENTIONS & PRACTICES

An intervention is an activity or event that changes the current status quo into a desired state, i.e. it involves the development of the organisation. In relation to the maturing process of Information Security within the organisation, this requires insight into the current situation, maturity models that relate to this view, and insight into the activities and events an organisation needs to attend to in order to achieve the desired state. Cummings and Worley [218] define the term intervention as “a sequence of activities, actions, and events intended to help an organisation improve its performance and effectiveness”. In order to establish a desired outcome the authors emphasise the importance of intervention “design principles”: “Intervention design, or action planning, derives from careful diagnosis and is meant to resolve specific problems and to improve particular areas of organisational functioning identified in the diagnosis.” In order to distinguish effective interventions that are relevant for the influence and measurement of Business and IT Alignment (BITA), Pols [123] adopted the Cummings and Worley method in order to establish a core set of interventions that contribute to influencing and measuring BITA. These interventions have been applied in consultancy practices throughout the Netherlands.

Therefore, in this research project, we also adopt the Cummings and Worley design principles for interventions, such as the situational factors that must be considered when designing any intervention [219]. In this research we refer to the following, more precisely formulated, situational factors: Barriers, Practices, Critical Success Factors and Preconditions that enable or limit organisational development (OD). The authors also refer to readiness for change. This element is addressed in this research through the use of numerous methods to engage all relevant stakeholders (i.e. mid-market companies, security professionals, experts, target groups) [220], [221]. The capability to change is addressed through the element “resource capabilities”, which denotes the elements that are required in order to determine capability (skills, experience, competences, knowledge) and ability (willingness, commitment, culture) [222]. By engaging the environment (organisations) in this research project, the Capabilities of the Change Agent are addressed, given that “Many failures in OD result when change agents apply interventions beyond their competence”. An interesting finding from Pols’ research is that most of the derived interventions are indeed general Business Management practices (page 439). An interesting research assumption in relation to BIS is whether the interventions and practices that can be applied to BIS in fact originate in generic business management principles.

¹⁸ ISO/IEC 38500 is the international standard for corporate governance of information technology (IT).

[Figure: governance model diagram; labels: Governance, Control, Accountability, Delegation, IT environment, Business environment, Plan, Implementation, Control, Business IT Alignment.]

PRACTICE

In the context of this research project we refer to a practice as a working method or activity introduced to establish or maintain a certain state. A collective set of practices can be part of a larger whole, e.g. an intervention. In this research project we treat interventions as a set or sequence of activities, working methods or practices with the objective of helping an organisation improve BIS maturity. A security control such as identity and access management is treated as a control that forms part of one or more activities. As mentioned above, a situational factor can be a practice that is applied prior to the execution of the intervention in order to increase its effect [218].

3.1.8 STRUCTURES, PROCESSES AND RELATIONAL MECHANISMS

Strategic management theories address the core purpose of the company and the desired organisational design needed to achieve business goals. These methods capture all of the dimensions that could influence the desired outcome. In the book Strategy Synthesis, De Wit and Meyer [223] advance a strategic organisational theory containing three major components of an organisation. Firstly, Organisational Structures (the firm’s anatomy), for instance the hierarchical reporting lines within a firm or towards regulators or other stakeholders. Secondly, Organisational Processes (the firm’s physiology), i.e. processes and procedures for the most efficient organisation of a firm: escalation and communication processes; knowledge and competence processes. Finally, they distinguish Organisational Culture (the psychology of the organisation), e.g. awareness, participation and collaboration.

In this research we use the more exhaustive terminology Relational Mechanisms (RM) because it addresses additional soft and intangible factors of an organisation such as perceptions, attitudes, behaviour, leadership, etc.

This SPRM theory, which was successfully applied in several previous studies [105], [111], led to an effective framework for the Enterprise Governance of IT. Due to the research work of Steven De Haes at Antwerp Management School and his involvement in the COBIT5 for Information Security review process, ISACA adopted the integration of SPRM into the COBIT5 model [56]. Hence this management model, which was based on work by De Wit and Meyer, is being successfully applied by boards to enable better dialogue with upper management. This theory-based business approach also shows its practical contribution [187] in the financial sector environment in Belgium as well as in Bodies of Knowledge such as ISACA’s COBIT5 for Information Security [56]. Hence the De Wit and Meyer theory, which enables a decomposition of the strategic elements, increases the awareness of upper management and categorises the numerous interventions and practices to be explored, is considered in this research project.

3.1.9 REQUIREMENTS

There are several forms of requirements. The International Institute of Business Analysis (IIBA), in its Guide to the Business Analysis Body of Knowledge (BABOK), classifies several types of requirements. Three major ones are:

− Business requirements relate to the overall statements of the business goals, objectives, or needs of an organisation.

− Architectural requirements relate to identifying the necessary system structure and system behaviour.

− User (stakeholder) requirements relate to mid-level statements of the needs or demands of a particular stakeholder (regulators, customers, civilians) or group of stakeholders. They usually describe how someone wants to interact with the intended solution, often acting as a mid-point between the high-level business requirements and more detailed solution requirements¹⁹.

According to Wieringa [224], “A requirements specification consists of a specification of product objectives and a specification of required product behavior”. “The generic objective of any product is to answer needs that exist in its environment. Any development process starts with a statement of product objectives and produces behaviour specifications and product decompositions along the way”. Wieringa defines business needs as the initial starting point for setting requirements. The needs, for example business problems, are translated into product objectives, which are defined in terms of the product and specifications of the desired behaviour of the product. Each product specification is a statement of objectives for its subsystems. In client-oriented development, “the needs of the client may even change because of the determination of objectives. This is called requirements uncertainty. The characteristic feature of product evolution is that an evaluation of experience of the product after it is developed, leads to a (re)development of the product. The logical structure of product evolution is the same as the logical structure of feedback control” [224].

We call the initial process of defining functional and non-functional technical requirements in the first iteration of the artefact an ‘experiment’. It is not necessary to be completely precise and exhaustive when exploring these requirements. The initial aim is to establish initial requirements that cover most of the problem. The objective is to engineer an artefact that can serve numerous stakeholder needs and, due to its experimental stage, accept uncertainty and ‘fuzziness’ during development [225]. In later iterations of the artefact, additional requirements can be built in, based on reflections and feedback from the user community. Because, as Wieringa [224] notes for client-oriented development, the needs of the client may change as objectives are determined (requirements uncertainty), and because product evolution follows the logical structure of feedback control, in this thesis practical problems and business issues relate to “business requirements”. These items require something from the business in order to bring about the desired outcome or solve a particular problem. This can be achieved by articulating and implementing certain functional or non-functional requirements in an artefact.

¹⁹ Source: A Guide to the Business Analysis Body of Knowledge (BABOK) Guide version 3