Examining Impacts of Organizational Capabilities in Information Security: A Structural Equation Modeling Analysis
Open Access
As information technologies, global connectedness, and business requirements continue to evolve at a fast pace, organizations must recognize the importance of implementing an overall information security strategy to protect business information assets from increasingly sophisticated threats. Given the dynamic pace of business environments, the identification and understanding of the required capabilities to deliver an information security strategy becomes a key success factor. At the strategic level, organizations must be able to answer the question, "What are the minimum essential organizational capabilities required to support effective planning and execution of an overall information security strategy that best achieves organizational objectives and gains competitive advantage?" This research identifies a set of essential organizational capabilities in the context of information security and examines the impacts of these organizational capabilities on information security strategy implementation success and organization performance. Organizational capabilities in this study include four factors: sense-making, decision making, asset availability, and operations management. Based on existing literature in strategic management and information security, an original theoretical model was proposed and validated. A self-administered survey instrument was developed to collect empirical data from Certified Information Systems Security Professionals. Structural equation modeling techniques were used to test hypotheses and to fit the hypothesized model. Evidence from this research suggests that organizational capabilities encompassing sense-making, asset availability, and operations management are positively associated with successful implementation of information security strategy, which in turn positively affects organization performance. 
In addition, this research demonstrates the indirect effects of the respective organizational capabilities on organization performance. However, significant effects of decision making on information security strategy implementation success and on organization performance are not evidenced. This research provides the first empirical examination of the impacts of organizational capabilities, which can be used as a roadmap for further research in information security from an organizational perspective. Additionally, this study contributes to the research community an original survey instrument that can be applied or built upon to collect data that furthers existing knowledge on the impacts of intangible assets in information security.

Research findings yield practical value for organizations in the private and public sectors by providing their decision and policy makers a better understanding of the viable predisposition of organizational capabilities in the context of information security, thus enabling firms to focus on acquiring the ones indispensable for improving organization performance. This research also provides insights into the challenges information security professionals continue to face concerning organizational governance. Awareness of these shortcomings gives organizations' leaders opportunities to make the necessary changes in direction that enable information security professionals to succeed in their missions of protecting information and information assets.