{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,3]],"date-time":"2025-10-03T22:15:29Z","timestamp":1759529729227,"version":"3.41.2"},"reference-count":37,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2008,7,18]],"date-time":"2008-07-18T00:00:00Z","timestamp":1216339200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2008,7,18]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>As part of their continuing efforts to establish effective information security management (ISM) practices, information security researchers and practitioners have proposed and developed many different information security standards and guidelines. Building on these previous efforts, the purpose of this study is to put forth a framework for ISM.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>This framework is derived from the development of an a priori set of objectives and practices as suggested by literature, standards, and reports found in academia and practice; the refinement of these objectives and practices based on survey data obtained from 354 certified information security professionals; and the examination of interrelationships between the objectives and practices.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>The empirical analysis suggests: four factors (information integrity, confidentiality, accountability, and availability) serve as critical information security objectives; most of the security areas and items covered under ISO 17799 are valid with one new area \u2013 \u201cexternal\u201d or \u201cinter\u2010organizational information security\u201d; and for moderately information\u2010sensitive organizations, \u201cconfidentiality\u201d has the highest correlation with ISM practices; for highly information\u2010sensitive organizations, \u201cconfidentiality\u201d, \u201caccountability\u201d, and \u201cintegrity\u201d are the major ISM objectives. The most important contributor to information security objectives is \u201caccess control\u201d.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Research limitations\/implications<\/jats:title><jats:p>This study contributes to the domain of information security research by developing a parsimonious set of security objectives and practices grounded in the findings of previous works in academia and practical literature.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title><jats:p>These findings provide insights for business managers and information security professionals attempting to implement ISM programs within their respective organizational settings.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>This paper fulfills a need in the information security community for a parsimonious set of objectives and practices based on the many guidelines and standards available in both academia and practice.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220810893207","type":"journal-article","created":{"date-parts":[[2008,8,16]],"date-time":"2008-08-16T07:38:32Z","timestamp":1218872312000},"page":"251-270","source":"Crossref","is-referenced-by-count":53,"title":["Information security management objectives and practices: a parsimonious framework"],"prefix":"10.1108","volume":"16","author":[{"given":"Qingxiong","family":"Ma","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Allen C.","family":"Johnston","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"J. Michael","family":"Pearson","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022032120161999200_b1","unstructured":"Avolio, F. (2000), \u201cBest practices in network security\u201d, available at: www.networkcomputing.com\/1105\/1105f2.html?ls\u2009=\u2009NCJS_1105bt (accessed February 2007)."},{"key":"key2022032120161999200_b2","unstructured":"Bachman, D. (2002), \u201cInformation systems security: principles and perspectives\u201d, Sprint E|Solutions White Paper, Overland Park, KS."},{"key":"key2022032120161999200_b3","doi-asserted-by":"crossref","unstructured":"Baskerville, R. and Siponen, M. (2002), \u201cAn information security meta\u2010policy for emergent organizations\u201d, Journal of Logistics Information Management, Vol. 15 Nos 5\/6, pp. 337\u201046.","DOI":"10.1108\/09576050210447019"},{"key":"key2022032120161999200_b4","doi-asserted-by":"crossref","unstructured":"Bell, D. and La Padula, A. (1976), Secure Computer Systems: Unified Exposition and Multics Interpretation, MITRE Corp., Bedford, MA.","DOI":"10.21236\/ADA023588"},{"key":"key2022032120161999200_b5","unstructured":"Boykin, P. (2003), \u201cPractical cryptography and internet applications\u201d, available at: www.ee.ucla.edu\/\u223cboykin\/crypto_course\/crypto_alg.ppt (accessed February 2007)."},{"key":"key2022032120161999200_b6","unstructured":"Briney, A. and Prince, F. (2002), \u201cDoes size matter?\u201d, available at: www.infosecuritymag.com\/2002\/sep\/2002survey.pdf (accessed February 2007)."},{"key":"key2022032120161999200_b7","unstructured":"Browne, P. (1979), Security: Checklist for Computer Center Self Audits, AFIPS Press, Arlington, VA."},{"key":"key2022032120161999200_b8","unstructured":"Bruce, L. (2003), \u201cInformation security \u2013 key issues and developments\u201d, available at: www.pwcglobal.com\/jm\/images\/pdf\/Information%20Security%20Risk.pdf (accessed February 2007)."},{"key":"key2022032120161999200_b9","unstructured":"Byrnes, F. and Proctor, P. (2002), \u201cInformation security must balance business objectives\u201d, available at: http:\/\/informit.com (accessed February 2007)."},{"key":"key2022032120161999200_b10","doi-asserted-by":"crossref","unstructured":"Dhillon, G. and Blackhouse, J. (2001), \u201cCurrent directions in IS security research: towards socio\u2010organizational perspectives\u201d, Information Systems Journal, Vol. 11 No. 2, pp. 127\u201053.","DOI":"10.1046\/j.1365-2575.2001.00099.x"},{"key":"key2022032120161999200_b11","doi-asserted-by":"crossref","unstructured":"Dhillon, G. and Torkzadeh, G. (2006), \u201cValue\u2010focused assessment of information system security in organizations\u201d, Information Systems Journal, Vol. 16 No. 3, pp. 293\u2010314.","DOI":"10.1111\/j.1365-2575.2006.00219.x"},{"key":"key2022032120161999200_b12","unstructured":"EarthWeb (2003), \u201cIT management\u201d, available at: http:\/\/itmanagement.webopedia.com\/TERM\/N\/nonrepudiation.html (accessed February 2007)."},{"key":"key2022032120161999200_b14","unstructured":"Filipek, R. (2007), \u201cInformation security becomes a business priority\u201d, Internal Auditor, Vol. 64 No. 1, p. 18."},{"key":"key2022032120161999200_b15","unstructured":"Hoffer, J. and Straub, D. (1989), \u201cThe 9 to 5 underground: are you policing computer crimes?\u201d, Sloan Management Review, Vol. 30 No. 4, pp. 35\u201043."},{"key":"key2022032120161999200_b16","unstructured":"Host, R. (2001), \u201cNew information security requirements for federal agencies\u201d, available at: www.sans.org\/rr\/policy\/fed.php (accessed February 2007)."},{"key":"key2022032120161999200_b37","unstructured":"Hutt, A., Bosworth, S. and Hoyt, D. (1995), Computer Security Handbook, 3rd ed., Wiley, New York, NY."},{"key":"key2022032120161999200_b17","unstructured":"Johnston, A. and Hale, R. (2007), \u201cImproved security through information security governance\u201d, Communications of the ACM, Fall (in press).."},{"key":"key2022032120161999200_b18","unstructured":"Kauffman, R. and Mohtadi, H. (2003), \u201cAnalyzing interorganizational information sharing strategies in B2B e\u2010commerce supply chains\u201d, Proceedings of INFORMS Conference on Information Systems and Technology, Atlanta, GA."},{"key":"key2022032120161999200_b19","doi-asserted-by":"crossref","unstructured":"Kinsey, J. and Ashman, S. (2000), \u201cInformation technology in the retail food industry\u201d, Technology in Society, Vol. 22 No. 1, pp. 83\u201096.","DOI":"10.1016\/S0160-791X(99)00038-X"},{"key":"key2022032120161999200_b20","unstructured":"Krauss, L. (1980), SAFE: Security Audit and Field Evaluation for Computer Facilities and Information Systems, Amacon, New York, NY."},{"key":"key2022032120161999200_b21","unstructured":"Krauss, M. and Tipton, H. (2002), Handbook of Information Security Management, CRC Press, Boca Raton, FL."},{"key":"key2022032120161999200_b22","doi-asserted-by":"crossref","unstructured":"Leiwo, J., Gamage, C. and Zheng, Y. (1999), \u201cOrganizational modeling for efficient specification of information security requirements\u201d, Advances in Databases and Information Systems: 3rd East European Conference, ADBIS'99, Maribor, pp. 247\u201060.","DOI":"10.1007\/3-540-48252-0_19"},{"key":"key2022032120161999200_b23","unstructured":"Long, C. (1999), \u201cA socio\u2010technical perspective on information security knowledge and attitudes\u201d, unpublished dissertation, The University of Texas at Austin, Austin, TX."},{"key":"key2022032120161999200_b24","doi-asserted-by":"crossref","unstructured":"Mercuri, R. (2003), \u201cStandards insecurity\u201d, Communications of the ACM, Vol. 46 No. 12, pp. 21\u20105.","DOI":"10.1145\/953460.953478"},{"key":"key2022032120161999200_b25","unstructured":"Parker, D. (2002), \u201cToward a new framework for information security\u201d, in Bosworth, S. and Kabay, M.E. (Eds), Computer Security Handbook, Wiley, New York, NY."},{"key":"key2022032120161999200_b26","doi-asserted-by":"crossref","unstructured":"Peltier, T. (2003), \u201cEstablishing business controls for electronic mail communications\u201d, Information Systems Security, Vol. 12, pp. 34\u201043.","DOI":"10.1201\/1086\/43325.12.1.20030301\/41479.6"},{"key":"key2022032120161999200_b27","doi-asserted-by":"crossref","unstructured":"Power, R. (2002), \u201c2002 CSI\/FBI computer crime and security survey\u201d, Computer Security Issues &Trends, Vol. 8 No. 1, pp. 1\u201022.","DOI":"10.1016\/S1361-3723(02)01001-1"},{"key":"key2022032120161999200_b28","unstructured":"Rannenberg, K., Pfitzmann, A. and Muller, G. (1999), \u201cIT security and multilateral security\u201d, in Muller, G. and Rannenberg, K. (Eds), Multilateral Security in Communications \u2013 Technology, Infrastructure, Economy, Addison\u2010Wesley\u2010Longman, Reading, MA."},{"key":"key2022032120161999200_b29","doi-asserted-by":"crossref","unstructured":"Rosenthal, D. (2002), \u201cIntrusion detection technology: leveraging the organization's security posture\u201d, Information Systems Management, Vol. 19 No. 1, pp. 35\u201044.","DOI":"10.1201\/1078\/43199.19.1.20020101\/31474.5"},{"key":"key2022032120161999200_b30","unstructured":"Setty, H. (2003), \u201cSystem administrator \u2013 security best practices\u201d, available at: www.sans.org\/rr\/practice\/sysadmin.php (accessed February 2007)."},{"key":"key2022032120161999200_b31","doi-asserted-by":"crossref","unstructured":"Siponen, M. (2000), \u201cA conceptual foundation for organizational information security awareness\u201d, Information Management & Computer Security, Vol. 8 No. 1, pp. 31\u201041.","DOI":"10.1108\/09685220010371394"},{"key":"key2022032120161999200_b32","doi-asserted-by":"crossref","unstructured":"Siponen, M., Baskerville, R. and Heikka, J. (2006), \u201cA design theory for secure information systems design methods\u201d, Journal of the Association for Information Systems, Vol. 7 No. 11, pp. 725\u201070.","DOI":"10.17705\/1jais.00107"},{"key":"key2022032120161999200_b33","unstructured":"Stefanek, G. (2002), Information Security Best Practices 205 Rules, Butterworth\u2010Heinemann, Boston, MA."},{"key":"key2022032120161999200_b34","doi-asserted-by":"crossref","unstructured":"Straub, D. and Welke, R. (1998), \u201cCoping with systems risk: security planning models for management decision making\u201d, MIS Quarterly, Vol. 22 No. 4, pp. 441\u201069.","DOI":"10.2307\/249551"},{"key":"key2022032120161999200_b35","unstructured":"Summers, R. (2002), Secure Computing: Threats and Safeguards, McGraw\u2010Hill, New York, NY."},{"key":"key2022032120161999200_b36","doi-asserted-by":"crossref","unstructured":"Zviran, M. and Haga, W. (1999), \u201cPassword security: an empirical study\u201d, Journal of Management Information Systems, Vol. 15 No. 4, pp. 161\u201085.","DOI":"10.1080\/07421222.1999.11518226"},{"key":"key2022032120161999200_frd1","unstructured":"Everitt, B., Landau, S. and Leese, M. (2001), Cluster Analysis, 4th ed., Edward Arnold Publishers Ltd, London."}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220810893207","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810893207\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810893207\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:06Z","timestamp":1753402146000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/16\/3\/251-270\/186602"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,7,18]]},"references-count":37,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2008,7,18]]}},"alternative-id":["10.1108\/09685220810893207"],"URL":"https:\/\/doi.org\/10.1108\/09685220810893207","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2008,7,18]]}}}