Top management engagement in information security : multiple-case studies of Malaysian public sector

Abstract

Organisations that rely heavily on ICT face greater challenges in protecting their information assets. Technical solutions alone cannot guarantee the security of an organisation’s information. As human is the weakest link, numerous studies on information security now incorporate human factors as part of the information security solution. As security is integral to corporate governance, top-level commitment and management roles are indispensable to forming good information security governance (ISG). Through this governance, the sustainability of information security activities in organisations could be achieved. However, due to top management’s common perception of information security as a technical and operational concern rather than a business matter, the responsibility for its implementation is often assigned solely to the information security team. This approach has led to challenges in fostering a collaborative, organisation-wide effort towards information security. Therefore, this study aims to gain clarity on the phenomenon of top management driving information security initiatives in the Malaysian government. It will examine the factors that influence their engagement in information security and seek to explore the issues related to ISG. This study employs qualitative research methodology with an inductive approach. The multiple-case study is used as a strategy to investigate the topic under study. Using purposive sampling, interviews were conducted at four (4) public sector organisations involving 27 participants. The results indicate that Regulatory Forces (External Factor), Informal Education (Personal Factor), and On-the-job Exposure (Personal Factor) are the most influential factors on top management engagement in information security. The application of the information security engagement factors led to the establishment of the research model of the study. This study proposes the extension of Malaysia’s cyber security framework (RAKKSSA) and its accompanying guidelines to demonstrate the research model’s viability. The extension focuses on top management competency, an area where the current RAKKSSA is deficient. The extended RAKKSSA improves the overall comprehensiveness of the framework. It guides all levels of government agency personnel with the essential skillsets, from governing information security initiatives to carrying out security activities within their respective organisations.