Introduction
Information security is usually seen as the responsibility of the IT department, because it is regarded as a "techy" subject (Solms, 2001; Gordon & Loeb, 2002; ISACA, 2009). This view is undeserved, because the scope of security is broader than IT alone (Solms, 2005). Some organizations find it hard to cope with rapidly changing threats on the one hand and new business demands on the other (ISACA, 2009). Enterprise-focused frameworks for operationalizing IT so that it aligns with business goals appear to fail the medium enterprise segment (Kluge & Sambasivam, 2008). This mid-market segment, organizations with 100 to 2,500 systems, is increasingly subject to cyber threats (Day, 2009) and lacks sufficient knowledge about attainable interventions for becoming security compliant (Kluge & Sambasivam, 2008) (Figure 1). The problem of insufficient knowledge about security interventions in this segment, combined with the increase in security incidents, led to the main research question: What set of interventions, based on a best-practice maturity model, can be applied to enhance the maturity level of business security within mid-market organizations?
Figure 1. Research market segmentation
Various studies (Day, 2009; May, 2003; Eloff, 2003; Moorsel, 2009; ITGI, 2008) present many interventions that contribute to raising an organization's security maturity level. However, the interventions that are essential to have in place, and that are actually effective and easy to implement for mid-market organizations, have not yet been studied. This led to a scientific approach of selecting, comparing, validating and presenting effective and easy-to-implement interventions that increase business information security, i.e. a core set of interventions. The data for this research was collected during the first two quarters of 2010 in the Netherlands.
Since the introduction of strict laws and legislation, the emphasis on the integrity, confidentiality and availability of information systems has increased (NOREA, 2004). Not only multinationals and large organizations but also mid-market organizations strive to implement IT governance. Stricter compliance regulations such as Sarbanes-Oxley force organizations to comply and to use IT governance frameworks such as COBIT. Various authors (Solms, 2001) argue that information security, the discipline responsible for protecting a company's information assets against information security risks, has become such a crucial component of good corporate governance that it should rather be called business security instead of information security.