Is Information Security Under Control?: Investigating Quality in Information Security Management

Over the past decade, organizations have sought to become more efficient and productive by adopting information and communication technologies. Organizations are consequently more aware of information security risks and the need to take appropriate action. Previous studies of organizations´ use of information security controls have focused on the presence or absence of controls, rather than their quality. We designed and conducted a survey as an initial step toward meeting this challenge. To do this, we benchmarked how organizations manage information security by implementating various controls. Although security surveys are nothing new, our method aims to uncover specific details of control implementation and focus on implementation quality. With a more precise understanding of current practices, information security management can begin to properly pursue effective strategies to improve quality and lower risk