Title :
Information Security Risk Management: An Empirical Study on the Difficulties and Practices in ICT Outsourcing
Author :
Khidzir, Nik Zulkarnaen ; Mohamed, Azlinah ; Arshad, Noor Habibah Hj
Author_Institution :
Dept. of Syst. Sci., Univ. Teknol. MARA, Shah Alam, Malaysia
Abstract :
Information Communication Technology (ICT) services have become more important in today's business environment. Most organizations that do not have enough resources and expertise outsource their ICT projects to vendors. However, this strategy can also introduce risks, especially information security risks that could expose the organizational information assets directly involved with ICT services. Appropriate information security risk management (ISRM) in ICT outsourcing should be in place to facilitate efficient practices for managing information security risks in ICT outsourcing. The objective of this research is to conduct an empirical study on the relationship between difficulties and practices of ISRM in ICT outsourcing. Questionnaires were distributed to 300 private companies from various industries and government agencies in Malaysia for the study. Findings of the study show that the difficulty of the ISRM process influences its practices in ICT outsourcing. Through the findings, the strength of influence between the difficulties and practices of the information security risk management approach in ICT outsourcing projects has been discovered. The risk treatment planning task was considered the most difficult and the risk control task was considered the least difficult in the ISRM cycle. However, most organizations plan their risk treatment task, since an appropriate plan could ensure more effective information security risk management implementation. In conclusion, the difficulties of organizations' current ISRM practices for ICT outsourcing show that their current practices require review and appropriate improvement for ICT outsourcing implementation. Hence, this would encourage the development of a more comprehensible and effective approach to managing information security risk for ICT outsourcing projects.
Keywords :
outsourcing; risk management; security of data; ICT outsourcing project; ISRM process; information communication technology services; information security risk management; risk treatment planning task; Information security; Monitoring; Organizations; Outsourcing; Process control; Risk management;
Conference_Title :
Network Applications Protocols and Services (NETAPPS), 2010 Second International Conference on
Conference_Location :
Kedah
Print_ISBN :
978-1-4244-8048-7
Electronic_ISBN :
978-0-7695-4177-8
DOI :
10.1109/NETAPPS.2010.49