Abstract
The increasing dependence of businesses on information, and the changing ways in which information is used with modern IT/ICT tools and media, have created an unavoidable need for information security in organizations. Earlier, technical measures were used to fulfill this need; however, it has been realized that technology alone is unable to address the challenges of information security management (ISM) in organizations. Management and behavioral aspects are pivotal to building an ISM system in organizations. This paper attempts to understand and examine the current ISM practices of two large, global IT and management services and consulting organizations, one from India and another from Germany. In a case design, the study adopts a qualitative research route, and semi-structured interviews were conducted across the hierarchy in both organizations. Observations from the interviews are portrayed using descriptive analysis methodology. Further, to draw learning from the cases, the SAP-LAP method of inquiry was used to understand the present status of ISM practices in both organizations. Finally, the paper discusses the implications of the findings and the scope for future research.
Acknowledgments
The authors wish to thank the Deutscher Akademischer Austauschdienst (DAAD) for providing financial assistance to conduct this research study. Also, we are grateful to the interview participants for their valuable time and inputs that made this study possible.
Cite this article
Singh, A.N., Picot, A., Kranz, J. et al. Information Security Management (ISM) Practices: Lessons from Select Cases from India and Germany. Glob J Flex Syst Manag 14, 225–239 (2013). https://doi.org/10.1007/s40171-013-0047-4
DOI: https://doi.org/10.1007/s40171-013-0047-4