| This study examined factors that influence organizational effectiveness in protecting information resources. Organizations are subject to vulnerabilities in the technologies they rely on to electronically process and store information. A series of models were developed to facilitate the analysis of the information security management activities that are performed with the intent of protecting information. This included an examination of the skills and qualifications of the information security officer, determination of the level of maturity of the information security program, an assessment of organizational perceptions of the importance of information to the business, and an estimation of the effectiveness of information protection as measured by information security incident and loss experience.; A survey was conducted of 127 companies in a variety of industries including Banking, Financial Services, Healthcare, Manufacturing, Pharmaceutical, and IT. Surveys were completed by as many as 3 participants from each company, and a total of 326 individuals participated. A series of case vignettes was performed that provided a more detailed evaluation of the survey responses of 10 of the companies within the sample.; The study demonstrated that organizations with higher qualified (as defined in the study) information security officers tend to have relatively higher levels of maturity of the information security program and, as a result, are more effective in protecting information. Criteria for higher levels of maturity were identify and compared to overall effectiveness with respect to information protection. The results of the study suggest that organizations should ensure that a qualified information security officer is in place and provide sufficient support and resources to enable the development of a sound information security program in order to minimize losses associated with breaches of information. This relationship is explored in detail in this study. |
