The University of Southampton
University of Southampton Institutional Repository

The viable system model for information security governance


Alqurashi, Ezzat (2015) The viable system model for information security governance. University of Southampton, Physical Sciences and Engineering, Doctoral Thesis, 164pp.

Record type: Thesis (Doctoral)

Abstract

Information security governance (ISG) has emerged as a new information security (IS) discipline and is considered one of the critical areas of research for enhancing the viability of organisations. This research proposes a viable system model (VSM) for ISG (VSMISG) and investigates its effects. The investigation involves studying the effects of the VSMISG in small, medium and large organisations facing low, medium and high security threat intensity over different time scales. This study also analyses the costs and benefits of changing from the baseline ISG model to the VSMISG.

From reviewing the literature, the VSM was identified and redefined for the context of ISG. A preliminary study was conducted to confirm the appropriateness of the VSM for ISG. This employed a questionnaire survey of eleven highly experienced IS experts and the inter-rater agreement among them was analysed. The time taken by the governance level of IS to identify strategic security crises (SSC) that affect organisations’ viability was used for the investigation in the baseline ISG model and the VSMISG. Conceptual models were designed and simulation models developed using the discrete-event simulation approach for representing the baseline ISG model and the VSMISG. The IS incident management guidance embodied in the international standard BS ISO/IEC 27035 was adopted to represent the IS operations part in the baseline ISG model and the VSMISG. The chi-square and autocorrelation tests were used to test the random number generator of the Simul8 simulation software.

This research presents a VSM for ISG whose components are rated as ‘important’ and ‘very important’, and there was fair agreement among the experts on this rating. Using the VSMISG in small, medium, and large organisations leads to swifter identification of SSC than under the baseline ISG model, enhancing organisations’ viability. Small organisations take the longest time to identify SSC, especially when the security threat intensity is high, while large organisations take the least time in all cases. The benefits of changing from the baseline ISG to the VSMISG outweigh the costs, and they are expected to be seen from early in the first year of implementation.

The VSM for ISG proves its vital role in enhancing viability at all organisation sizes. Decision makers in small organisations need to increase the number of IS staff to cut the time taken to identify SSC in order to enhance their viability. Implementing the VSMISG saves organisations a tremendous amount of money.


More information

Published date: June 2015
Organisations: University of Southampton, Electronic & Software Systems

Identifiers

Local EPrints ID: 388392
URI: https://eprints.soton.ac.uk/id/eprint/388392
PURE UUID: 81b57965-02d8-4c18-a3a4-1895ad2349e5
ORCID for Gary Wills: orcid.org/0000-0001-5771-4088

Catalogue record

Date deposited: 01 Mar 2016 12:10
Last modified: 06 Jun 2018 13:03


Contributors

Author: Ezzat Alqurashi
Thesis advisor: Gary Wills
