An information security governance framework for the organisations in the kingdom of Saudi Arabia
University of Southampton
Gashgari, Ghada Abdalaziz A
November 2019
Wills, Gary
Gashgari, Ghada Abdalaziz A (2019) An information security governance framework for the organisations in the kingdom of Saudi Arabia. University of Southampton, Doctoral Thesis, 248pp.
Record type: Thesis (Doctoral)
Abstract
Due to the ever-changing threats to the confidentiality, integrity and availability of information in an organisation, information security should be addressed from the highest level of the organisation and regarded as a governance challenge that needs effective direction and control. Consequently, information security governance has become essential for organisations to ensure objectives are achieved, risks are managed appropriately, and resources are used responsibly. Although organisations in the Kingdom of Saudi Arabia acknowledge the importance of governing information security for their ability to survive and thrive, there is inadequate implementation of information security governance in the majority of organisations. The absence of the crucial practices for the successful implementation of information security governance highlights the need to investigate the critical success factors for such implementation in Saudi Arabian organisations. Therefore, this research has developed a framework to support the implementation of information security governance and the Kingdom of Saudi Arabia’s vision of a thriving economy for 2030. The factors in this framework were identified by reviewing the literature as well as industrial best practice frameworks. Based on the review conducted, the proposed framework was developed to understand the practices required to direct and control information security within the governance areas for the organisations to survive and thrive. Once the framework was developed, it was reviewed by interviewing 15 information security governance experts from the Kingdom of Saudi Arabia. After updating the framework according to their recommendations, the framework was confirmed by distributing a questionnaire to 33 practitioners from Saudi organisations. The findings revealed that the factors were statistically significant.
Derived from the confirmed framework, an information security governance maturity assessment instrument was developed to measure the maturity level of information security governance implementation in organisations. The instrument was developed by using the Goal Question Metrics approach, after which the instrument content was validated by using the Content Validity Ratio. Subsequently, case studies were conducted in four Saudi organisations in order to evaluate the practicality of the developed instrument. The instrument was used to assess the maturity status of information security governance in Saudi organisations that have started governing their information security as a part of their corporate governance. Afterwards, the practicality of the instrument was evaluated through a questionnaire that was distributed to the committee members who used the instrument and through interviews with the Information Security directors. The findings validate a good level of practicality for the instrument in measuring the maturity of information security governance. This thesis presents a detailed discussion on the development and validation of the information security governance framework and the information security governance maturity assessment instrument.
Text: Final Submission Thesis. Restricted to Repository staff only until 20 April 2025.
Text: Permission to deposit thesis - form. Restricted to Repository staff only.
More information
Published date: November 2019
Identifiers
Local EPrints ID: 447759
URI: http://eprints.soton.ac.uk/id/eprint/447759
PURE UUID: 428a4430-d3d5-41f4-a940-eccb4c22134b
Catalogue record
Date deposited: 19 Mar 2021 17:33
Last modified: 17 Mar 2024 02:43
Contributors
Author: Ghada Abdalaziz A Gashgari
Thesis advisor: Gary Wills