JIS Senior Editors' Blog

Journal of Information Systems

    blog entry posted February 25, 2016 by Roger S Debreceny, last edited February 26, 2016, tagged research 
    Overview of JIS paper: SECURQUAL: An Instrument for Evaluating the Effectiveness of Enterprise Information Security Programs

    A forthcoming paper from Paul John Steinbart, Robyn L. Raschke, Graham Gal, and William N. Dilla is entitled "SECURQUAL: An Instrument for Evaluating the Effectiveness of Enterprise Information Security Programs." doi: http://dx.doi.org/10.2308/isys-51257

    Research on information security has been hampered by the scarcity of objective data concerning the effectiveness of organizations' information security efforts. This study develops a multi-dimensional instrument based on the COBIT v4.1 Maturity Model rubrics. With the cooperation and support of the IMTA section of the AICPA, we collected four security outcome measures from 71 companies: the number of noncompliance-with-security-policy issues serious enough to be brought to the attention of the Board of Directors, the number of security-related internal control weaknesses reported to the Board, the number of attacks capable of causing serious harm that were detected and stopped before causing harm, and the number of attacks that did cause serious harm. We demonstrate that the instrument, SECURQUAL, is a reliable surrogate for measuring the effectiveness of an organization's information security program.

    One desirable feature of SECURQUAL is its parsimony. It contains questions about only 18 of the COBIT v4.1 Maturity Model rubrics. Further, the instrument uses only one Likert-type question with a five-point response scale to measure each of those topics. Thus, it should be a useful tool for both researchers and practitioners to assess the overall effectiveness of an organization's information security.