Engagement et pratiques des organisations en matière de gouvernance de la sécurité de l’information
Keywords:
Engagement, governance, pratices, information security, UTAUTAbstract
This article looks at the issue of information security governance. To respond to the shortcomings identified in the literature, it explores (i) the process of organizations’ engagement in the governance of information security, and (ii) the practices of the organizations involved. The statistical and econometric analysis of data from a survey conducted with one hundred and twenty large companies in Luxembourg suggests that the knowledge of organizations involved in the governance of information security or promoting this approach, the expected performance, and the effort undertaken, are potential determinants of the organizations’ engagement in the process. These results may be analyzed under the unified theory of acceptance and use of technology (UTAUT) developed by Venkatesh et al. (2003). The data from organizations also helps to draw a picture of current practices in the matter of information security governance. The major originality of the research lies in the very high participation rate (85.71%) by organizations in the study, which gives the results a strong validity in what is, moreover, an extremely sensitive and confidential field. At the theoretical level, the research improves knowledge of the two issues explored. In practice, it provides managers with feedback on current practices implemented by the organizations in the field of information security governance and draws some recommendations. These contributions may also have an impact on public policies and on institutions promoting information security governance.References
Archibugi, D., Michie, J. (1994), “Technology and Innovation: An Introduction”, Cambridge Journal of Economics, Vol. 19, n° 1, p. 1-4.
Barlette, Y. (2005), « Le facteur humain dans l'amélioration de la sécurité des informations: l'importance des directions d'entreprises », Intelligence Informationnelle (revue en ligne), http://www.revue-r3i.net/.
Barlette, Y. (2008), « Une étude des comportements liés à la sécurité des systèmes d'information en PME », Systèmes d'Information et Management, Vol. 13, n° 4, p. 7-30.
Barlette, Y. (2009), « Vers une implication et une action des dirigeants de PME dans la sécurité de leur SI », 14e Congrès de l’Association Information et Management (AIM 2009), Marrakech, Maroc, 10-12 juin.
Barlette, Y. (2011), « L'implication et l'action des dirigeants de PME dans la sécurité de leur Système d'Information », 16e Congrès de l’Association Information et Management (AIM 2011), La Réunion, 25-27 mai.
Bartlett, C.A., Ghoshal, S. (1991), Le Management sans frontières, Editions d’Organisation, Paris.
Bennasar, M., Champenois, A., Arnould, P., Rivat, T., Ballenghien, Y. (2007), Manager la sécurité du SI: Planifier, déployer, contrôler, améliorer, Dunod, Paris.
Bidan, M., Trinquecoste, J.-F. (2010), « Gouvernance et innovation à l'épreuve des technologies de l'information », Management & Avenir, Vol. 4, n° 34, p. 125-127.
Bodet, C., Lamarche, T. (2007), « La responsabilité sociale des entreprises comme innovation institutionnelle. Une lecture régulationniste », Revue de la régulation, n° 1, juin.
Boulet, P. (2007), Management de la sécurité du SI, Hermès Science Publications, Cachan.
Brotby, K. (2009), Information Security Governance, Wiley-Blackwell, Hoboken, New Jersey.
Bulgurcu, B., Cavusoglu, H., Benbasat, I. (2010), “Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness”, MIS Quarterly, Vol. 34, n° 3, p. 523-556.
Burgert, P. (2004), “Red Alert for Chief Executives: Make Cyber Security a Priority”, American Metal Market, Vol. 112, n° 17, p. 37-39.
Carpentier, J.-F. (2009), La sécurité informatique dans la petite entreprise – Etat de l’art et bonnes pratiques, Editions ENI, Saint-Herblain.
Carpentier, J.-F. (2010), La gouvernance du système d'information dans les PME - Pratiques et évolutions, Editions ENI, Saint-Herblain.
Cazier, J.A., Jensen, A.S., Dave, D.S. (2008), “The Impact of Consumer Perceptions of Information Privacy and Security Risks on the Adoption of Residual RFID Technologies”, Communications of the AIS, n° 23, p. 235-256.
Charndra, A., Calderor, T. (2005), “Challenges and Constraints to the Diffusion of Biometrics in Information Systems”, Communications of the ACM, Vol. 48, n° 12, p. 101-106.
Clusif (2010), « Menaces Informatiques et Pratiques de Sécurité en France », rapport, http://www.clusif.asso.fr/fr/production/sinistralite/docs/CLUSIF-rapport-2010.pdf.
Cohen, F. (2005), The Chief Information Security Officer's Toolkit: Governance Guidebook, Fred Cohen & Associates, Livermore, California.
Cohen, F. (2006), IT Security Governance Guidebook With Security Program Metrics, Auerbach Publishers Inc., Pennsauken, New Jersey.
Curtis, L., Edwards, C., Fraser, K.L., Gudelsky, S., Holmquist, J., Thornton, K., Sweetser, K.D. (2010), “Adoption of Social Media for Public Relations by Nonprofit Organizations”, Public Relations Review, Vol. 36, n° 1, p. 90-92.
Da Veiga, A., Eloff, J.H.P. (2007), “An Information Security Governance Framework”, Information Systems Management, Vol. 24, n° 4, p. 361-372.
Da Veiga, A., Eloff, J.H.P. (2010), “A Framework and Assessment Instrument for Information Security Culture”, Computers & Security, Vol. 29, n° 2, p. 196-207.
Dagorn, N. (2008), « Politiques en matière de sécurité des systèmes d'information inter-organisationnels : une enquête dans dix grandes entreprises », Systèmes d’Information et Management, Vol. 13, n° 2, p. 97-125.
Davenport, T. (2002), « Privilégier l'information sur la technologie », http://www.lesechos.fr/formations/manag_info/articles/article_1_1.htm.
Davidson, R., MacKinnon, J.G. (1984), “Convenient Tests for Logit and Probit Models”, Journal of Econometrics, Vol. 25, p. 241-262.
Davies, S. (1979), The Diffusion of Process Innovation, Cambridge University Press.
De Oliveira Alves, G.A., Da Costa Carmo, L.F.R., De Almeida, A.C.R.D. (2006), “Enterprise Security Governance - A practical guide to implement and control Information Security Governance”, 1st IEEE/IFIP International Workshop on Business-Driven IT Management (BDIM '06), p. 71-80.
Dhillon, G., Backhouse, J. (2001), “Current Directions in IS Security Research: Towards Socio-Organizational Perspectives”, Information Systems Journal, n° 11, p. 127-153.
Dhillon, G., Tejay, G., Hong, W. (2007), “Identifying Governance Dimensions to Evaluate Information Systems Security in Organizations”, 40th Hawaii International Conference on System Sciences.
Dlamini, M.T., Eloff, J.H.P., Eloff, M.M. (2009), “Information Security: The Moving Target”, Computers & Security, n° 28, p. 189-198.
Donaldson, W.H. (2005), “U.S. Capital Markets in the post-Sarbanes-Oxley World: Why our Markets should Matter to Foreign Issuers”, report, U.S. Securities and Exchange Commission, London School of Economics and Political Science.
Dong-Hee, S. (2010), “Ubiquitous Computing Acceptance Model: End User Concern about Security, Privacy and Risk”, International Journal of Mobile Communications, Vol. 8, n° 2, p. 169-186.
Eisenhardt, K.M. (1989), “Building Theories from Case Study Research”, Academy of Management Review, Vol. 14, n° 532, p. 57-74.
Eloff, J.H.P., Eloff, M.M. (2005), “Integrated Information Security Architecture”, Computer Fraud and Security, n° 11, p. 10-16.
Fernandez-Toro, A. (2009), Management de la sécurité de l'information : Implémentation ISO 27001 - Mise en place d'un SMSI et audit de certification, Eyrolles, Paris, 2e édition.
Flowerday, S., Von Solms, R. (2006), “Trust: An Element of Information Security, Security and Privacy in Dynamic Environments”, Information Security Conference (IFIP/SEC 2005), Chiba, Japan, 30 May-1 June 2005; Kluwer Academic Publishers, Boston, 2006, p. 87-97.
Garigue, R., Stefaniu, M. (2003), “Information Security Governance Reporting”, Information Systems Security, Vol. 12, n° 4, p. 36-40.
Gonzalez, G., Sharma, P.N, Galletta, D. (2011), "The Antecedents of Internal Auditors' Adoption of Continuous Auditing Technology: Exploring UTAUT in an Organizational Context", 7th University of Waterloo Research Symposium on Information Integrity and Information Systems Assurance, Toronto, Canada.
Goodhue, D.L., Straub, D.W. (1991), “Security Concerns of Systems Users: A Study of Perceptions of the Adequacy of Security Measures”, Information and Management, Vol. 20, n° 1, p. 13-27.
Gupta, A., Hammond, R. (2005), “Information Systems Security Issues and Decisions for Small Businesses: An Empirical Examination”, Information Management and Computer Security, Vol. 13, n° 4, p. 297-310.
Herath, T., Herath, H., Bremser, W.G. (2010), “Balanced Scorecard Implementation of Security Strategies: A Framework for IT Security Performance Management”, Information Systems Management, Vol. 27, n° 1, p. 72-81.
Herath, T.C, Rao, H.R. (2009), “Encouraging Information Security Behaviors in Organizations: Role of Penalties, Pressures, and Perceived Effectiveness”, Decision Support Systems, Vol. 47, n° 2, p. 154–165.
Hildreth, P., Kimble, C. (2002), “The Duality of Knowledge”, Information Research, Vol. 8, n° 1, p. 1-27, http://informationr.net/ir/8-1/paper142.html.
Humphreys, E. (2008) “Information Security Management Standards: Compliance, Governance and Risk Management”, Information Security Technological Report, Vol. 13, n° 4, p. 247-255.
IT Governance Institute (2006), Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Publishing, Cambridgeshire, 2e édition.
IT Governance Institute, http://www.itgi.org/.
Johnston, A.C., Hale, R. (2009), “Improved Security through Information Security Governance”, Communications of the ACM, Vol. 52, n° 1, p. 126-129.
Karat, J., Karat, C.-M., Bertino, E., Li, N., Ni, Q., Brodie, C., Lobo, J., Calo, S.B., Cranor, L.F., Kumaraguru, P., Reeder, R.W. (2009), “Policy Framework for Security and Privacy Management”, IBM Journal of Research & Development, Vol. 53, n° 2, p. 1-14.
Kesh, S., Ratnasingam, P. (2007), “A Knowledge Architecture for IT Security”, Communications of the ACM, Vol. 50, n° 7, p. 103-108.
Klai, A. (2010), “Overview of the State and Trends in the Contemporary Information Security Policy and Information Security Management Methodologies”, MIPRO 2010, May 24-28, Opatija, Croatia, p. 1203-1208.
Knapp, K.J., Marshall, T.E., Rainer, R.K., Ford, F.N. (2006), “Information Security: Management's Effect on Culture and Policy”, Information Management and Computer Security, Vol. 14, n° 16, p. 24-36.
Knapp, K.J., Morris, R.F., Marshall, T.E., Byrd, T.A. (2009), “Information Security Policy: An Organizational-Level Process Model”, Computers & Security, n° 28, p. 493-508.
Kotulic, A., Clark, J.G. (2004), “Why there aren't more Information Security Research Studies”, Information and Management, Vol. 41, n° 5, p. 597-607.
Kraemer, S., Carayon, P., Clem, J. (2009), “Human and Organizational Factors in Computer and Information Security: Pathways to Vulnerabilities”, Computers & Security, n° 28, p. 509-552.
Krjukovs, D., Strauss, R. (2009), “Information Security Governance as as Key Performance Indicator for Financial Institutions”, Computer Sciences, n° 38, January, p. 161-167.
Markus, M.L. (1983), “Power, Politics, and MIS Implementation”, Communications of the ACM, Vol. 26, n° 6, p. 430-444.
Martin, L., Poussing, N. (2007), « Adoption et usages des Technologies de l'Information et de la Communication dans les entreprises de la branche des activités financières », CEPS/Instead, Economie et Entreprises, n° 08.
Martin, L., Poussing, N. (2008a), « Les déterminants de l'adoption électronique par les entreprises: une analyse empirique sur données luxembourgeoises », CEPS/Instead, Enterprises Working Papers, n° 2008-03.
Martin, L., Poussing, N. (2008b), “The Make-or-Buy Decision in ICT Services: Evidence from Luxembourg”, CEPS/Instead, Enterprises Working Papers, n° 2008-06
Mitchell, R.C., Marcella, R., Baxter, G. (1999), “Corporate Information Security Management”, New Library World, Vol. 100, n° 1150, p. 213-227.
Monnoyer, M.C. (2003), « Le dirigeant confronté à la decision d'investissement en TIC », in TIC et PME : des usages aux stratégies, M. Boutary (Ed), L'Harmattan, Paris.
Morimune, K. (1979), “Comparisons of Normal and Logistic Models in the Bivariate Dichitomous Analysis”, Econometrica, Vol. 47, p. 957-975.
Moulton, R., Coles, R.S. (2003), “Applying Information Security Governance”, Computers & Security, Vol. 22, n° 7, p. 580-584.
Posthumus, S., Von Solms, R. (2004), “A Framework for the Governance of Information Security”, Computers & Security, Vol. 23, n° 8, December, p. 638-646.
Pougnet-Rozan, S. (2005), « Entre mirage conceptuel et réalités managériales : quand des exigences de performance économique conduisent à des pratiques de responsabilité sociale… ou vice versé ? », 16e Congrès de l’Association francophone de Gestion des Ressources Humaines (AGRH 2005), Paris Dauphine, 15-16 septembre.
Reix, R. (2004), Systèmes d'information et management des organizations, Vuibert, Paris, 5e édition.
Rockart, J.F., Crescenzi, A.D. (1984), “Engaging Top Management in Information Technology”, Sloan Management Review, Vol. 25, n° 4, p. 3-16.
Sapir, J. (2005), Quelle économie pour le XXIe siècle?, Odile Jacob, Paris.
Schou, C., Schoemaker, D.P. (2006), Information Assurance for the Enterprise: A Roadmap to Information Security, McGraw Hill, New York.
Shi-Ming, H., Chia-Ling, L., Ai-Chin, K. (2006), “Balancing Performance Measures for Information Security Management”, Industrial Management & Data Systems, Vol. 106, n° 2, p. 242-255.
Shuchih, E.C., Chienta, B.H. (2006), “Organizational Factors to the Effectiveness of Implementing Information Security Management”, Industrial Management & Data Systems, Vol. 106, n° 3, p. 345-361.
Siponen, M.T.A., Willison, R., Baskerville, R. (2008), Power and Practice in Information Systems Security Research, 29th International Conference on Information Systems (ICIS 2008), Paris, p. 13-21.
Storck, J., Hill, P.A. (2000), “Knowledge Diffusion Through Strategic Communities”, in Knowledge and Communities, E.L. Lesser, M.A. Fontaine and J.A. Sulsher (Eds), Butterworth Heinemann, Oxford, p. 63-74.
Straub, D.W., Welke, R.J. (1998), “Coping with Systems Risk: Security Planning Models for Management Decision Making”, MIS Quarterly, Vol. 22, n° 4, p. 441-469.
Teufel, S. (2003), “Information Security Management: State of the Art and Future Trends”, Information Security South Africa Conference (ISSA 2003), Johannesburg, South Africa, July.
Theys, J. (2003), « La Gouvernance, entre innovation et impuissance : le cas de l’environnement », Développement durable et territoires, Dossier n° 2 : Gouvernance locale et développement durable, http://developpementdurable.revues.org/index1523.html.
Thurstone, L. (1927), “A Law of Comparative Judgment”, Psychological Review, Vol. 34, p. 273–286.
Trompeter, C.M., Eloff, J.H.P. (2001), “A Framework for the Implementation of SocioEthical COntrols in Information Security”, Computers & Security, Vol. 20, n° 5, p. 384-391.
Tudor, J.K. (2000), Information Security Architecture : An Integrated Approach to Security in an Organisation, Auerbach Publishers, Pennsauken, New Jersey.
Tudor, J.K. (2006), Information Security Architecture: An Integrated Approach to Security in an Organisation, 2nd edition, Auerbach Publishers, Pennsauken, New Jersey.
Van Arnum, P. (2004), “Information Technology Insights: Cyber Security Ushers IT Into Corporate Governance Practices”, Chemical Market Reporter, Vol. 265, n° 17, p. 17-18.
Van Niekerk, J. F., Von Solms, R. (2010), “Information Security Culture: A Management Perspective”, Computers & Security, Vol. 29, n° 4, p. 476-486.
Venkatesh, V., Morris, G.M, Davis, B.G, Davis, D.F (2003), “User Acceptance of Information Technology: Toward a Unified View”, MIS Quarterly, Vol. 27, n° 3, p. 425-478.
Vermeulen, C., Von Solms, R. (2002), “The Information Security Management Toolbox: Taking the Pain out of Security Management”, Information Management & Computer Security, Vol. 10, n° 3, p. 119-125.
Von Solms, R. (1997), “Driving Safely on the Information Superhighway”, Information Management & Computer Security, Vol. 5, n° 1, p. 20-22.
Von Solms, R., Von Solms, S.H. (2006a), “Information Security Governance: A Model based on the Direct–Control Cycle”, Computers & Security, Vol. 25, n° 6, p. 408-412.
Von Solms, R., Von Solms, S.H. (2006b), “Information Security Governance: Due Care”, Computers & Security, Vol. 25, n° 7, p. 494-497.
Von Solms, S.H. (2000), “Information Security – The Third Wave”, Computers & Security, Vol. 19, n° 7, p. 615-620.
Von Solms, S.H. (2005a), “Information Security Governance: COBIT or ISO 17799 or Both?”, Computers & Security, Vol. 24, n° 2, p. 99-104.
Von Solms, S.H. (2005b), “Information Security Governance: Compliance Management vs Operational Management”, Computers & Security, Vol. 24, n° 6, p. 443-447.
Von Solms, S.H. (2006), “Information Security – The Fourth Wave”, Computers & Security, Vol. 25, n° 3, p. 165-168.
Von Solms, S.H., Von Solms, R. (2004), “The 10 Deadly Sins of Information Security Management”, Computers & Security, Vol. 23, n° 5, p. 371-376.
Von Solms, S.H., Von Solms, R. (2005), “From Information Security to…Business Security?”, Computers & Security, Vol. 24, n° 4, p. 271-273.
Von Solms, S.H., Von Solms, R. (2010), Information Security Governance, Springer-Verlag, New York.
Vroom, C., Von Solms, R. (2004), “Towards Information Security Behavioural Compliance”, Computers & Security, Vol. 23, n° 3, p. 191-198.
Waddock, S.A., Graves, S.B. (1997), “Corporate Social Performance-Financial Performance link”, Strategic Management Journal, Vol. 18, n° 4, p. 303-319.
Warkentin, M., Johnston, A.C. (2006), “IT Governance and Organizational Design for Security Management”, Chapter 3 in Information Security Policies and Practices, R. Baskerville, S. Goodman and D.W. Straub (Eds), M.E. Sharpe, New York.
Williams, P. (2001), “Information Security Governance”, Information Security Technical Report, Vol. 6, n° 3, p. 60-70.
Williams, P. (2007), “Executive and Board Roles in Information Security”, Network Security, n° 8, p. 11-14.
Wu, I.-L., Chuang, C.-H. (2009), “Analyzing Contextual Antecedents for the Stage-Based Diffusion of Electronic Supply Chain Management”, Electronic Commerce Research & Applications, Vol. 8, n° 6, p. 302-314.
Wu, Y.A., Saunders, C.S. (2011), “Governing Information Security: Governance Domains and Decision Rights Allocation Patterns”, Information Resources Management Journal, Vol. 24, n° 1, p. 28-45.
Zhou, T. (2011), “Understanding Mobile Internet Continuance Usage from the Perspectives of UTAUT and Flow”, Information Development, Vol. 27, n° 3, p. 207-218.
Published
How to Cite
Issue
Section
License
The author bears the responsibility for checking whether material submitted is subject to copyright or ownership rights (e.g. figures, tables, photographs, illustrations, trade literature and data). The author will need to obtain permission to reproduce any such items, and include these permissions with their final submission.
It is our policy to ask all contributors to transfer for free the copyright in their contribution to the journal owner. There are two broad reasons for this:
- ownership of copyright by the journal owner facilitates international protection against infringement of copyright, libel or plagiarism;
- it also ensures that requests by third parties to reprint or reproduce a contribution, or part of it, in either print or electronic form, are handled efficiently in accordance with our general policy which encourages dissemination of knowledge within the framework of copyright.
In conformity with the French law, the author keeps the 'moral rights' related to the article:
- The 'authorship right': It is the author's right to have his name associated with each publication and exploitation of the article.
- The 'integrity right': It can be claimed by the author if he finds that during an exploitation, his work has been distorted (cutting, reassembly...).
