CHAPTER 4

FINDINGS AND DISCUSSIONS

4.1 INTRODUCTION
The research study was completed using three methodologies in three Phases, as presented in the previous Chapter. This Chapter presents the findings and the discussions based on data analysis and results in a Phase-wise manner, mainly in three sections: findings from Phase I (objectives 1 and 2) in section 4.2, findings from Phase II (objective 3) in section 4.3, and findings from Phase III (objective 4) in section 4.4. These three sections are further divided into sub-sections. After a brief Introduction in section 4.1, section 4.2 elaborates the discussion based on results obtained from the SAP-LAP model based study, section 4.3 elaborates the discussion based on results obtained from the PLS-based SEM approach, and section 4.4 presents the discussion based on the case study approach used to develop cases on two IT companies. The Conclusions and Summary of the research findings from each phase of the study are presented in Chapter 5, and the Limitations and Future Scope of Work of the research in Chapter 6.

4.1 FINDINGS FROM PHASE I


In the first Phase of the study, the subject area of information security at the organizational level was explored in depth from various sources in the literature, across its multiple aspects and dimensions. A systematic, in-depth literature review was carried out to gain maturity and command of the research area of information security in Indian organizations. Based on the research gaps and objective 1 of the study, the following sub-sections present issues related to policy implementation in organizations, the IS policy and its elements, and information security governance issues. The later part of the section presents a discussion of the SAP-LAP matrices based model assessment of ISP in Indian organizations, describing the situation, actors and processes for implementing an effective information security policy. Based on the SAP components, the Learning, Action required and Performance (the LAP components) are highlighted and further synthesized.

Rashmi Anand, University of Lucknow 1


4.2 Study of Information Security: Select Issues
During the literature review, the relevant research areas and the context of information security policy implementation at the organizational level were studied; a summary is reported in the following sub-sections.

4.2.1 Information Security: Organizational Perspective


An organization should first identify its business objectives and then its security objectives: confidentiality, where data and information assets must be confined to the people authorized to access them and not disclosed to others; integrity, keeping data intact, complete and accurate and IT systems operational; and availability, ensuring that information is at the disposal of authorized users when needed. Additionally, it should focus on an authority and access control policy and on human factors such as security awareness sessions and the responsibilities, rights and duties of personnel. From an infrastructural point of view, the policy should cover the virus protection procedure, intrusion detection procedure, remote work procedure, technical guidelines, audit, employee requirements, consequences for non-compliance, disciplinary actions, terminated employees, physical security of IT, references to supporting documents and so on.

Many studies support the need to study information security policy, though in differing research contexts. These studies give sometimes particular and sometimes general definitions of information security. In general, information security is defined as the protection of data owned by an organization or individual from threats or risk. On the aspect of quality as a parameter, according to the Merriam-Webster Dictionary, security in general is the quality or state of being secure, that is, free from harm. Schneier (2003) considered that information security is about preventing adverse consequences from the intentional and unwarranted actions of others. The objective of security is therefore to build protection against those who would do damage, intentional or otherwise. According to Whitman and Mattord (2005), information security is the protection of information and its critical elements, including the systems and hardware that use, store and transmit that information. Information security is the collection of technologies, standards, policies and management practices that are applied to information to keep it secure.



On the aspect of safety, information security performs several important functions for an organization, enabling the safe operation of applications implemented on the organization's IT systems. To protect its data, the organization installs appropriate software such as antivirus and other protective applications. Besides the data, the installed applications themselves also need to be protected, because a compromised application can contribute to information loss or damage.

The literature review also found many studies supporting the view that if information is left unprotected, it can be accessed by anyone; this is a major threat to an organization and can harm it significantly. In addition, the literature indicated that the steps taken to protect an organization's information are also a matter of maintaining privacy and help prevent identity theft. Information is therefore an important business asset, essential to the business, and needs appropriate protection through a standard practice or guidelines in the form of an ISP. This is especially important in an increasingly interconnected business environment, in which information is exposed to a growing number and a wider variety of threats and vulnerabilities. Causes of damage such as malicious code, computer hacking and denial of service attacks have become more common, more ambitious and more sophisticated.

Based on these information security concerns, implementing a policy is an important aspect and can protect an organization from information loss and threats. Factors such as the roles and responsibilities of top management and its commitment play vital roles in maintaining and operating security so as to minimize the various types of security risk to a large extent. By implementing an information security policy, an organization can protect the technology assets in use. In terms of protecting the functionality of the organization, both general management and IT management are responsible for implementing an information security policy that protects the organization's ability to operate. Policy implementation thus plays a very important role in this regard.



4.2.2 Information Security Policy and Its Elements
In many studies, an Information Security Policy (ISP) is seen as a set of rules enacted by an organization to ensure that all users and networks of the IT structure within the organization's domain abide by its prescriptions regarding the security of data stored digitally within the boundaries over which the organization exercises its authority. Such ISP elements include security standards, guidelines, team members and a security architecture repository, which affect organizational security controls and objectives, as shown in Figure 4.1.

Figure 4.1: Information Security Policy Elements


Decision makers and actors such as the Chief Information Security Officer (CISO) and Chief Information Officer (CIO) are found to have a vital role and responsibility in this regard. Additionally, the elements of an information security policy include important aspects on which the organization should focus, such as clear identification and selection of the policy scope.

4.2.3 Information Policy Issues in Indian Organizations


Information policy is seen as an important set of directions to be followed by employees at all levels, from top management downwards. The current era of digital governance is often referred to as the "information age".



The confidentiality, integrity and availability of information, in all its forms, are critical to the ongoing functioning and good governance of Indian organizations. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for organizations to recover. An information security policy outlines the organization's approach to information security management.

Very few studies were found on policy orientation in information policy implementation in the context of Indian sector organizations and companies. Organizations are found committed to implementing a security policy using the management approach designed in the ISMS framework. Information security aims to ensure the appropriate confidentiality, integrity and availability of the organization's data. The basic IS principles defined in the policy are applied to all physical and electronic information assets for which the organization is responsible.

4.2.4 ISP: Governance Issues


Information management is an essential part of information security based governance in an organization, and IS based governance is in turn a cornerstone of corporate governance. An integral part of IS governance is information security, in particular that pertaining to personal information. However, many organizations do not have a clear policy for information security management. A policy template addresses this by stating the information security objectives and strategy and by defining the roles and responsibilities of top management for ensuring security in its many aspects. Core principles of information security management, as defined in ISO/IEC 27001, are adapted to the local situation for the following areas: risk assessment, organizing information security, asset management, human resources security, physical security, communications and operations management, access control, system development and maintenance, information security incident management, business continuity management and compliance.

Of all the elements defined under the Information Security Strategic Framework (shown in Figure 4.2), governance is an important one and plays a major role, as controls must be built into the system to safeguard it. This rarely happens, perhaps because the field is growing at a phenomenal speed and it is impossible to comprehend all the security issues at the beginning and provide for them, since a breach may happen from any side, anywhere and at any time.

Therefore, in view of the above, information security governance (ISG) should support the following functions and alignments:
a) Strategic Alignment
a. Security requirements driven by organizational requirements
b. Security solutions fit for enterprise processes
b) Value delivery
a. A standard set of security practices (baseline security following best practices)
b. Complete solutions covering organization and process as well as technology
c. A continuous improvement culture

Figure 4.2: Information Security Strategic Framework



The foundation for this best practice is ISO/IEC 27001 and ISO/IEC 27002, condensed to a manageable and applicable level. Information (data) security, cyber security and IT security all usually refer to the protection of computer systems and information assets by suitable controls. Such controls may include policies, processes, procedures, organizational structures, and software and hardware functions. The type and extent of controls depends on the scope and maturity of the business function (usually the security department) applying the controls, or on the specialization of the team, such as perimeter, firewall or identity management.

Figure 4.3: Information Security Governance Framework for Organizations


(Source: IT Governance Institute & Official website of ISACA)

One important aspect explored is the legal framework and compliance regime, which holds top management responsible for information security. Information security governance thus becomes an important boardroom function. Figure 4.3 shows the various actors (senior management, steering committee, executive management, CISO) who interact with the processes of business strategy and risk management to meet the business objectives. The interaction involves strategic inputs, and the benefits of ISG are most apparent as the framework for those business functions that have a valid interest in information protection.

4.2.5 Development of SAP-LAP Model


This sub-section identifies the broad SAP-LAP components used to present the situation on information security and policy related matters in Indian organizations. Based on these SAP components, the LAP components are synthesized at the later stage of case development. From the literature review, a good understanding of information security, policy and ISMS practices in support of governance was gained; information security standards were reviewed for the same purpose and, at the same time, an in-depth understanding of ISO 27001 was developed. The SAP-LAP model uses interpretive matrices (Sushil, 1997, 2000, 2001, 2009) in which the qualitative information collected is converted into matrices, which can help in programme planning (Warfield, 1974). A matrices based model is then created as a guiding framework to develop linkages between the SAP-LAP components. The later part of the study highlights the LAP components, discusses the interaction between the SAP and LAP components, and presents the various challenges of information security policy implementation in Indian organizations.

4.2.5.1 SAP Context


The SAP context comprises three components: Situation, Actor and Process. In recent years, information and its implementation have been perceived as sensitive elements in support of comprehensive IT policy framing and governance, and this applies with particular relevance to Indian organizations. Almost all types of organizations, from governmental, non-profit, private and public utility bodies to small enterprises, are influenced by e-governance related activities, where security is an issue. Actors are involved as decision makers supporting policy implementation in organizations. Since information policies serve as directional guidelines and form part of the ISO standards, the situation also includes a select overview of the ISO family of standards applicable to Indian organizations.

On one side, ISP implementation assists in securing organizations from existing threats and breaches, while on the other side it ensures the smooth implementation of governance processes.



These processes are driven by following and implementing security standards. Various security standards assist ISP implementation; the series of ISO standards is presented in Figure 4.4, where ISO 27001 requirements are drawn from various other standards in the family.

Figure 4.4: Interrelations within the ISO 27k family of standards (Georg Disterer, 2013)

Therefore, the complete situation presented in this part of the study, to meet objective 1, includes the situation on information security, cyber security issues, threats, breach incidents, policy, standards and practices, and an approach to managing them in Indian organizations.

With the increasing dependence of businesses on secured information systems, it has become pivotal for organizations to protect their critical information assets against misuse. Over the years, technical advancements have on one hand enabled organizations to process their business information faster and more effectively and efficiently, while on the other hand posing serious security threats and challenges. A global survey found that in 46 per cent of cases companies indicated that their annual investment in information security had increased (Ernst & Young, 2010). The same survey reports that 60 per cent of respondents perceive that the use of social networking, cloud computing, smart phones and other personal devices in enterprises has increased the level of risk they face. In such a challenging situation, organizations need to be prepared with the latest technological solutions. However, technology alone is not sufficient to handle such challenges in Indian organizations; organizations need a balanced mix of technical, management and behavioral aspects to overcome them (Ashenden, 2008; Werlinger, Hawkey & Beznosov, 2009).

In view of the SAP context, a qualitative approach and analysis is used in which critical questions are framed separately for each of the SAP and LAP components. These questions are framed on the basis of the author's intuitive approach and the confidence built up through understanding the study from the literature review and from feedback received from various stakeholders, professionals, trainers, certification bodies and IT sector organizations. The components are presented here. Based on the following questions, the Situation, the various Actors and the Processes involved in ISP implementation in organizations are presented.

4.2.5.2 Situation: Information Security Concern in Organizations


This section presents the scope of the situation and its selection for the SAP and LAP analysis. The following points are selected as the situation.

An example of the use of an information security policy in an organization might be a data storage facility that stores database records. These records are sensitive and cannot be shared outside the organization, under penalty of law, with any unauthorized recipient, whether a real person or another device. To protect this, the organization's information security policy should be enabled within the software that the facility uses to manage the data it is responsible for. In addition, employees and third party workers and vendors would generally be contractually bound to comply with such a policy and would have to have sight of it before operating the data management software.

As ISP implementation is influenced by breaches, the existence of a policy, the review mechanism and governance support, the following are selected in view of these:

• Select situation on Threats and Breaches: The organizational situation in which any information security breach incident affects the productivity of the organization and ultimately leads to serious problems such as financial loss, productivity loss, loss of clients and loss of reputation (S1) is selected as the first part of the situation.



• Select situation on Policy Implementation: To avoid such threats there must be guidelines in the form of an information security policy, which should also cover the roles and responsibilities of employees, vendors and third party contractors (S2). Coverage of roles and employee responsibilities is selected as the second part of the complete situation.
• Select situation on Policy Review Mechanism: There should be a clause on the policy review mechanism (S3).
• Select situation on Information Governance: There should exist a governance framework for the proper implementation of the ISP (S4).

The organizations selected within the scope of the study are classified on the basis of their typical characteristics as Indian organizations, their size and their type. In order to synthesize the complete Situation, the following set of critical questions was asked of various experts from Indian organizations.
• CQ1: Does the organization have an IS policy? If yes, is it specific or part of the IT policy?
• CQ2: Does the IS policy specify the roles and responsibilities of employees (e.g. accountability)?
• CQ3: Is the organization's IS policy regularly reviewed for effectiveness and completeness? If yes, by whom, and what is the procedure?
• CQ4: Does the organization have an IS policy for contractors or third party vendors?

As mentioned above, the situation of ISP implementation and governance, both sub-sets of the situation, supports the various actors and decision makers along with employee engagement towards policy implementation, and also contributes to the performance of organizations; all of these are considered in the four dimensions of the complete situation. The sub-parts of the dimensional situation considered and represented in the case are (S1), (S2), (S3) and (S4), and the complete Situation is represented by the symbol S, where S = {S1, S2, S3, S4}. These sub-sets of the Situation apply to a typical organization with Indian characteristics, together with the complete Situation (S) as indicated above.



All four dimensions of the Situation are considered as one single situation, which can be represented in mathematical notation as S = {S1, S2, S3, S4}. To meet the research objective of studying the ISP, the complete situation (S), i.e. the set of all sub-sets of the situation, is considered here. Various Actors are found responsible for ensuring informational risk management, policy framing and governance support. The identification of actors and their roles, and the processes related to the development of the ISP and its implementation so as to ensure best practices for service delivery, aiming at risk minimization, governance and physical infrastructure development in the organization, are discussed below.

4.2.5.3 Identification of Actors


With reference to the Situation considered for the synthesis, it has been observed that various actors play important roles in the implementation of the ISP and influence governance and performance, from top management to employees working at all hierarchical levels (deployed to meet the different needs of handling security arising from the varied and complex nature of the IT infrastructure), the CISO, auditors and vendors. These players are categorized as the following actors.
• Top Management (A1): The highest ranking executives in the organization, responsible for ISP implementation and development processes;
• Chief Information Security Officer (A2): A senior level executive within the organization responsible for establishing and maintaining the strategies and programme that ensure information assets and technologies are adequately protected;
• Organizational employees (A3): Employees of the organization, responsible for ISP compliance;
• Network team (A4): The group of people responsible for protecting the IT infrastructure of the organization;
• Auditing body (A5): A member or group responsible for the systematic and independent audit of the organization's information security, such as CERT-IN, STQC and ISACA;
• Vendor (A6): Vendors are a part of the supply chain: the network of all the individuals, external organizations, resources, activities and technology involved in the creation and sale of a product;
• Clients (A7): A person or organization using the service or the product.



4.2.5.4 Roles of Actors
A few key actors in the case study are selected based on their role, responsibility and authority to support ISP framing and its implementation process. The case study identifies the Top Management of the concerned organization as one of the important actors, with enhanced responsibility for minimizing security breach incidents. CERT-IN, designated under Section 70B of the IT Act as amended in 2008, is a government mandated IS organization whose purpose is to respond to computer security incidents, report on vulnerabilities and promote effective IT security practices throughout the country. STQC and ISACA are identified within their scope of work as auditors of the ISP and are chosen as actors that are involved as independent certification bodies. Because of their important roles as auditing bodies, these are selected as external actors.

Therefore, actors should be proactive in their decision-making in conflicting situations in order to deal with the changes required in the development process. It is advisable that there be adequate training and awareness programmes, so that the employees of the organization are trained and well equipped to adopt any of the provisions of the information policy.

4.2.5.5 Process
4.2.5.5.1 Policy Development
Referring to the previous sub-sections, where an overview of the selected situation was provided and the actors involved in ISP implementation were identified, this section discusses the process of information security policy. It is observed that the ISP implementation process supplements IS governance and also assists various actors within and outside the organization. Figure 4.7 highlights the comprehensive ISP process in an organization given by Knapp, in which six major activities are involved: policy development, specification of roles and responsibilities, a design phase developing a security control framework, implementing a solution, monitoring, and finally awareness, training and education.
The information security policy development process starts with an analysis of the policy's development against organizational goals, approval of the policy documents by top management, and the influence of internal actors and factors such as senior management, the business, organizational culture, technology architecture and internal threats. It is then the responsibility of top management to ensure that policy awareness and training are conducted for employees. The next step of the process, policy implementation, is important and should be continuously monitored. The process should further drive enforcement of the policy, followed by policy review.

The review should be continuous, and top management should keep an eye on all policy implementation activities. The review should be based on the risk assessed by the auditor and by auditing bodies such as CERT-IN, STQC and ISACA. These auditors play an important role in the development of the policy and work with the network team and vendors. They are also engaged in providing feedback on non-compliance with standards and on any threats from external or internal factors. Not only for this reason, the auditor also engages with clients to obtain feedback so as to improve the policy review; in the policy review phase, the auditor, as an actor who assists, has been selected as one of the decision makers for assessing the ISP development process.

4.2.5.5.2 Ensuring ISP implementation for Smooth Governance

ISG is an essential element of organizational governance and consists of the leadership, organizational structures and processes involved in the protection of informational assets. Through ISG, firms can address the issues of information security from a corporate governance perspective, thereby optimizing certain outcomes.

Because ISG brings information security to the attention of Boards and CEOs, an organization can effectively address the issues of information security, leading to improved outcomes including strategic alignment, risk management, business process assurance, value delivery, resource management and performance measurement. In terms of strategic alignment, ISG enables firms to align security with business strategy to support organizational objectives. Organizations are also more likely to execute appropriate measures to reduce risks and potential impacts to an acceptable level and to integrate all relevant assurance factors so that processes operate as intended from end to end. ISG also supports the optimization of security investments in support of business objectives and enables the firm to use security knowledge and infrastructure in the most efficient and effective manner possible. Finally, ISG better enables the monitoring and reporting of security processes to ensure the achievement of objectives.



With regard to ISP implementation, IS security is a complex subject. One must understand the environment in order to protect it, and must understand the differences between vendor applications and hardware variations and how attacks are carried out. In the present context of policy challenges, information systems have become an essential part of organizations. The growing dependence of most organizations on their information systems has brought problems such as theft of data, attacks using malicious code and denial of service; these new opportunities for IT related issues, coupled with the associated risks, have made IS governance an increasingly critical facet of overall governance.

Based on the understanding from the literature, it was revealed that designing and implementing an effective IS policy is not just a management problem; it is a business issue. As a result of global networking and the extension of the organization beyond its traditional boundaries, the ISP is emerging as a value creator and opportunity builder in its own right, by building trust among the decision makers, players and actors within and outside a secure organization, where both risks and careless mistakes can result in serious financial, reputational and other damage to organizations. In order to safeguard the organization from loss of reputation, the confidentiality, integrity and availability of data need to be protected. Thus, the ISP has emerged as a key aspect of implementing information security based governance.

4.2.5.5.3 Information Governance

When information security based governance is adopted in organizations, the executive management
actions that provide strategic direction to the organization should be considered. These actions
are involved in achieving business objectives, ameliorating risk, and managing resources in the
most effective and efficient manner possible. At the organizational level, planning leads to
strategies which give direction to the organization and touch on all aspects, including financial,
research and development, marketing, human resource, and information technology resources. These
strategies should be reflected in information policies and procedures and are therefore ultimately
executed as part of the organizational governance process, the set of activities that ensure a
firm's strategies are implemented and its policies executed.

4.2.5.5.4 ISP: Cyber Security Policy Issues
With the aim of monitoring and protecting information and data, and of combating cyber attacks,
the National Cyber Security Policy 2013 was released on July 2, 2013 by the Government of India.
The Cyber Security Policy aims to protect information infrastructure in cyberspace, reduce
vulnerabilities, build capabilities to prevent and respond to cyber threats, and minimize damage
from cyber incidents through a combination of institutional structures, people, process,
technology and cooperation. In broad terms, the objective of this policy is to create a secure
cyberspace ecosystem and strengthen the regulatory framework.
In this context of information security policy implementation, various processes are identified
which support the smooth implementation of IS policies. These processes concern how top
management identifies the scope of the policy and classifies information, so that the process can
support good policy framing. Further processes relate to information asset management, access
control over information, and how organizations respond to threats and take initiatives to
minimize them. Since the actions of employees, in both their professional and personal lives,
affect information breaches in the organization, a process for their training on the ISP is also
included. The shortlisted processes are as follows.
o (P1): Scope identification
o (P2): Information classification
o (P3): Asset management
o (P4): Managing access control
o (P5): Identify risks at various levels
o (P6): Information security awareness training
o (P7): Conduct of information security audit
o (P8): Security standards compliance
Based on the SAP components, the learning, actions and performance areas are shortlisted as
follows.
4.2.5.6 Learning
Learning from the SAP synthesis components is highlighted to address the organizational challenges
to ISP implementation. Referring to the SAP synthesis, it can be concluded that ISP implementation
supports organizational requirements and thus organizations should establish, implement and maintain
the IS policies. The salient points on learning are shortlisted on the basis of the outcomes from
the discussion of the information security policy process and the governance issues involved at
various levels in an organization.

The IS policy document is important to the top management of an organization. As a responsible
actor, top management has a greater role and responsibility to play. Organizational characteristics,
such as type and size, determine the kind of IT infrastructure in place. Both external and internal
factors govern the threats to information. It is observed that the employee, as an actor, also has
a big role to play in securing information. Employees must understand and accept the risks that
come with using technology and the Internet in particular. Additionally, to protect confidential
information well, the organization should hire IT experts and employees with the right
qualifications to protect the data. Proper training and guidance can then help the organization to
protect itself from threats. To increase awareness of security issues among employees, the
organization should take several steps to improve employees' awareness and understanding of the
importance of information security. Overall, employees should work in ethical ways and should not
take advantage of company facilities for personal use, because doing so can invite attacks and put
the organization's information at risk. In addition, IS audit requirements should be met and the
organization should review the policy on a regular basis. In response to these challenges from the
SAP synthesis, several learning recommendations are proposed as follows:

o (L1*): Issues related to the ISP can be overcome by framing a comprehensive policy document,
and the document must be in line with organizational goals;
o (L2*): An organization's infrastructure is prone to risk and information security breaches;
this needs to be addressed while defining the ISP for the organization concerned;
o (L3*): If top management shows concern about information security, employees follow the
same;
o (L4*): Organizations should give equal importance to internal threats and external threats;
o (L5*): Taking no action on an IS violation encourages employees to repeat it in future;
o (L6*): Fixing responsibility and accountability can help the implementation of the ISP;
o (L7*): Basic information security awareness training can reduce security breach incidents
to a large extent.

4.2.5.7 Actions
There are several challenges in the organizational environment that make it difficult to
adequately protect information and implement the ISP. Some of them relate closely to the actions
needed in areas such as inconsistent enforcement of policies, employees' lack of awareness of the
importance of information security, and a lack of expertise and employee skills to handle attacks.
In this view, an ISMS provides a management approach to securing information through the
implementation of controls. Thus, many actions are required to be implemented in an organization.

Based on the synthesis of the SAP components, the following actions are considered the minimum
prerequisites to support the framing of the ISP and governance.

o (A1*): Identify information security risks for organizations and their countermeasures;
o (A2*): Development of a disaster recovery site to ensure business continuity;
o (A3*): The organization should acquire ISO/IEC: 27001:2005 certification;
o (A4*): Plan for specialized training according to the job requirements;
o (A5*): Non-disclosure agreements for employees and third parties;
o (A6*): Provide adequate resources and funds for ISP implementation;
o (A7*): Implementation of a single ID authentication system.

4.2.5.8 Performance Areas

Improving performance in the selected situation includes the following areas.
o (P1*): Compliance enforcement for the organizational ISP, in order to build information
security informed organizations;
o (P2*): Top management needs to give more priority to information security issues in
organizations;
o (P3*): A defined risk assessment and management plan to ensure the protection of
organizational information assets against internal and external threats;
o (P4*): ISP implementation results in improved productivity, efficiency and realization of
organizational goals.

The complete research framework, as a SAP-LAP model developed for the case, is shown in the
appendix, where the challenges that ISP implementation poses to organizational IS governance are
also shown.

SAP-LAP modeling sets out the limitations of both intuitive and rational choice in decision-making,
and ranks actors with reference to their roles in processes and actions with respect to their
impact on performance. The steps followed in the SAP-LAP inquiry modeling in this chapter are set
out below.
 Identification of the Ranking Variable (actors or actions, as the case may be, for the SAP or
LAP component) and the Reference Variables (processes or performance, as the case may be, for the
SAP-LAP component). For SAP modeling this means ranking the influence of actors' decisions on
processes; for LAP modeling it means ranking the influence of actions on performance.
 Developing a cross-interaction matrix between the two sets of variables, and converting the
interpretive matrix into a binary matrix by interpreting the interactions entered in its cells.
 Developing the interpretive logic of pairwise comparison and the dominating interaction matrix
by interpreting the dominance of one interaction over the other. The 'Interpretive Ranking Model'
uses paired comparison of the interpretations in the matrix, resulting in an interpretive
logic-knowledge base and a dominance matrix.

The various steps involved in the development of the cross interaction matrix are explained below.

 The Cross Interaction Matrix captures the contextual relationship of the roles of actors in the
identified processes. The interpretive matrix was formed by assessing an actor's level of influence
over a process from a detailed study of the case situation, the decisions taken, the information
available from Indian IT sector organizations and, where necessary, from companies' top
management.
 For ease of mapping, the level of influence was categorized in five descending steps, starting
with "strong influence", followed by "significant influence", "moderate influence", "limited
influence" and ending with "little influence". Accordingly, based on the information about the
case available from the literature review and from the organizations, the interpretive matrix of
actors versus processes is summarized in Table 4.1 (a).
 In the next step, the above information on influences was coalesced into a binary matrix by
assigning the score "0" to "little influence" and "1" to all other categories of influence. Based
on the influences in the interpretive matrix given in Table 4.1 (a), the binary matrix was
developed as given in Table 4.1 (b); this essentially helped in shortlisting, from all possible
combinations, the interactions that required further study.

It is to be noted that in this case study the structures of the Self Interaction Matrix (SIM) and
Cross Interaction Matrix (CIM) are framed and only one situation is taken into consideration.
However, the SIM is not established here; only the CIM of the SAP and LAP components is used to
demonstrate the case.

Table 4.1 (a): Interpretive Matrix (Actors over Process)

To carry out the SAP-LAP synthesis, a five-point scale of influence levels is used for quantitative
assessment. The information in the CIM is then converted into a binary matrix by assigning '0' to
low and very low influences and '1' to all other, higher influences. Based on the severity of the
influences, the interpretive matrices are formed and shown in Table 4.1 (b).

Table 4.1 (b): Binary Representation (Actors over Process)

 The rating information in the graded interpretive matrix (Table 4.1 (a)) and the binary matrix
(Table 4.1 (b)) were again used as the foundation for developing the interpretive table of actors
against the different processes, through a method of paired comparison between actors.

 The descending order of influence between a pair of actors interacting with a process, as
obtained from Table 4.1 (a) and (b), is used to assess the dominance of one actor over the other in
dealing with that process. The interpretive logic of dominance for actors over their counterparts
in the various pairs was obtained in this way. Where both actors exert equal influence (say,
"strong influence"), the case knowledge base is referred to in order to ascertain the dominance of
one actor over the other (refer to the Appendix for the interpretive logic of the knowledge base).

Table 4.1 (c): Dominating Interaction Matrix (Actor versus Actor)

Table 4.2: Dominating Interaction Matrix and Ranking Representation (Actors over Process)

The interpretive logic-knowledge base for ranking actors with respect to processes, and actions
with respect to performance, is based on the understanding gained from the literature review on
information security policy implementation and on the scope of the situation presented in this
chapter.
 The dominance matrix is formed by recording, in a square matrix of the various actors, the
processes on which each actor dominates or is dominated. Dominance over each other is also
estimated and shown in Table 4.2. Similarly, the dominance and binary matrices for actions versus
performance, showing the ranking of actions, are tabulated in Table 4.3 (a), (b), (c) and (d).
It may be noted that the interpretive logic (refer to the Appendix) was based on facts obtained
from the literature review, from professionals and from various stakeholders working in the same
area of information security, and was applied only to those cases where both actors had "strong",
"significant", "moderate" or "limited" influence on a particular process; that is, where both
actor cells interacting with the same process have a rating of "1".

Table 4.3 (a): Cross Interaction Matrix (Action versus Performance)

Action vs Performance | P1* (ISP compliance) | P2* (Top management commitment) | P3* (Risk assessment plan) | P4* (Improved organizational productivity)
A1* | Strongly influence | Strongly influence | Strongly influence | Strongly influence
A2* | Significant influence | Significant influence | Significant influence | Moderate influence
A3* | Significant influence | Significant influence | Limited influence | Significant influence
A4* | Strongly influence | Significant influence | Little influence | Significant influence
A5* | Strongly influence | Significant influence | Significant influence | Strongly influence
A6* | Moderate influence | Strongly influence | Moderate influence | Significant influence
A7* | Strongly influence | Significant influence | Significant influence | Significant influence

Table 4.3 (b): Binary Representation (Action versus Performance)

Actions vs. Performance | Actions mapped to process / knowledge areas | P1* (ISP compliance) | P2* (Top management commitment) | P3* (Risk assessment plan) | P4* (Improved organizational productivity)
A1* | Identify risks and countermeasure | SI (1) | SI (1) | SI (1) | SI (1)
A2* | Disaster recovery plan | SGI (1) | SGI (1) | SGI (1) | MI (1)
A3* | ISO/IEC:27001 certification | SGI (1) | SGI (1) | LMI (0) | SG (1)
A4* | Employees training | SI (1) | SGI (1) | LI (1) | SG (1)
A5* | Non-disclosure agreements | SI (1) | SGI (1) | SI (1) | SI (1)
A6* | Funds for ISP implementation | MI (1) | SI (1) | MI (1) | SGI (1)
A7* | Single ID authentication system | SI (1) | SGI (1) | SGI (1) | SGI (1)

Table 4.3 (c): Dominating Interaction Matrix (Action versus Action)

Action vs Action | A1* | A2* | A3* | A4* | A5* | A6* | A7*
A1* | - | P1*,P2*,P3*,P4* | P1*,P2*,P3*,P4* | P2*,P3*,P4* | P2*,P3*,P4* | P1*,P3*,P4* | P2*,P3*,P4*
A2* | - | - | P3* | P3* | - | P1*,P3* | -
A3* | - | P4* | - | P3* | - | P1* | -
A4* | - | P1*,P4* | P1* | - | - | P1* | -
A5* | - | P1*,P4* | P1*,P3*,P4* | P3*,P4* | - | P1*,P3*,P4* | P4*
A6* | - | P2*,P4* | P2*,P3* | P2*,P3* | P2* | - | P2*
A7* | - | P1*,P4* | P1*,P3* | P3* | - | P1*,P3* | -

Table 4.3 (d): Dominating Interaction Matrix (Action versus Action)
(rows: dominating action; columns: action being dominated)

Action | A1* | A2* | A3* | A4* | A5* | A6* | A7* | Count of Dominating (D) | Net Dominance (D-B) | Action Rank
A1* | - | 4 | 4 | 3 | 3 | 3 | 3 | 20 | 20 | I
A2* | - | - | 1 | 1 | - | 2 | - | 4 | -9 | VI
A3* | - | 1 | - | 1 | - | 1 | - | 3 | -10 | VII
A4* | - | 2 | 1 | - | - | 1 | - | 4 | -6 | IV
A5* | - | 2 | 3 | 2 | - | 3 | 1 | 11 | -7 | V
A6* | - | 2 | 2 | 2 | 1 | - | 1 | 8 | -4 | III
A7* | - | 2 | 2 | 1 | - | 2 | - | 7 | -2 | II
Count of Being Dominated (B) | 0 | 13 | 13 | 10 | 4 | 12 | 5 | Total Interactions (57)
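The counting step that turns Table 4.3 (c) into Table 4.3 (d) is mechanical, so it is worth automating and checking. The following Python is an added example and not code from the thesis: it transcribes the influence levels of Table 4.3 (a) and the dominance cells of Table 4.3 (c), applies the binary rule stated in the text (only "little influence" scores 0), counts how often each action dominates (D) and is dominated (B), computes the net dominance D - B and ranks the actions by it. The function and variable names are my own; the dominance cells are taken as given, because the tie-breaking knowledge base that produces them is in the appendix rather than on this page.

```python
"""SAP-LAP action ranking from a dominating interaction matrix.

Added example, not code from the thesis. The matrices are transcribed from
Tables 4.3 (a) and 4.3 (c); function and variable names are my own.
"""

ACTIONS = ["A1*", "A2*", "A3*", "A4*", "A5*", "A6*", "A7*"]
PERFORMANCE = ["P1*", "P2*", "P3*", "P4*"]

# Five-level scale used in the thesis; the text scores only "little" as 0.
BINARY_SCORE = {"strong": 1, "significant": 1, "moderate": 1,
                "limited": 1, "little": 0}

# Table 4.3 (a): influence of each action (row) on P1*..P4* (columns).
INTERPRETIVE = {
    "A1*": ["strong", "strong", "strong", "strong"],
    "A2*": ["significant", "significant", "significant", "moderate"],
    "A3*": ["significant", "significant", "limited", "significant"],
    "A4*": ["strong", "significant", "little", "significant"],
    "A5*": ["strong", "significant", "significant", "strong"],
    "A6*": ["moderate", "strong", "moderate", "significant"],
    "A7*": ["strong", "significant", "significant", "significant"],
}

# Table 4.3 (c): performance areas on which the row action dominates the
# column action ("-" cells are simply absent).
DOMINATING = {
    "A1*": {"A2*": {"P1*", "P2*", "P3*", "P4*"}, "A3*": {"P1*", "P2*", "P3*", "P4*"},
            "A4*": {"P2*", "P3*", "P4*"}, "A5*": {"P2*", "P3*", "P4*"},
            "A6*": {"P1*", "P3*", "P4*"}, "A7*": {"P2*", "P3*", "P4*"}},
    "A2*": {"A3*": {"P3*"}, "A4*": {"P3*"}, "A6*": {"P1*", "P3*"}},
    "A3*": {"A2*": {"P4*"}, "A4*": {"P3*"}, "A6*": {"P1*"}},
    "A4*": {"A2*": {"P1*", "P4*"}, "A3*": {"P1*"}, "A6*": {"P1*"}},
    "A5*": {"A2*": {"P1*", "P4*"}, "A3*": {"P1*", "P3*", "P4*"}, "A4*": {"P3*", "P4*"},
            "A6*": {"P1*", "P3*", "P4*"}, "A7*": {"P4*"}},
    "A6*": {"A2*": {"P2*", "P4*"}, "A3*": {"P2*", "P3*"}, "A4*": {"P2*", "P3*"},
            "A5*": {"P2*"}, "A7*": {"P2*"}},
    "A7*": {"A2*": {"P1*", "P4*"}, "A3*": {"P1*", "P3*"}, "A4*": {"P3*"},
            "A6*": {"P1*", "P3*"}},
}


def binary_matrix(interpretive):
    """Cross interaction matrix -> binary matrix (the Table 4.3 (b) step)."""
    return {a: [BINARY_SCORE[level] for level in levels]
            for a, levels in interpretive.items()}


def dominance_counts(dominating):
    """Number of performance areas on which row action dominates column action."""
    return {i: {j: len(dominating.get(i, {}).get(j, set()))
                for j in ACTIONS if j != i}
            for i in ACTIONS}


def rank_actions(dominating):
    """Return (D, B, net, rank): dominating count, being-dominated count,
    net dominance D - B and rank by descending net dominance (ties by name)."""
    counts = dominance_counts(dominating)
    d = {i: sum(counts[i].values()) for i in ACTIONS}
    b = {j: sum(counts[i][j] for i in ACTIONS if i != j) for j in ACTIONS}
    net = {a: d[a] - b[a] for a in ACTIONS}
    order = sorted(ACTIONS, key=lambda a: (-net[a], a))
    rank = {a: r for r, a in enumerate(order, start=1)}
    return d, b, net, rank


def conflicting_pairs(dominating):
    """Pairs recorded as dominating each other on the same performance area;
    paired comparison should never produce one, so this is a sanity check."""
    problems = []
    for i in ACTIONS:
        for j in ACTIONS:
            if i < j:
                both = (dominating.get(i, {}).get(j, set())
                        & dominating.get(j, {}).get(i, set()))
                if both:
                    problems.append((i, j, sorted(both)))
    return problems


if __name__ == "__main__":
    d, b, net, rank = rank_actions(DOMINATING)
    print("action   D   B  D-B  rank")
    for a in ACTIONS:
        print(f"{a:6} {d[a]:3} {b[a]:3} {net[a]:4} {rank[a]:5}")
    print("total interactions:", sum(d.values()))
    print("conflicts:", conflicting_pairs(DOMINATING))
```

Running it reproduces the D column, the B row and the total of 57 interactions in Table 4.3 (d). Two points are worth checking against the page: D minus B for A5* comes to 11 - 4 = +7, which would place it second, whereas the table prints -7 and rank V; and Table 4.3 (b) scores the "limited" cell of A3*/P3* as 0 and the "little" cell of A4*/P3* as 1, the opposite of the rule stated in the text, which this block follows.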

4.2.6 Discussion
In the previous section, a SAP-LAP model of ISP implementation in organizations was developed.
The model is based on an intuitive approach to analyzing the ISP within the organizational system
boundary. Based on the synthesis of SAP-LAP components and the matrix based approach, the top
management of an organization secured the first rank, followed by the CISO, with organizational
employees in third place. The findings support the view that top management should be most
responsible for the implementation of the ISP. It should also ensure that the requirements of the
organization, as well as of the other actors, are met. The CISO, as one of the most important
actors after top management, plays an active role in the organization in implementing the ISP,
which justifies this ranking. Employees, as the actors who follow and implement the policy in the
organization, were found to have a very important role. Their qualifications, skills, knowledge and
expertise, as well as their actions, were found to be sensitive factors in minimizing various types
of threats and breaches in organizations.
They should follow the instructions of top management and the CISO, and so were ranked after the
two top actors. Actors such as the network team and auditing bodies are placed after the first three
actors. Vendors, who approach the organization to meet its requirements, and clients are both placed
at a lower order in the ranking. Audit, as an important activity and an information security
requirement, is very important for inquiring into and securing information. In this view, the ISMS,
as a comprehensive framework for managing information security, also provides the audit
requirements. Thus, this also justifies the ranking secured by the later actors.

In view of the above ranking obtained using the matrix based SAP-LAP model, where the actors
involved in the process of information security policy implementation are ranked, one can implement
and re-orient many of the actions required for an effective ISP implementation in organizations.
Further, it can also be said that SAP-LAP is a good intuitive approach with which a system can be
inquired into, and critical inquiry can be conducted and explored at further levels of study on the
subject. Even though ISP implementation is an important parameter in protecting the organization,
several other challenges are found in protecting and managing information as well. One of the
challenges faced in an organization is a lack of understanding of the importance of information
security.

When employees lack the skills, awareness and information security knowledge needed to handle the
information of the business process, the organization is easily attacked by hackers or exposed to
other threats. Such attacks try to access the organization's confidential information. It is
therefore crucial for all staff members, security professionals and members of IT teams in an
organization to understand the importance of information security practice, in line with the
market scenario, in order to protect confidential data.

Information security awareness was found to be one of the important factors and should be provided
by top or senior management to the organization's employees. In general, the users of IT systems,
working as employees, are equally important, having roles and responsibilities through which they
can maintain security and privacy. In this respect, this study brings out a clear demonstration of
the various elements, through the modeling of SAP and LAP components, of information security,
policy and ISMS practices in IS governance.

Adequate learning from training and effective understanding is a challenge for almost all the
actors, including employees. Providing training on such IS policy initiatives often faces a number
of challenges that impede the further take-up of effective participation. This study, a SAP-LAP
model assessment of ISP implementation in organizations, aims to provide a better understanding of
the challenges that bear on the success of information security policy implementation. It has also
been noticed that awareness programmes often pursue different targets of preserving security and
privacy, which sometimes adds more complexity to the organization. Therefore, this study using the
SAP-LAP model is useful for supplementing information security awareness training activities for
all kinds of stakeholders in Indian sector organizations, and also for government and academia.

4.3 FINDINGS FROM Phase –II

This section presents the findings obtained from the Phase –II part of the research study. This
part of the study meets Objective 3 of the research study, which is to study information security
standards practice implementation and its influence on policy implementation in Indian
organizations. For this purpose, Partial Least Squares (PLS) based Structural Equation Modeling
(SEM) is used.

The PLS based SEM technique is sometimes known as path modeling, and the method is similar to
other approaches to SEM. Goodhue et al. (2006) find that the PLS method is widely used in the areas
of marketing and information systems but only sparingly in other disciplines within management.
However, a more recent review of the methodology by Henseler et al. (2009) finds a growing use of
PLS in the literature, including several marketing studies published in international journals. PLS
based modeling offers several potential benefits to authors, researchers and stakeholders, such as
the ability to work with smaller sample sizes than covariance based SEM requires, and the absence
of distributional assumptions. A disadvantage of PLS based SEM, however, is that it does not give a
global fit statistic for models. This is a particular limitation of the PLS based model, because
multiple group comparisons become more difficult when an overall fit statistic is not available.

Based on the literature review, it is found that PLS has been applied more than covariance based
SEM (CB-SEM) in recent research and applications. Many studies also discuss multiple group
analysis, a technique well suited to this study, and examine the validity of the reasons chosen for
using PLS over CB-SEM. In terms of the general notation and application of the methodology, PLS
path models consist of three components: first the structural model, second the measurement model
and third the weighting scheme. Whereas the structural and measurement models are components of all
kinds of SEMs with latent constructs, the weighting scheme is specific to the PLS approach
(Tenenhaus et al., 2005). In this context, this study selects a research model of information
security management standards practice and policy, where the factors affecting ISMS practices and
ISP implementation are selected based on ISO: 27001. This information security standard is widely
followed by organizations as best practice to protect themselves from various types of threats.

PLS based modeling can be carried out in the SmartPLS software. A description of the measurement
instrument is available from the help pages of the SmartPLS package. Based on the studies completed
in Phase –I, variables are identified to model the research problem in this part of the study.
Figure 4.8 (a) and (b) represent the research model and the relationships to be assessed between
latent variables (LVs) and manifest variables (MVs), the nomological network. These figures show
the hypothesis notation for each relationship. Here, the nodes representing LVs are drawn as
ellipses and those representing MVs are drawn as boxes. In contrast to the CB-SEM method, in PLS
each MV may be connected to only one LV. Further, all arrows connecting an LV with its block of MVs
must point in the same direction. The connections between LVs and MVs are referred to as the
measurement or outer model. From a research modeling and assessment point of view, the outer model
is a prerequisite assessment for the inner model, which primarily looks at whether the research
model is fit for further analysis. A research model in which all arrows point outwards is called a
Reflective Model: all LVs have reflective measurements. A research model in which all arrows point
inwards is called a Formative Model, where all LVs have formative measurements. Their combination,
a hybrid research model containing both formative and reflective LVs, is referred to as a MIMIC
model. It is worth noting here that PLS path models permit only recursive relationships and
can be expressed as simple connected digraphs. A digraph is simple if it has no loops and at most
one arc between any pair of nodes. A digraph is connected if an undirected path exists between any
two nodes; consequently, no node is isolated from the rest.

4.3.1 Variable Selection and Hypothesis Development

Manifest variables (MVs) are the items used to measure the constructs (LVs) of the study. The LVs
are adopted from the literature review and were chosen after gaining maturity on the subject of
information security standards practices in organizations, particularly the ISO/IEC: 27001:2005
controls and their related objectives. This was done after the discussion and findings obtained
from the situational analysis in the SAP-LAP modeling completed in Phase –I of this research
study, and on the basis of the review of literature. The following hypotheses were formulated for
the research study in Phase -II.
H1: Asset management supports policy implementation in organizations
H2: Top management commitment supports policy implementation in organizations
H3: Access management supports policy implementation in organizations
H4: Communication and operations supports information security implementation in
organizations
H5: Risk management supports policy implementation in organizations
H6: Compliance management supports policy implementation in organizations
H7: ISMS practices positively influence the information security policy of the organization
H8: The asset management is important for ISMS practices
H9: Management commitment is positively related to ISMS practices
H10: Access management is important for ISMS practices
H11: Communication and operations management plays a major role in, and positively affects,
ISMS practices.
H12: Risk management is important in ISMS practices.
H13: Compliance management is positively related to ISMS practices

4.3.1.1 Proposed Research Model

Figure 4.5 Research Model: Hypothesis Representation

Figure 4.6 (a): Research Model: Hypothesis Representation (Direct Relationships)

The LVs considered in this part of the modeling were selected keeping in mind that their scope
under this model should cover all the issues of interest in securing the organization against
various aspects of information loss, cyber threats and breaches. Based on the literature review, an
ISMS framework provides an approach to handling the loss of information due to many risks and
describes a set of controls: asset and access management, top management commitment,
communication and operations, and so on. In the current research model, not only these controls of
the ISO standard are selected but also factors such as risk management and information compliance
management are chosen as LVs, to give the research model the robustness to assess information
security implementation effectively.

To ensure a consistent and effective approach to the management of information security incidents,
top management responsibilities and policy procedures should be established that ensure a quick,
effective and orderly response to such incidents. ISO control objectives in this context are
instructions to follow and relate to parameters such as asset management, management commitment,
information access control, communications and operations management, and compliance management
in organizations. All such factors (including controls) influencing ISMS practice and ISP
implementation, along with risk management, are considered unobserved variables in the
organization for assessing ISMS practice and ISP implementation; organizations need to consider
implementing these unobserved variables to support ISMS practices, which can in turn influence
policy implementation. Table 4.4 presents the classification of measurement items (unobserved and
observed variables) used to assess information security policy and to suggest a model for Indian
organizations.
ISO/IEC: 27001:2005 specifies a few more control objectives concerning the need to protect the
confidentiality, integrity and availability of information. Within the scope of the controls
defined above, the international standard provides organizations with guidance on how to manage
information security by applying a risk management process, and gives interested parties
confidence that their information is adequately managed. The research model designed in this part
of the study is intended to support the successful implementation of all the practice and policy
related factors. Thus, through the implementation of the standard's ISMS practices and policy
implementation, and a true understanding of their impact on an organization, organizations can
avoid negative influences, protect themselves and also achieve many other benefits and strategic
advantages.

Figure 4.6 (b): Research Model: Hypothesis Representation (H7 Direct and remaining are Indirect Relationships)

For example, employees or users of IT systems in organizations should know about the practices
they need to follow, and one of the ways of achieving this is certification and compliance with the
standard through skills training and participation in technical workshops. Certification and
compliance can bring reputational, motivational and financial benefits to organizations, through
customers having greater confidence that the organization can protect their information at agreed
security levels, along with improvements in the security of the organization's supply chain. In
this view, top management bears more responsibility towards the employees of the organization for
enabling them to work in line with the severity of the threats present in the current business and
market conditions.

All of these factors, the so-called elements of the research model, are closely related to the
organization's ability to deliver satisfaction to customers and fulfil the expectations and wishes
of stakeholders, while ultimately protecting the organization's capacity for doing business.
Keeping all this in mind, it is impossible for an organization not to have ISO 27001:2013, and
therefore considering most of the controls in a single model to analyze the relationships among
them seems to be an integrated and feasible model of study for further assessing and developing an
effective information security policy.

In view of the above selection of factors (i.e. LVs, which include security controls), the
following hypotheses were made for this study using structural equation modeling, where data were
collected from various IT sector stakeholders through a developed questionnaire. Accordingly, the
responses captured, the model validity testing following the methodology steps, and the model fit
are presented in the later part of this section. Data analysis for the model development and
hypothesis testing was carried out in the SmartPLS software (Version 3).

The hypothesized relationships between the constructs chosen for this part of the study are
indicated in Figure 4.8.

Table 4.4: Description of ISO Controls: Selection from ISO/IEC 27001: 2005
(Latent and Measured Variables)
S.no. / Latent Variable (LV) & Code / Measured Variables (MV)

1. Asset Management (AM) (ISO/IEC:27001:2005)
   o Identification and classification of information assets by organizations (AM1)
   o ISO advocates responsibility for assets (AM2)
2. Management Commitment (MC)
   o Providing Organizational Structure and Resources for information security (MC1) (Al-Awadi, 2009)
   o Roles and Responsibilities of Employees, Contractors and Third Party Users (MC2)
   o Awareness and Training Related with Information Security (MC3) (Siponen, 2000)
   o Define the action taken Against Employees for Not Following Information Security Directions (MC4)
   o Adequacy of budget for Information Security (MC5) (Bjorck, 2001)
3. Access Management (ACM)
   o Authentication for Accessing IT Services (ACM1)
   o Importance of Network Access Control (ACM2)
   o Confidentiality and non disclosure (ACM3)
4. Communication & Operation Management (COM)
   o Periodical Backup of Critical Information (COM1)
   o Network Security Mechanism (Such as Firewall and VPN etc.) (COM2)
   o Service Level Agreement with Third Party (COM3)
5. Risk Management (RM)
   o Business Continuity Planning and Disaster Recovery (RM1)
   o Identification and Evaluation of Risks, Threats to avoid Security Breach Incidents (RM2) (Stanton, 2005)
   o Management of Information Security Incidents and Improvement (RM3)
   o Encryption of critical information (RM4)
6. Compliance Management (CM)
   o Compliance to Legal, Regulatory Provisions related to Information Security (CM1) (Saint-Germain, 2005; Berends, 2007)
   o Information Security Audit, Testing & Certification (CM2) (Santos and Pereira, 2010)
   o Data Protection and Privacy of Personal Information (CM3)
7. ISMS Practices (ISMP)
   o Availability of Information (ISMP1)
   o Confidentiality of information (ISMP2)
   o Integrity of information (ISMP3)
8. Information Security Policy (ISP)
   o Secured Organization (ISP1)
   o Trust of Clients (ISP2)
   o Improved performance of Organization (ISP3)

Figure 4.7 : Research Nomological Network: Latent variables (LVs) and Manifest Variables (MVs) Relationships

4.3.2 SEM Implementing Approach
The SEM approach is very popular for research problems across many disciplines. As already
described, the PLS approach to SEM offers an alternative to covariance-based SEM which is
especially suitable for analyzing research situations where the data are not normally distributed.
The technique, known as path modeling, is also referred to as a soft-modeling technique with
minimum requirements on measurement scales, sample sizes and residual distributions. Among
recent developments in PLS application, the SmartPLS package provides the capability to
estimate PLS path models. The application is best suited where different types of research setup
for the estimation of factor scores can be used. In addition to these features, the software provides
modular methods for computing bootstrap confidence intervals, model parameters and several
quality indices. Moreover, the software is supported with various plot functions that help to
evaluate the model and to support decision making on ISP implementation.

Figure 4.8: Flow Chart of SEM Methodology Implementation

SEM is by far the best known quantitative technique and is widely used as a path modeling
technique, but recently researchers have begun to apply PLS-based SEM (Shackman, 2013). PLS
offers a few advantages over other SEM models, such as lower sample size requirements, easier
hypothesis testing of moderating relationships, and built-in provisions to handle both formative
and reflective indicators. This study examines ISMS practice and information security policy
assessment in Indian organizations, and suggests a policy development framework for them. The
study finds mixed support for some of the commonly cited reasons for using PLS over SEM.
Finally, the study also discusses multi-group analysis, which may make it an attractive alternative
over PLS for the scope of this study, which used small sample sizes with data from multiple
countries.

The implementing steps of the PLS methodology include assessment of the measurement model
(i.e. outer model) followed by assessment of the structural model (i.e. inner model). These two
models are tested against the hypotheses or assumptions made on the research model. After a
model is designed based on the selection of LVs and MVs, the reliability and validity of the
measurement model are estimated using statistical parameters such as composite reliability,
manifest variable reliability, convergent validity and discriminant validity. Confirmed reliability
and validity establish that the measurement model is fit for analyzing the structural model. In the
structural model, assessment is carried out using path analysis, which relates to the significance of
a relationship between two LVs. The level of a relationship and its significance are tested through
the interaction effect and bootstrapping provisions provided in SmartPLS. Structural model testing
also includes the significance and relevance of the coefficient of determination (R²), predictive
relevance (Q²), the significance of the path coefficients, and f² and q² values to assess effect size.
This part is very important in PLS-based SEM, where the findings depend on the testing of the
measurement model. In general, PLS-based SEM assessment includes mediation, moderation and
effects of control variables. Based upon the scope of research and objectives, multi-group analysis
and higher order (i.e. second order) models are sometimes tested. Importance-Performance Map
Analysis (IPMA) is a unique feature built into SmartPLS which can be performed for a more
elaborate interpretation of PLS-SEM results; the IPMA provides a better representation of the
results of a PLS-SEM analysis.

4.3.3 Results from SEM model

4.3.3.1 Factor Analysis: Exploratory Factor Analysis and Confirmatory Factor Analysis

A research model is said to be complex and complicated when the study has many constructs and
indicators (Hair et al., 2011). Therefore, the complexity of the model needs to be reduced to the
extent possible. In order to reduce the complexity of the research model, Exploratory Factor
Analysis (EFA) was conducted to identify how many factors can be retained in the model by
estimating the loading values of the MVs (items) used to measure each construct. EFA is done to
achieve the best model before the research model is tested using PLS (Preacher and MacCallum,
2002). In addition, EFA was conducted because some of the relationships among the observed
and underlying factors had been neither tested nor investigated beforehand; this is another reason
for using EFA.

Therefore, as this study initially had quite a large number of MVs, EFA was applied to achieve
research objective one (RO2), as mentioned in Chapter 1. Confirmatory factor analysis (CFA) was
also used to test how well the final instrument measured the particular constructs in the research
model (in this case, the security factors on the LVs). This was ensured through convergent and
discriminant validity. Furthermore, Cronbach's alpha was used as the parameter to determine the
reliability of the numerical data; its purpose is to determine how well the items positively
correlate with one another.

It is noted that the most appropriate SEM approach should be adopted by a researcher based on
the scope of his or her research objectives (Christmas, 2005). As the aim and objectives of this
part of the research study are to predict or identify the significant factors of ISMS practice and
policy implementation in organizations, PLS-SEM was chosen: PLS-SEM is an exploratory
methodology that relies on the data, and it is used to obtain determinate values for latent variables
for predictive purposes and to minimize the variance of all dependent variables.

Other advantages that can be found in PLS-SEM over the covariance-based approach are that
PLS-SEM is able to handle complex models and is insensitive to data size. The research
model is considered complex when it has a large number of variables and indicators (Hair et
al., 2010), such as the research model adapted in this study.

4.3.3.2 Reliability Test in PLS-SEM

Reliability is important to any research model because it can minimize errors and biases in
research (Hair et al., 2010). When using PLS-SEM, two types of reliability test need
consideration: indicator (manifest variable) reliability and construct reliability. Indicator
reliability is used to determine which part of an indicator's variance can be explained by the
underlying latent variable, while construct reliability is used to assess how well a construct is
measured by its assigned indicators (Götz, Liehr-Gobbers & Krafft, 2010). Both types of
reliability testing are essential to a research model. In the general procedure of SEM, the
reliability of the indicators can be assessed by checking their factor loading (λ) values, whereby,
as suggested by many authors of previous studies, values larger than 0.7 are acceptable (Chin,
1998; Götz et al., 2010; Hair et al., 2010). This value is an important parameter for determining
reliability in similar kinds of research. However, many studies have found values in the range of
0.6-0.7 acceptable. This study employs two methods to assess the reliability of the constructs in
the research model: (i) Cronbach's alpha and (ii) composite reliability (CR).

In view of reliability testing, Cronbach's alpha is the most common method used to assess
construct reliability (Sekaran, 2003). This reliability indicator has been considered the first
method one should use to assess the reliability of a measurement scale (Lorence & Churchill,
2005). Opinions differ on this point, and different levels of acceptance have been suggested by
various authors in their past studies. For instance, Hair et al. (2011) suggested that the alpha value
should exceed 0.70 to indicate internal consistency. On the other hand, Carmines and Zeller
(1979) recommended a level of acceptance of 0.80 for internal consistency. For new scales, a
level of 0.60 is considered acceptable (Hair et al., 2010; Nunnally & Bernstein, 1994). Despite
the differing opinions on the level of acceptance, an alpha value of 0.70 or above is acceptable to
indicate internal consistency. Therefore, this study uses 0.70 as the minimum value to indicate the
internal consistency of a construct.

The other construct reliability test that may also be considered is composite reliability (CR).
Construct reliability is important to ensure that all the measures used in this study are reliable
and, at the same time, to give greater confidence that the observed (manifest) variables are
consistent in their measurements (Hair, Ringle & Sarstedt, 2013). CR is sometimes defined as a
check of how well a construct is measured by its assigned indicators (Götz et al., 2010). There is
also a difference of opinion on the cutoff value for reliability acceptance. Authors of previous
studies on security policy compliance behavior have suggested that the acceptable recommended
value for CR is equal to or greater than 0.60 (Herath & Rao, 2009b).

4.3.3.3 Validity Test in PLS-SEM

The term validity is defined as "the degree to which a measure accurately represents what it is
supposed to" (Hair et al., 2010, p. 7). Two types of validity are measured in this study: content
validity and construct validity (convergent and discriminant validity).

Content validity is the assessment of the extent to which the content of a scale measures a
construct (Hair et al., 2010). Careful attention is to be given to the process of developing the
questionnaire in order to obtain content validity. In this part of the study, the research model is
constructed and the measurement items are selected based on the literature and previous studies,
the ISMS framework, and the control objectives of the Standard, to suit the research model set
under this study. Further, the questionnaire went through a back translation process. During this
process, comments and suggestions from experts (practitioners in the IT cell of the organization,
academicians, industry experts) regarding the wording of the items in the questionnaire were
obtained. Any ambiguous words or sentences were corrected.

On the other hand, construct validity is the extent to which a set of measured items actually
reflects the latent construct (Hair et al., 2010). Thus, construct validity is examined by
analyzing both convergent and discriminant validity. According to Sekaran (2003), the
convergent validity examines whether the measures of the same construct are highly
correlated, whereas discriminant validity determines whether the measures of a construct are
too highly correlated with other constructs in the research model.

In order to establish convergent validity, the Average Variance Extracted (AVE) parameter was
considered. AVE is the share of the indicators' variance that is captured by the construct relative
to the total amount of variance, including the variance due to measurement error (Götz et al.,
2010). The threshold value of AVE suggested by previous studies is 0.50 or higher; otherwise it is
considered insufficient (Hair et al., 2013; Götz et al., 2010). On the other hand, discriminant
validity is established when the estimated correlations between the constructs are not greater than
0.85 (Awang, 2012; Kline, 2005). Hulland (1999, as cited by Götz et al., 2010) stated that the
shared variance between a construct and its indicators should be larger than the shared variance
with other constructs for discriminant validity to be achieved. As this study used PLS to conduct
the SEM analysis, a goodness-of-fit test is not necessary; however, the corresponding statistics are
reported.
This part of the analysis explains the empirical results obtained from hypotheses testing. An
evaluation of the response rate, including the non-response bias test and a general description of
the survey respondents, is provided.
 Furthermore, the section reports the exploratory factor analysis (EFA) results, followed by the
results of the Common Method Bias (CMB) testing, and the results of the Confirmatory Factor
Analysis (CFA) used to test the measurement model, which covers the assessment of
unidimensionality, reliability and construct validity.
 The results of the structural model used to test the hypotheses developed are shown, and the
predictive relevance and power analysis of the research model are also presented.
Finally, a discussion of the research findings concludes this chapter in section six.

4.3.3.4 Preliminary Data Analysis

Preliminary data analysis is essential to ensure that the quantitative data used in this study are
error-free before proceeding with PLS-SEM analysis. The preliminary analysis included data
editing and coding, data screening and data normality. In this phase of the PLS-SEM, exploratory
factor analysis (EFA), descriptive analysis and a common method bias test were also carried out.

4.3.3.5 Data Editing and Coding

Once the data collection process was over, the raw data were edited to ensure their completeness.
Editing involved checking the data collection forms for omissions, legibility and consistency in
classification (Pallant, 2007). The raw data were then manually entered into a data file in the
Statistical Package for the Social Sciences (SPSS) version 21.0. There are two major ways to
exercise this process, pre-coding and post-coding (De Vaus, 1995). This study applied the
pre-coding method, whereby all the measurement items were pre-coded with numerical values.
Any out-of-range values were revisited and corrected where appropriate.

4.3.3.6 Data Screening


Data screening was done to ensure that the data were correctly entered and to confirm that the
distribution of the variables was normal. Skewness and kurtosis were measured to test the
normality of the data; the value of these statistics for each item was in the range of -1.96 to +1.96,
which indicated that the data were normally distributed. In any case, all observations were
retained for analysis as this study used PLS-SEM, for which data normality is not a requirement
to pursue further analysis.

4.3.3.7 Response Rate

In order to get a higher number of respondents, 350 questionnaires were distributed to selected
sectors of Indian organizations. However, only 180 out of 350 responded, which is equivalent to a
51.4 per cent response rate. The other 170 questionnaires were classified as non-responses. After
data checking, only 141 questionnaires (40.28%) were validated and another 39 questionnaires
(11.14%) were rejected due to missing values.

The response rate in this study was considered appropriate based on the following reasons.
Firstly, the researcher managed to collect more data than the target of the sample sizes
required for this study (n =350) based on the calculation of the sample size explained in
Chapter Three of Research Methodology.

Secondly, the rate of 51.4 per cent was based on the total of questionnaires distributed, but
not based on the actual sample size required. Thus, this study considered that the actual
response rate was 100 per cent.

Finally, the response rate of 51.4 per cent is still acceptable as compared to the many
previous studies where the response rate was found within the common range of 12 to 60 per
cent (Al-Omari et al., 2013; Brady, 2011; Herath & Rao, 2009b; Ng et al., 2009). Due to
several difficulties in data collection, sometimes a response rate of more than 19% is
considered reasonable (Uffen & Breitner, 2013). Therefore, for these given reasons, the
researcher concluded that the non-response bias is not an issue in this study.

4.3.3.8 Survey Responses and Respondents’ Profile

As described earlier, Indian organizations (both government and private sector), particularly
Indian IT sector, Information Technology Enabled Service (ITES), banking, Telecom and
manufacturing were selected as respondents. Figures 4.10- 4.14 show the descriptive statistics
of the 141 respondents in the sample selected.
As explained in the research methodology Chapter 3, respondents were chosen based on their
knowledge about information security, cyber security, IS standards and policy
implementation in the Indian organizations.

i. Respondents' Position level

Figure 4.9: Position wise Distribution
(pie chart: Senior Management 49%, Middle Management 45%, Others 6%)

Figure 4.10 gives the position wise distribution of the respondents from various organizations.
49% of the respondents were from senior level, while 45% were from the middle management
executive cadre and 6% were from other levels (senior executives etc.).

ii. Organization's sector:

Figure 4.10: Sector wise Distribution of Responses
(pie chart; sectors: Information Technology, Information Technology Enabled Services (ITES),
Telecommunication, Banking, Financial services, Railways, Education/Training institute)

Forty-nine per cent of the respondents were from government organizations and 51 per cent were
from private sector organizations, as shown in Figure 4.12.

iii. Type of Organization

Figure 4.11: Type of Organization
(pie chart: Government 47%, Private 51%, Others 2%)

iv. Team Size of Organization's IT department

The IT department of the organization was found important in providing support for data
collection. The team size of employees working in the organizations is shown in Figure 4.13.

Figure 4.12: Team Size of IT Dept. in Organizations
(pie chart; categories: Less than 5, 5 to 10, 10 to 20, More than 20)

It is evident that 34% of organizations had a team size between 5-10 employees.

v. Types of Certifications Possessed by the Organization (Adherence to IS Standards and
framework):
In terms of adherence to IS Standards and frameworks existing in organizations, Figure 4.14
shows that approximately 27% were following ISO/IEC 27001 and approximately 25% were not
interested in sharing the data.

Figure 4.13: IS Standards & Framework - Adherence in Organizations
(pie chart; categories: ISO/IEC 27000, ISO 27001:2005, COBIT, Capability Maturity Model,
Not Aware, Don't want to share)

vi. Types of Information security threat incidents faced by the Organizations

Figure 4.14: Types of Information security threat incidents faced by the Organizations
(pie chart; categories: Denial of Service attacks, Malware infection, Phishing, Unauthorised
system access, Malicious code, Network breach, Data loss/theft, Website defacement, Not aware)

It is seen that malware infection, Denial of Service attacks, malicious code and data loss/theft are
the most prevalent types of information security threat incidents occurring in Indian
organizations.

4.3.4 Exploratory Factor Analysis (EFA)
In order to address research objective RQ3, Exploratory Factor Analysis (EFA) was conducted to
identify how many factors can be retained by exploring the loading values of the items used to
measure each construct before the research model was tested using PLS.

Table 4.5: Items Removed from Independent Variables

| Construct | Measurement Item | Reason |
|---|---|---|
| Risk Management | R5: Importance of reporting of information security events | Low value of factor loading (0.474) |
| Risk Management | R6: Security measure taken for securing organization's area and requirement | Low value of factor loading (0.352) |
| Top Management | MC5: Provision of budget for information security function | Low value of factor loading (0.433) |
| Communication and Operations Management | COM4: Monitoring and review of third party services | Low value of factor loading (0.536) |
| Asset Management | AM3: Maintaining inventory of assets | Low value of factor loading (0.238) |

The EFA was conducted in several stages. Firstly, the suitability of the data for factor
analysis was assessed, whereby all 24 items used to measure the independent variables and
another 6 items used to measure the dependent variables were tested separately. The results
revealed that the Kaiser-Meyer-Olkin (KMO value) was less than 0.6 for the independent
variables, which means that the value was not appropriate for factor analysis (Pallant, 2007).
Therefore, some of the items used to measure the independent variables needed to be deleted.
Secondly, the factor loading for each item was also examined and factor loading values of
less than 0.4 were removed (Hair et al., 2010; Pallant, 2007).

Finally, 5 items for the independent variables were removed, as shown in Table 4.3. Thus, the
final EFA was conducted with 19 items used to measure the independent variables.

The Kaiser-Meyer-Olkin (KMO) measure of sampling adequacy takes values between 0 and 1,
with small values meaning that overall the variables have too little in common to warrant a factor
analysis. Historically, the following labels are given to values of KMO (Kaiser, 1974):
0.00 to 0.49 unacceptable
0.50 to 0.59 miserable
0.60 to 0.69 mediocre
0.70 to 0.79 middling
0.80 to 0.89 meritorious
0.90 to 1.00 marvelous

In the current study, the KMO of sampling adequacy for the 19 items used to measure the
independent variables was 0.929 and Bartlett's test of sphericity was significant (a significant
value should be p = .05 or smaller). The Chi-Square value was 13653.542, suggesting that the data
matrix had sufficient correlation for factor analysis. The results show that factor analysis can be
carried out for further analysis.

The eight constructs were used in Confirmatory Factor Analysis (CFA). Meanwhile, the KMO for
the six items used to measure the dependent variable was 0.716, and the overall significance of
the correlation matrix by Bartlett's test of sphericity was p = 0.000. The Chi-Square value was
1125.248. Only one factor was yielded, with an eigenvalue greater than 1, and it explained 73%
of the variance in the data. Thus, this result indicated that the six items used to measure the
dependent variable should be retained.

4.3.4.1 Common Method Bias


In recent decades, empirical studies have paid careful attention to the concept of common method
variance (CMV) and to how it may bias results that use respondents as data sources (Jakobsen &
Jensen, 2015). CMV is defined as "variance that is attributable to the measurement method rather
than to the constructs the measures represent" (Podsakoff, MacKenzie, Lee, & Podsakoff, 2003,
p. 289), which could be problematic. The common method bias (CMB) test is carried out before
proceeding with CFA, and Harman's single-factor test was conducted to assess CMB.
The basic assumption of Harman's single-factor test is that if a substantial amount of CMV is
present, a factor analysis of all the data will result in a single factor accounting for the majority of
the covariance in the variables. An unrotated single-factor analysis of all study items explained
less than 50 per cent of the variance, as shown in Table 4.6. Given that a single-factor solution did
not emerge and a general factor did not account for most of the variance, CMB was not viewed as
a significant threat in the current study (Podsakoff & Organ, 1986a).

4.3.5 Confirmatory Factor Analysis (CFA): Measurement Model - Stage One


The first step in PLS-SEM analysis is to analyze the measurement model (i.e. outer model) to
determine how well the indicators load on the constructs. In this research study, the measurement
model was developed and tested before proceeding with structural model testing. As already
mentioned, the purpose of the measurement model is to measure how the observed variables
depend on the unobserved or latent variables (Hair et al., 2010). Therefore, CFA testing ensures
that the questionnaire design is reliable. The measurement model was assessed separately for the
full model and for each group model used in the multi-group analysis. For this purpose, CFA was
administered.

The CFA was conducted to test how well the developed instrument measures the particular
constructs in the research model. This is ensured by examining the reliability and validity of the
constructs. Firstly, the respective factor loadings and cross loadings are referred to (see Table 4.6)
to assess whether there were problems with any particular variable indicators in the full research
model. Cross loadings were computed to examine whether the items loaded on other constructs
equally as well as on their respective construct. In the research model under the current study, a
cut-off value of 0.7 or higher for loadings is considered significant (Hair et al., 2010). Results in
Table 4.6 show that most of the indicators measuring a particular construct had loading values of
more than 0.7 on their respective constructs. The factor loading of item R1 is 0.628; as in
exploratory research a loading within the range 0.6-0.7 is acceptable, the item is still acceptable.
Therefore, the results confirmed that the indicators were valid for their respective constructs.
Next, as suggested by Hair et al. (2010), the Composite Reliability (CR) and Average Variance
Extracted (AVE) were examined to assess the convergent validity of the measurement items. The
outputs for the same indicators are shown in Table 4.7. In the full model, the CR for each
construct ranged from 0.842 to 0.924, which exceeds the recommended value of 0.7 (Hair et al.,
2010). Meanwhile, the AVE for each construct in the full model ranged between 0.606 and 0.802,
which is greater than 0.5; the cut-off value thus ensures that at least 50% of the variance in each
construct is explained by its set of indicators. The collected data were verified for reliability by
calculating Cronbach's Alpha (CA). The resulting values ranged from 0.725 to 0.875, which is
acceptable. The results of the measurement in the full model show that all eight constructs
(including the target construct Info Sec Policy) are valid measures based on their parameter
estimates and statistical significance.

Table 4.6: Reliability of Indicator: Factor loadings
(outer loading of each indicator on its own construct)

| Indicator | Construct | Loading |
|---|---|---|
| ACM1 | ACM | 0.87 |
| ACM2 | ACM | 0.801 |
| ACM3 | ACM | 0.746 |
| AM1 | AM | 0.837 |
| AM2 | AM | 0.926 |
| CM1 | CM | 0.837 |
| CM2 | CM | 0.912 |
| CM3 | CM | 0.935 |
| COM1 | COM | 0.848 |
| COM2 | COM | 0.883 |
| COM3 | COM | 0.853 |
| ISMP1 | ISMS Practices | 0.784 |
| ISMP2 | ISMS Practices | 0.899 |
| ISMP3 | ISMS Practices | 0.731 |
| ISP1 | Info Sec Policy | 0.747 |
| ISP2 | Info Sec Policy | 0.807 |
| ISP3 | Info Sec Policy | 0.868 |
| MC1 | MC | 0.728 |
| MC2 | MC | 0.807 |
| MC3 | MC | 0.84 |
| MC4 | MC | 0.746 |
| R1 | RM | 0.628 |
| R2 | RM | 0.707 |
| R3 | RM | 0.854 |
| R4 | RM | 0.894 |

Table 4.7: Reliability of Construct: Cronbach's Alpha

| Construct | Cronbach's Alpha (construct reliability; loading factors > 0.7) | rho_A | Composite Reliability | Average Variance Extracted (AVE) (convergent reliability; acceptable if > 0.50) |
|---|---|---|---|---|
| ACM | 0.733 | 0.757 | 0.848 | 0.652 |
| AM | 0.725 | 0.796 | 0.876 | 0.779 |
| COM | 0.826 | 0.826 | 0.896 | 0.742 |
| CM | 0.875 | 0.875 | 0.924 | 0.802 |
| ISMS Practices | 0.729 | 0.746 | 0.848 | 0.652 |
| Info Sec Policy | 0.734 | 0.742 | 0.85 | 0.654 |
| MC | 0.789 | 0.812 | 0.862 | 0.611 |
| RM | 0.801 | 0.894 | 0.858 | 0.606 |

Table 4.8 (a): Discriminant Validity of Constructs
(Fornell-Larcker criterion; diagonal values are the square root of AVE, off-diagonal values are inter-construct correlations)

| | ACM | AM | COM | CM | ISMS Practices | Info Sec Policy | MC | RM |
|---|---|---|---|---|---|---|---|---|
| ACM | 0.807 | | | | | | | |
| AM | 0.564 | 0.883 | | | | | | |
| COM | 0.799 | 0.489 | 0.862 | | | | | |
| CM | 0.5 | 0.324 | 0.473 | 0.895 | | | | |
| ISMS Practices | 0.611 | 0.632 | 0.5 | 0.549 | 0.808 | | | |
| Info Sec Policy | 0.785 | 0.606 | 0.821 | 0.438 | 0.534 | 0.809 | | |
| MC | 0.403 | 0.409 | 0.359 | 0.569 | 0.579 | 0.319 | 0.782 | |
| RM | 0.449 | 0.357 | 0.387 | 0.761 | 0.501 | 0.389 | 0.43 | 0.779 |

Then, the research analyses proceeded to test the discriminant validity by examining the squared
correlations between the measures of potentially overlapping constructs for the full model. The
results show that all diagonal values (square root of AVE) were higher than the values in their row
and column, indicating adequate discriminant validity. These values indicate that no overlapping
construct existed. The collected data were also verified for their reliability by calculating the CA.
The resulting values in the full model (Table 4.7) ranged from 0.779 to 0.895. The CA results
were acceptable because they all exceeded 0.7 (Hair et al., 2013). Table 4.8 shows the summary of
the assessment of the reflective measurement model for the full model.
Table 4.8 (b): Discriminant Validity: Cross Loadings
MVs- ISMS Info Sec
ACM AM COM CM MC RM
LVs Practices Policy
ACM1 0.87 0.54 0.701 0.512 0.624 0.713 0.461 0.416
ACM2 0.801 0.334 0.599 0.465 0.476 0.458 0.355 0.462
ACM3 0.746 0.459 0.623 0.222 0.353 0.693 0.137 0.216
AM1 0.418 0.837 0.356 0.129 0.424 0.445 0.302 0.213
AM2 0.559 0.926 0.489 0.398 0.658 0.605 0.406 0.39
CM1 0.487 0.339 0.506 0.837 0.431 0.474 0.536 0.602
CM2 0.434 0.261 0.376 0.912 0.512 0.349 0.491 0.685
CM3 0.420 0.269 0.387 0.935 0.530 0.35 0.501 0.756
COM1 0.737 0.445 0.848 0.518 0.518 0.638 0.444 0.443
COM2 0.630 0.445 0.883 0.351 0.448 0.689 0.316 0.305
COM3 0.698 0.374 0.853 0.357 0.329 0.792 0.173 0.256
ISMP1 0.429 0.427 0.362 0.437 0.784 0.373 0.516 0.384
ISMP2 0.549 0.619 0.465 0.488 0.899 0.453 0.553 0.445
ISMP3 0.495 0.468 0.375 0.401 0.731 0.466 0.326 0.38
ISP1 0.640 0.662 0.597 0.476 0.604 0.747 0.414 0.407
ISP2 0.566 0.322 0.618 0.267 0.285 0.807 0.127 0.215
ISP3 0.686 0.470 0.764 0.313 0.395 0.868 0.222 0.311
MC1 0.278 0.331 0.239 0.426 0.435 0.196 0.728 0.261
MC2 0.332 0.334 0.289 0.434 0.383 0.256 0.807 0.400
MC3 0.329 0.344 0.368 0.522 0.558 0.331 0.840 0.389
MC4 0.326 0.262 0.195 0.374 0.400 0.184 0.746 0.28
R1 0.196 0.092 0.095 0.285 0.209 0.105 0.203 0.628
R2 0.255 0.147 0.214 0.438 0.286 0.200 0.288 0.707
R3 0.370 0.419 0.321 0.656 0.441 0.301 0.436 0.854
R4 0.473 0.329 0.434 0.793 0.508 0.457 0.361 0.894
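The two discriminant validity checks described above (the Fornell-Larcker comparison of Table 4.8 (a) and the cross-loading rule of Table 4.8 (b)) are easy to verify mechanically, and doing so is how the COM / Info Sec Policy exception is found. The script below is an added example, not part of the thesis or of SmartPLS. It assumes that the last column of the reliability rows printed above Table 4.8 (a) is AVE (its square root reproduces that table's diagonal), and it uses only a subset of the cross-loading rows (ACM, COM and ISP, the three most strongly correlated constructs); the construct abbreviations ISMS and ISP are shorthand introduced here.

```python
"""Added example (not from the thesis): programmatic checks of the
Fornell-Larcker criterion (Table 4.8 (a)) and the cross-loading rule
(Table 4.8 (b)) on the reported values."""
from math import sqrt

CONSTRUCTS = ["ACM", "AM", "COM", "CM", "ISMS", "ISP", "MC", "RM"]

# AVE per construct: read from the last column of the reliability rows
# printed above Table 4.8 (a). sqrt(AVE) reproduces that table's diagonal.
AVE = {"ACM": 0.652, "AM": 0.779, "COM": 0.742, "CM": 0.802,
       "ISMS": 0.652, "ISP": 0.654, "MC": 0.611, "RM": 0.606}

# Lower triangle of the construct correlation matrix, Table 4.8 (a),
# in CONSTRUCTS order (row i lists correlations with constructs 0..i-1).
LOWER_TRIANGLE = [
    [],
    [0.564],
    [0.799, 0.489],
    [0.500, 0.324, 0.473],
    [0.611, 0.632, 0.500, 0.549],
    [0.785, 0.606, 0.821, 0.438, 0.534],
    [0.403, 0.409, 0.359, 0.569, 0.579, 0.319],
    [0.449, 0.357, 0.387, 0.761, 0.501, 0.389, 0.430],
]


def correlation_matrix(lower):
    """Expand the lower triangle into a full symmetric dict-of-dicts."""
    full = {name: {} for name in CONSTRUCTS}
    for i, row in enumerate(lower):
        for j, r in enumerate(row):
            full[CONSTRUCTS[i]][CONSTRUCTS[j]] = r
            full[CONSTRUCTS[j]][CONSTRUCTS[i]] = r
    return full


def fornell_larcker_violations(ave, corr):
    """Return (construct, other, sqrt_ave, r) for every pair whose
    correlation is not below the square root of the construct's AVE."""
    out = []
    for c, value in ave.items():
        root = sqrt(value)
        for other, r in corr[c].items():
            if r >= root:
                out.append((c, other, round(root, 3), r))
    return out


# Subset of Table 4.8 (b): indicators of ACM, COM and ISP, the constructs
# with the highest mutual correlations. Columns are in CONSTRUCTS order.
CROSS_LOADINGS = {
    "ACM1": [0.870, 0.540, 0.701, 0.512, 0.624, 0.713, 0.461, 0.416],
    "ACM2": [0.801, 0.334, 0.599, 0.465, 0.476, 0.458, 0.355, 0.462],
    "ACM3": [0.746, 0.459, 0.623, 0.222, 0.353, 0.693, 0.137, 0.216],
    "COM1": [0.737, 0.445, 0.848, 0.518, 0.518, 0.638, 0.444, 0.443],
    "COM2": [0.630, 0.445, 0.883, 0.351, 0.448, 0.689, 0.316, 0.305],
    "COM3": [0.698, 0.374, 0.853, 0.357, 0.329, 0.792, 0.173, 0.256],
    "ISP1": [0.640, 0.662, 0.597, 0.476, 0.604, 0.747, 0.414, 0.407],
    "ISP2": [0.566, 0.322, 0.618, 0.267, 0.285, 0.807, 0.127, 0.215],
    "ISP3": [0.686, 0.470, 0.764, 0.313, 0.395, 0.868, 0.222, 0.311],
}


def owner_of(indicator):
    """Indicator name without its trailing digits is its construct."""
    return indicator.rstrip("0123456789")


def cross_loading_violations(loadings):
    """Indicators whose own-construct loading is not the largest in their
    row, with the competing construct and the (negative) margin."""
    out = []
    for ind, row in loadings.items():
        own = owner_of(ind)
        own_loading = row[CONSTRUCTS.index(own)]
        best_other = max((l, CONSTRUCTS[k]) for k, l in enumerate(row)
                         if CONSTRUCTS[k] != own)
        if best_other[0] >= own_loading:
            out.append((ind, own, best_other[1],
                        round(own_loading - best_other[0], 3)))
    return out


def smallest_margin(loadings):
    """Smallest (own loading - highest cross loading) over all rows:
    how much headroom the cross-loading rule has."""
    margins = []
    for ind, row in loadings.items():
        own = owner_of(ind)
        own_loading = row[CONSTRUCTS.index(own)]
        other = max(l for k, l in enumerate(row) if CONSTRUCTS[k] != own)
        margins.append((round(own_loading - other, 3), ind))
    return min(margins)


if __name__ == "__main__":
    corr = correlation_matrix(LOWER_TRIANGLE)
    print("Fornell-Larcker violations:", fornell_larcker_violations(AVE, corr))
    print("Cross-loading violations:", cross_loading_violations(CROSS_LOADINGS))
    print("Tightest cross-loading margin:", smallest_margin(CROSS_LOADINGS))
```

Running it reports exactly one Fornell-Larcker exception, Info Sec Policy against COM (0.821 versus 0.809), no cross-loading violations in the subset, and ACM3 as the indicator with the least headroom (0.746 on ACM against 0.693 on Info Sec Policy). Extending CROSS_LOADINGS to all 25 rows of Table 4.8 (b) needs no other change.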



Table 4.9 (a): Collinearity Statistics (indicator VIF)

Indicator   VIF       Indicator   VIF
ACM1        1.685     ISMP1       1.682
ACM2        1.650     ISMP2       2.048
ACM3        1.273     ISMP3       1.329
AM1         1.478     ISP1        1.256
AM2         1.478     ISP2        1.700
CM1         1.746     ISP3        1.814
CM2         3.836     MC1         1.403
CM3         4.328     MC2         1.774
COM1        1.821     MC3         1.678
COM2        2.130     MC4         1.504
COM3        1.795     R1          2.545
                      R2          2.740
                      R3          2.333
                      R4          2.486

Table 4.9 (b): Model Fit Indicators

Indicator    Saturated Model   Estimated Model
SRMR         0.104             0.104
d_ULS        3.487             3.487
d_G1         1.746             1.746
d_G2         1.364             1.364
Chi-Square   872.65            872.65
NFI          0.607             0.607

Table 4.9 (a) shows that every indicator VIF is below 5, the usual collinearity threshold (Hair et al., 2013), and Table 4.9 (b) reports the model fit indicators. On this basis the outer (measurement) model is taken as validated, and the model fit statistics justify moving on to the analysis of the structural model. One caveat: the SRMR of 0.104 is above the 0.08 value commonly used as an approximate fit threshold in PLS-SEM, so the fit indices should be read as approximate rather than as evidence of close fit.


4.3.6 Structural Model: Stage Two
The composite reliabilities, discriminant validity and convergent validity reported in Tables 4.7 to 4.9 above satisfy the psychometric requirements for the designed structural model. Bootstrapping with 500 re-samples was used to calculate the path estimates and robust t-statistics for the hypothesized relationships.

PLS-SEM does not assume that the data are normally distributed, which means that the parametric significance tests used in regression analysis cannot be applied to test whether coefficients such as outer weights, outer loadings and path coefficients are significant. Instead, PLS-SEM relies on a nonparametric bootstrap procedure (Davison and Hinkley, 1997; Efron and Tibshirani, 1986) to test the significance of the estimated path coefficients. The findings are discussed in the next section.


Figure 4.15: Full Research Model indicating Direct and Indirect Relationships



4.3.7 Hypotheses Testing – Direct Effect
The research hypotheses were tested for statistical significance. Asset Management (β = 0.232), Access Management (β = 0.256) and Communication and Operations Management (β = 0.513) were found to have a significant positive direct effect on information security policy implementation, while the remaining controls do not have a significant direct effect on information security policy.

Figure 4.16 (a): Full Model: Loading Factors and Path Coefficient (PLS Algorithm)

Meanwhile, Management Commitment (β = -0.086), Risk Management (β = 0.001) and Compliance Management (β = 0.041) were found to have no significant effect on Information Security Policy, and the corresponding hypotheses were rejected. Overall, Communication and Operations Management was the most significant predictor of Information Security Policy implementation.


Figure 4.16 (b): Full Model: T-values (Bootstrapping)



The bootstrap values support both the asterisk rating system and quoting the p value. In theory, the p value is a continuous measure of evidence, but in practice it is typically trichotomized into highly significant, marginally significant, and not statistically significant at conventional levels, with cutoffs at p ≤ 0.01, p ≤ 0.05 and p > 0.10 (Gelman, 2012).

Table 4.10: Statistical Relationships (Direct Effect: Output from Bootstrapping)

Path                                                         Original Sample (O)   Sample Mean (M)   Std. Deviation (STDEV)   T Statistics (|O/STDEV|)   p Value
Asset Management -> Info Sec Policy                          0.231                 0.232             0.072                    3.210                      0.0
Management Commitment -> Info Sec Policy                     -0.089                -0.086            0.067                    1.339                      0.1
Access Management -> Info Sec Policy                         0.258                 0.250             0.103                    2.503                      0.0
Communication and Operations Management -> Info Sec Policy   0.513                 0.513             0.091                    5.658                      0
Risk Management -> Info Sec Policy                           -0.005                0.001             0.079                    0.060                      0.9
Compliance Management -> Info Sec Policy                     0.042                 0.041             0.077                    0.546                      0.5
ISMS Practices -> Info Sec Policy                            0.005                 0.241             0.084                    1.980                      0.0
Asset Management -> ISMS Practices                           0.341                 0.339             0.070                    4.887                      0
Management Commitment -> ISMS Practices                      0.243                 0.241             0.070                    3.458                      0.0
Access Management -> ISMS Practices                          0.270                 0.273             0.104                    2.583                      0.0
Risk Management -> ISMS Practices                            0.069                 0.072             0.083                    0.837                      0.4
Communication and Operations Management -> ISMS Practices    -0.065                -0.061            0.110                    0.586                      0.5
Compliance Management -> ISMS Practices                      0.143                 0.139             0.093                    1.540                      0.1

(p values are printed to one decimal place in the source.)
Table 4.11: Hypothesis Testing (β values are the bootstrap sample means (M) of Table 4.10)

Hypothesis   Path                                                         β        Std. Error   t-value   Decision
H1           Asset Management -> Info Sec Policy                          0.232    0.072        3.210     Accepted
H2           Management Commitment -> Info Sec Policy                     -0.086   0.067        1.339     Rejected
H3           Access Management -> Info Sec Policy                         0.250    0.103        2.503     Accepted
H4           Communication and Operations Management -> Info Sec Policy   0.513    0.091        5.658     Accepted
H5           Risk Management -> Info Sec Policy                           0.001    0.079        0.060     Rejected
H6           Compliance Management -> Info Sec Policy                     0.041    0.077        0.546     Rejected
H7           ISMS Practices -> Info Sec Policy                            0.241    0.084        1.980     Accepted
H8           Asset Management -> ISMS Practices                           0.339    0.070        4.887     Accepted
H9           Management Commitment -> ISMS Practices                      0.241    0.070        3.458     Accepted
H10          Access Management -> ISMS Practices                          0.273    0.104        2.583     Accepted
H12          Risk Management -> ISMS Practices                            0.072    0.083        0.837     Rejected
H11          Communication and Operations Management -> ISMS Practices    -0.061   0.110        0.586     Rejected
H13          Compliance Management -> ISMS Practices                      0.139    0.093        1.540     Rejected

Table 4.10 reports the statistical relationships that measure the direct effects obtained from the bootstrapping procedure, and Table 4.11 reports the hypothesis testing indicators: beta value, standard error, t-value and the decision to accept or reject each hypothesis.

Referring to Tables 4.10 and 4.11, the bootstrap statistics do not support H2, H5 and H6, which were rejected. ISMS practice (the mediating construct) was found to have a significant influence on information security policy implementation (β = 0.241); thus hypothesis H7 was accepted. The overall results of the direct-effect hypothesis testing are shown in Table 4.11.

4.3.8 Mediation Effect of ISMS Practices on Information Security Policy Implementation
The research model posited ISMS practices as a mediator variable in assessing information security policy. For this, the study applied the Preacher and Hayes (2004, 2008) mediation testing procedure, in which the indirect effect is bootstrapped. Bootstrapping, a non-parametric re-sampling procedure, has been recognized as one of the more rigorous and powerful methods for testing a mediating effect (Zhao, Lynch & Chen, 2010; Hayes, 2009). Its application to mediation analysis has been advocated by Hair et al. (2013), who noted that "when testing mediating effects, researchers should rather follow Preacher and Hayes (2004, 2008) and bootstrap the sampling distribution of the indirect effect, which works for simple and multiple mediator models". Furthermore, the bootstrapping method is well suited to PLS-SEM because it makes no assumption about the shape of the variables' distribution or the sampling distribution of the statistic (Hair et al., 2013).

Using the bootstrapping procedure, mediation analysis examines the causal relationship between an exogenous variable and an endogenous variable by including a third, explanatory mediator variable (Hair et al., 2013). In PLS-SEM the bootstrapping approach is suitable for mediation analysis because it makes no assumption about the sampling distribution of the statistics and can be applied to small sample sizes (Hair et al., 2013). The first step is to assess the direct effect of the exogenous variable on the endogenous variable, which should be significant when the mediator is not included (Zhao, Lynch & Chen, 2010), before carrying out the mediation analysis in PLS-SEM.

In general, consider the path coefficients of a simple mediation model: a path p12 from construct 1 to construct 2 (the mediator), a path p23 from construct 2 to construct 3, and the direct path p13 from construct 1 to construct 3. If the direct path is significant, the next step is to include the mediator variable in the PLS path model and assess the significance of the indirect path (p12 * p23). The significance of each individual path p12 and p23 is a necessary requirement for this condition. The indirect path is assessed after running the bootstrapping procedure; if the indirect effect is found significant, the mediator absorbs some of the direct path (refer Figure 5.11). To assess how much of the direct path is absorbed, the variance accounted for (VAF) is calculated as

VAF = (p12 * p23) / (p13 + p12 * p23)

Based on the value of VAF, Hair et al. (2013, p. 224) give the following conditions for the mediation effect:

i. If 0 < VAF < 0.20, then no mediation.
ii. If 0.20 ≤ VAF ≤ 0.80, then partial mediation.
iii. If VAF > 0.80, then full mediation.

In this study, mediation analysis was carried out to estimate the magnitude of the indirect effect of the mediating variable (ISMS practices) on the relationships between the exogenous variables (the six management constructs) and the endogenous variable (Info Sec Policy). Bootstrapping is run to obtain the t-values and confirm that the direct relationships are significant before testing the mediating effects. The criteria for the mediation analysis are as follows. First, the predictors (Asset Management, Access Management, Management Commitment, Communication and Operations Management, Risk Management and Compliance Management), i.e. all factors selected in the model, should have a significant influence on the mediator (ISMS practices). Second, the mediator should have a significant influence on the dependent variable (Info Sec Policy). Third, the predictors should have a significant influence on the dependent variable (Info Sec Policy) in the absence of the mediator.

To establish the mediating effect, bootstrapping with 5000 re-samples was used, producing 5000 bootstrapped direct effects. The indirect effects of the constructs were then tested manually in Excel to obtain the t-value, using the z statistic suggested by Sobel (1982, as cited by Akter et al., 2011a), which is significant at p < 0.05: if the t value exceeds 1.96 (p < 0.05) the indirect effect is accepted. A t value exceeding 1.65 (p < 0.10) is sometimes still treated as acceptable (Hair et al., 2011).

Table 4.12: Total Indirect Effect: t and p tests

Total indirect effect                                      Original Sample (O)   Sample Mean (M)   Std. Deviation (STDEV)   T Statistics (|O/STDEV|)   p Values
Access Management -> ISMS Practices                        -                     -                 -                        -                          -
Access Management -> Info Sec Policy                       0.001                 0.001             0.024                    0.051                      0.959
Asset Management -> ISMS Practices                         -                     -                 -                        -                          -
Asset Management -> Info Sec Policy                        0.002                 0.004             0.029                    0.053                      0.958
Communications & Operation Management -> ISMS Practices    -                     -                 -                        -                          -
Communications & Operation Management -> Info Sec Policy   0                     -0.001            0.011                    0.027                      0.978
Compliance Management -> ISMS Practices                    -                     -                 -                        -                          -
Compliance Management -> Info Sec Policy                   0.001                 0.003             0.015                    0.043                      0.966
ISMS Practices -> Info Sec Policy                          -                     -                 -                        -                          -
Management Commitment -> ISMS Practices                    -                     -                 -                        -                          -
Management Commitment -> Info Sec Policy                   (values cut off in the source)
Risk Management -> ISMS Practices                          -                     -                 -                        -                          -
Risk Management -> Info Sec Policy                         (values cut off in the source)

(Rows marked "-" have no indirect path in the model, since the paths into ISMS Practices and the path from ISMS Practices to Info Sec Policy are direct.)

The bootstrapping analysis showed that Asset Management, Access Management and Management Commitment have a significant relationship with ISMS Practices. However, constructs such as Communication and Operations Management, Compliance Management and Risk Management have no indirect effect on Info Sec Policy; indeed, all indirect effects reported in Table 4.12 have t values well below 1.96.
Risk Man
4.3.9 Predictive Relevance (PR), Effect Size and Power Analysis of Full Model
The predictive relevance of the research model is tested using the blindfolding technique. Based on the blindfolding procedure, Q² evaluates the predictive validity of a large, complex model estimated with PLS. While estimating the parameters of a model under the blindfolding procedure, the technique omits data for a given block of indicators and then predicts the omitted part from the estimated parameters. Thus Q² shows how well the empirically collected data can be reconstructed with the help of the model and the PLS parameters (Akter et al., 2011b).

Table 4.13: Estimating Predictive Validity using the Blindfolding Procedure in SmartPLS

Construct                               SSO    SSE       Q² (=1-SSE/SSO)
Access Management                       360    360
Asset Management                        240    240
Communications & Operation Management   360    360
Compliance Management                   360    360
ISMS Practices                          360    235.398   0.346

(Exogenous constructs are not predicted by the model, so their SSE equals SSO and no Q² is reported; the remaining rows of the table, including Info Sec Policy, are cut off in the source.)

According to the results shown in Table 4.13, using an omission distance (D) of 7, this study obtains a Q² of 0.44 for Info Sec Policy and 0.346 for ISMS Practices, both of which exceed the cut-off value of 0.0 (Hair et al., 2011, 2013), thereby indicating that the research model in this study has predictive relevance.

The q² effect size of a predictor on an endogenous construct's predictive relevance is calculated as

q² = (Q²included - Q²excluded) / (1 - Q²included)

and is interpreted as small (0.0 < q² < 0.15), medium (0.15 < q² < 0.35) or large (q² > 0.35).

Table 4.14 (a): Effect Size of Endogenous Latent Variable ISMS Practices

Predictor               Endogenous Variable   Q²included   Q²excluded   Effect Size (q² Values)
Asset Management        ISMS Practices        0.346        0.304        0.064
Management Commitment   ISMS Practices        0.346        0.323        0.035
Access Management       ISMS Practices        0.346        0.337        0.014
COM                     ISMS Practices        0.346        0.353        -0.011
RM                      ISMS Practices        0.346        0.349        -0.005
Compliance Management   ISMS Practices        0.346        0.346        0.000

Table 4.14 (b): Effect Size of Endogenous Latent Variable Info Sec Policy

Predictor                              Endogenous Variable   Q²included   Q²excluded   Effect Size (q² Values)
(predictor name cut off in source)     ISP                   0.44         0.426        0.025
(predictor name cut off in source)     ISP                   0.44         0.442        -0.00357
Access Management                      ISP                                             0
COM                                    ISP                                             0
RM                                     ISP                                             0
Compliance Management                  ISP                                             0

In addition to the above, this study used the Stone-Geisser approach to assess whether a predictor variable has a substantive influence on the endogenous construct by examining the effect size. Effect size (the amount of variance an exogenous variable contributes to the endogenous variable),


generally represented by ƒ², assesses how strongly one exogenous construct contributes to explaining a certain endogenous construct in terms of its R² value. The effect size is calculated by the following formula:

ƒ² = (R²included - R²excluded) / (1 - R²included)

where R²included and R²excluded are the R² values of the endogenous latent variable when a selected exogenous latent variable is included in or excluded from the model. The change in R² is obtained by estimating the PLS path model twice: once with the exogenous latent variable included (yielding R²included) and a second time with it excluded (yielding R²excluded). The R² values obtained by running the PLS algorithm are shown in Table 4.15 (a).

Table 4.15 (a): Values of R² Calculated by Running PLS Algorithm

Endogenous Variable   R Square   R Square Adjusted
ISMS Practices        0.602      0.581
Info Sec Policy       0.755      0.740

Figure 4.17: Values of R² Calculated by Running PLS Algorithm

Chin (1998, p. 317) stated that the higher the ƒ², the greater the influence of the exogenous construct, whereby values of 0.02, 0.15 and 0.35 can be regarded as small, medium and large effects respectively; these values are taken as the rule of thumb for estimating effect size in this study.

Table 4.15 (b): Effect Size (Values of ƒ²) for Endogenous Variable ISMS Practices

Predictor               Endogenous Variable   R²included   R²excluded   Effect Size (ƒ²)
Asset Management        ISMS Practices        0.602        0.530        0.181
Management Commitment   ISMS Practices        0.602        0.567        0.088
Access Management       ISMS Practices        0.602        0.580        0.055
COM                     ISMS Practices        0.602        0.601        0.003
RM                      ISMS Practices        0.602        0.600        0.005
Compliance Management   ISMS Practices        0.602        0.596        0.015

Table 4.15 (c): Effect Size (Values of ƒ²) for Endogenous Variable Info Sec Policy

Predictor               Endogenous Variable   R²included   R²excluded   Effect Size (ƒ²)
Asset Management        ISP                   0.755        0.726        0.118
Management Commitment   ISP                   0.755        0.751        0.016
Access Management       ISP                   0.755        0.737        0.073
COM                     ISP                   0.755        0.672        0.339
RM                      ISP                   0.755        0.755        0.000
Compliance Management   ISP                   0.755        0.755        0.000

The effect sizes show that Compliance Management and Risk Management have no effect on Info Sec Policy (ƒ² = 0.000). COM was found to have a medium effect (ƒ² = 0.339, just below the 0.35 threshold for a large effect) on information security policy implementation in organizations, while the other predictors had small effects (ƒ² < 0.15).

Table 4.15 (d): Effect Size (Values of ƒ²) for Endogenous Variables (labels follow Chin's thresholds: small ≥ 0.02, medium ≥ 0.15, large ≥ 0.35)

Predictor                                 ISMS Practices (ƒ², Effect Size)   Info Sec Policy (ƒ², Effect Size)
Access Management                         0.055 (Small)                       0.073 (Small)
Asset Management                          0.181 (Medium)                      0.118 (Small)
Communication and Operations Management   0.003 (below 0.02)                  0.339 (Medium)
Compliance Management                     0.015 (below 0.02)                  0.000 (below 0.02)
ISMS Practices                            -                                   0.000 (below 0.02)
Management Commitment                     0.088 (Small)                       0.016 (below 0.02)
Risk Management                           0.005 (below 0.02)                  0.000 (below 0.02)
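The quantities used in Sections 4.3.8 and 4.3.9 (the bootstrap t-statistic |O/STDEV|, Q² from the blindfolding sums of squares, the f² and q² effect sizes, VAF and the Sobel z) are short formulas, and recomputing them from a reported table is a cheap cross-check of a PLS-SEM write-up. The script below is an added worked example, not part of the thesis or of SmartPLS. Its thresholds are the Chin (1998) and Hair et al. (2013) rules quoted in the text; the inputs in the __main__ block are reported values from Tables 4.10, 4.12, 4.13 and 4.15 (c), and the function names are chosen here.

```python
"""Added worked example (not part of the thesis): the PLS-SEM quantities
of Sections 4.3.8 and 4.3.9 recomputed from the reported table values."""
from math import sqrt

# Chin (1998) rule of thumb quoted in the text; the thesis applies it to
# both f2 (on R2) and q2 (on Q2).
SMALL, MEDIUM, LARGE = 0.02, 0.15, 0.35


def t_statistic(original: float, stdev: float) -> float:
    """Bootstrap t-value as SmartPLS reports it: |O / STDEV|."""
    return abs(original / stdev)


def q_square(sso: float, sse: float) -> float:
    """Stone-Geisser Q2 from the blindfolding sums of squares: 1 - SSE/SSO."""
    return 1.0 - sse / sso


def effect_size(included: float, excluded: float) -> float:
    """Shared form of f2 and q2:
    (value_included - value_excluded) / (1 - value_included)."""
    return (included - excluded) / (1.0 - included)


def classify_effect(value: float) -> str:
    """Label an f2/q2 value; below 0.02 counts as no substantive effect."""
    if value >= LARGE:
        return "large"
    if value >= MEDIUM:
        return "medium"
    if value >= SMALL:
        return "small"
    return "none"


def effect_table(included: float, excluded_by_predictor: dict) -> dict:
    """Recompute one f2/q2 table: {predictor: (rounded effect, label)}."""
    table = {}
    for name, excluded in excluded_by_predictor.items():
        value = effect_size(included, excluded)
        table[name] = (round(value, 3), classify_effect(value))
    return table


def indirect_effect(p12: float, p23: float) -> float:
    """Indirect path through a single mediator: p12 * p23."""
    return p12 * p23


def vaf(direct: float, indirect: float) -> float:
    """Variance accounted for: indirect / (direct + indirect)."""
    return indirect / (direct + indirect)


def mediation_type(vaf_value: float) -> str:
    """VAF bands of Hair et al. (2013) as quoted in Section 4.3.8."""
    if vaf_value > 0.80:
        return "full"
    if vaf_value >= 0.20:
        return "partial"
    return "none"


def sobel_z(a: float, se_a: float, b: float, se_b: float) -> float:
    """Sobel (1982) z for the indirect effect a*b given the two standard
    errors. A normal approximation; the bootstrap t in Table 4.12 is a
    different statistic, so the two agree only roughly."""
    return (a * b) / sqrt(b * b * se_a ** 2 + a * a * se_b ** 2)


if __name__ == "__main__":
    # Table 4.13, ISMS Practices row
    print("Q2(ISMS Practices) =", round(q_square(360, 235.398), 3))
    # Table 4.15 (c): R2excluded per predictor of Info Sec Policy
    r2_excluded_isp = {"Asset Management": 0.726, "Management Commitment": 0.751,
                       "Access Management": 0.737, "COM": 0.672, "RM": 0.755,
                       "Compliance Management": 0.755}
    for name, (f2, label) in effect_table(0.755, r2_excluded_isp).items():
        print(f"f2 {name:<22} {f2:6.3f} {label}")
    # Table 4.10: COM -> Info Sec Policy (O = 0.513, STDEV = 0.091)
    print("t(COM -> ISP) =", round(t_statistic(0.513, 0.091), 3))
    # Table 4.10: Asset Management -> ISMS Practices (0.341, 0.07) and
    # ISMS Practices -> Info Sec Policy (O = 0.005, 0.084)
    print("Sobel z(AM -> ISMS -> ISP) =",
          round(sobel_z(0.341, 0.07, 0.005, 0.084), 3))
    # Table 4.11 direct effect 0.232 and Table 4.12 indirect effect 0.002
    v = vaf(direct=0.232, indirect=0.002)
    print("VAF(AM -> ISP) =", round(v, 4), "->", mediation_type(v), "mediation")
```

The recomputed f² values reproduce Table 4.15 (c) to three decimals, Q² for ISMS Practices comes out as 0.346, and the VAF for Asset Management on Info Sec Policy is below 0.20, which matches the "no mediation" reading of Section 4.3.8. The Sobel z uses the original-sample path of 0.005 for ISMS Practices -> Info Sec Policy from Table 4.10 and lands near the bootstrap t of Table 4.12; using the sample mean of 0.241 instead gives a very different answer, which is why the two columns of Table 4.10 should be read together.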
4.3.10 Importance–Performance Map Analysis
Importance–performance map analysis (IPMA) is also known as importance–performance analysis, importance–performance matrix, impact–performance map, or priority map analysis. A basic PLS-SEM analysis identifies the relative importance of constructs in the structural model by extracting estimates of the direct, indirect and total relationships. The IPMA extends these PLS-SEM results with a further dimension, the actual performance of each construct. It is a useful tool in PLS-SEM to identify the predecessor constructs' relative importance in shaping a certain target construct (Ringle & Sarstedt, 2016). More specifically, for a target construct, the IPMA contrasts the predecessor constructs' relative importance (total effects) with the average values of the latent variable scores (performance) to highlight significant areas of improvement for managers (Schloderer, Sarstedt, & Ringle, 2014).

As a result, conclusions can be drawn on two dimensions (importance and performance), which is particularly useful for prioritizing managerial actions. Consequently, it is preferable to focus primarily on improving the performance of those constructs that have a large importance in explaining a certain target construct but, at the same time, a relatively low performance. For the research model of this study, IPMA was carried out for the target construct Info Sec Policy. The rationale for this analysis is that managers need to know which indicator variables they should focus on most.

Figure 4.18: IPMA Analysis: The Absolute Values of Info Sec Policy (Target Variable)

Further investigation was carried out to analyze the relative priority of all factors influencing information security policy. The IPMA (Hock, Ringle, & Sarstedt, 2010; Rigdon, Ringle, Sarstedt, & Gudergan, 2011) was carried out using SmartPLS 3 software, taking the performance of each exogenous latent variable into account. IPMA results in a priority map for management-oriented presentations.

For assigning priorities to the different areas of management activity whose improvement would raise a particular endogenous latent variable's performance level in the future, actions should target constructs with a relatively high impact (i.e. a high path coefficient) and a relatively low performance (Hair et al., 2013).

Table 4.16: IPMA: Info Sec Policy

Construct                                 Impact    Performance
Access Management                         0.251     68.351
Asset Management                          0.193     60.172
Communication and Operations Management   0.474     69.680
Compliance Management                     0.320     63.688
ISMS Practices                            0.004     62.932
Management Commitment                     -0.090    55.703
Risk Management                           -0.003    54.773

Significance levels: *p<0.05; **p<0.01

Figure 4.19 (a): IPMA Analysis

As shown in Table 4.16, the IPMA of Info Sec Policy reveals that Communication and Operations Management is of primary importance for implementing information security policy. Its performance is also above average compared with the other constructs. Management Commitment and Risk Management have no relevance (their impact is negative and close to zero) and also have low performance compared with the other constructs.

Figure 4.19 (b): IPMA Analysis

Figure 4.19 (c): IPMA Analysis

Consequently, managerial activities to implement information security policy should place the COM construct (Communication and Operations Management) at the top of their priority list, followed by Compliance Management.
4.3.11 Summary of PLS-SEM Findings
The research model was tested in two main steps: first the outer model, then the inner model. This study adds to Ng et al. (2009) through a multidimensional extension of the constructs, using multidisciplinary theories on information security, ISM practices and IS policy to explain policy implementation in organizations in the Indian context. Moreover, this study may be the first to test the mediation effect of ISMS practices, based on the constructs adapted from the model (Asset Management, Access Management, Management Commitment, Communication and Operations Management, Risk Management and Compliance Management), in the relationship between these constructs and Info Sec Policy implementation in selected Indian organizations. The accepted hypotheses support implementing these management practices to support policy implementation in Indian organizations. In brief, the findings of this phase show:

 The existence of an information security policy in organizations is significantly influenced by the type of sector, top management commitment, and the adequacy of budget and resources available for information security
 Confidentiality and non-disclosure agreements are important for proper implementation of information security policy
 Identification and classification of information, and responsibilities for asset management, are crucial for information security policy
 There are differences in the occurrence of information security breach incidents among the organizations (sectors or organization)
 There are differences among the organizations regarding the information security awareness and training provided by top management
 Communication and operations management plays a major role in the implementation of information security policy
 Granting access to IT services for various users supports information security policy
 Information system acquisition and its maintenance in the organization are important for effective implementation of information security policy
 Organizational focus on business continuity planning and disaster management supports information security policy

In addition, this study found that Risk Management, Asset Management and top Management Commitment have received scant attention in the implementation of information security, especially in IT sector organizations. Without proper knowledge of information security, and lacking the confidence and skills needed to practice information security mechanisms, employees will not be able to apply ISPs appropriately. Thus, top management focus on employees' activities and on IS training to guide their practice can help achieve organizational objectives.

4.4 FINDINGS FROM PHASE III
Information security management practices address the identification of the organization's information assets and introduce critical documents such as IS policies, procedures and guidelines. These documents are of great importance because they spell out how the organization manages its information security practices and detail what is most important to the organization. Nowadays, organizations face daily threats to their information assets. At the same time, they are becoming increasingly dependent on these assets. Most information systems are not inherently


secure, and technical solutions are only one portion of a holistic approach to information security. Establishing information security requirements is essential, but to do so organizations must understand their own unique threat and risk environment. Top and senior management set the general direction, and risk-assessment and risk-analysis activities are used to determine where protective mechanisms should be placed to minimize risk. The threat environment is determined by executing a methodical security risk assessment. Once risk areas are identified, appropriate controls may be selected to mitigate the identified risk factors.

In a broader perspective, IS regulation should be complied with at the organizational level to manage information security and information assets. As organizations have their own regulatory and business requirements, they need to adopt suitable standards. ISO 17799 (since renumbered as ISO/IEC 27002), in this context, was originally derived from British Standards Institution (BSI) BS 7799, with the intention of recommending standard practices. Many organizations follow these standards so that IS management can be implemented effectively and securely (Satti and Nagiral). Organizations adopt such standards so that a defined set of documents can be followed for information security. Moreover, these standards address the concerns of managing information for the organization, which can further influence practices and IS policy implementation. ISO 17799 consists of 10 security control areas, which are used as the basis for the security risk assessment so that policy, as one of the controls, is considered adequately at the organizational level (Carlson T., 2001) (Source: Information Security Management: Understanding ISO 17799: Lucent Technologies Worldwide Services, USA). These controls relate to asset management, management commitment, access management, communication and operations management, and compliance management.

In view of the above, this section focuses on the study of information security management practices in organizations. The research was carried out in three organizations, of which two are Indian IT sector companies and one is a PSU at State Government level. The various actors, processes related to IS, and policy standards were identified in all three organizations. Questions were asked of top and middle management. The Learning, Action and Performance (LAP) components of the information security management practices situation are presented for all three cases. The analysis can support the basis for ISP implementation and IS controls to address the various risks.

4.4.1 Case Studies Development (Two IT Sector Companies and One PSU)
Using the case study development approach, this study examines the ISM practices of Indian sector organizations: two IT companies, one large scale and one small scale, and a state government PSU which provides consultancy for rural development and implements state government projects.

Table 4.17: Respondents' Profile

Name of Organization                           Profile of Respondent       Work Experience
Case A (Small scale private sector company)    Managing Director / CEO     12 Years
Case B (Large scale private sector company)
Case C (State government owned PSU)
Source: Based on responses and compiled by the author
(The respondent profiles and work experience for Cases B and C are cut off in the source.)

The two selected IT sector companies are from the
private sector: one deals in web development and consultancy services and the other provides e-procurement solutions. The third organization is a public sector undertaking at state level, engaged in education and training, consultancy services for rural development, implementation of e-governance projects, and the conceptualization, design, development and implementation of state government projects. Table 4.17 gives the respondents' profiles for the three organizations selected in the research study.

The interviews were conducted with a questionnaire instrument to investigate the ISMS practices and the status of policy implementation in these organizations (two private sector companies and one PSU). The questionnaire consisted of semi-structured questions developed with the SAP-LAP methodology in mind. Judgmental sampling (where the researcher selects the units to be sampled based on knowledge and professional judgment) was used to select interview respondents across the hierarchies in all three cases, to capture multiple viewpoints. Interviews were conducted personally, face-to-face, in the real-life setting of the top and middle management executives who were the respondents. The semi-structured questionnaire template given in the Annexure (refer Annexure) was used for the interviews.

The template consists of ISMS factors derived from the literature on IS standards and the ISP implementation factors identified by Singh and Gupta (2017). These factors include Information Security Requirements, Top Management Support, Information Security Policy, Information Security Training, Information Security Awareness, Information Security Audit, ISM Best Practices, Asset Management, Information Security Incident Management, Information Security Regulations Compliance and ISM Effectiveness. In total, 15 interviews were conducted, 5 from each case organization. Profiles of the respondents are given in Table 4.17. Each interview, approximately 30–45 minutes long, was audio recorded and transcripts were


prepared for further analysis.

The study adopts a two-step methodology for data analysis and presentation. In the first step, the observations derived from the interviews are presented using the descriptive analysis methodology. Creswell (1994) describes the descriptive research methodology as follows: 'it is to gather information about the present condition of a case to describe its situation, and to investigate the cause(s) of particular phenomena'. The interview responses were assessed with respect to general and distinctive phenomena that reflect upon points of interest, so as to fulfill the objectives of the study (Babbie, 2004). This results in a descriptive review of the current organizational ISM practices of the cases under study.

In the second step, the SAP-LAP method of inquiry (Sushil, 2000, 2001), a qualitative model, was used to systematically analyze the cases based on six components: the Situation, the involved Actors and the various Processes for organizational ISM functions. As the interaction of SAP leads to the identification of the various LAP components, these LAP components are designed and captured to develop the three case studies. Based on the Learning derived from this interplay, various Actions are identified, which leads to improved Performance of situations, actors and processes. The analysis brings additional insights and is helpful in identifying the key areas of improvement (Husain, Sushil & Pathak, 2002; Kak, 2004; Singh et al., 2013; Thakkar, Kanda & Deshmukh, 2008).

4.4.2 Overview of Cases

4.4.2.1 Case A
Started in December 2012, Case A is a Lucknow-based custom software solutions provider. The company deals in web development and consultancy services for clients on a project basis and provides technical and business support in an outsourced capacity. The main business and service areas of the company include IT consulting, web design and



development, mobile applications development and software development. The company has an employee base of 50 people and caters to clients from a wide range of industries, including Education, Manufacturing, and Health & Pharma.

4.4.2.2 Case B
The company, established in 2001, empowers clients across industries to automate the manual procurement process through technological expertise, deep process knowledge and innovation. The company mainly deals in e-procurement and e-auction. Governed by a CEO, the organization has a Managing Director as the top authority. Operating with 250 employees, it works in multiple cities. It has a defined and well-implemented information security policy. All security compliance requirements are strictly followed and monitored.

4.4.2.3 Case C
The selected organization is the case of a PSU at the state level. The PSU was set up under section 21 of the Companies Act 1956. The PSU is governed by senior-level administrative staff, senior management, managers working by job function and consultants, and operates with hundreds of employees. The government-owned company has its own brand value under the Department of IT & Electronics, Government of Uttar Pradesh.

4.4.3 KEY OBSERVATIONS
Key observations are presented based on the interview responses from employees working at different levels of the hierarchy in the case companies as well as in the PSU selected for SAP-LAP analysis. The questionnaire used for conducting the interviews is given in the Annexure (refer to the Appendix).

4.4.3.1 Information Security Requirements



Since Case A operates in the software development, web applications and mobile applications development business, any information loss (e.g., losing code, software programs, applications, etc.) is crucial for the company and its operations. Any information security breach incident affects the productivity of the organization. This may ultimately result in serious outcomes, such as financial losses, loss of productivity, delayed projects, loss of intellectual property, losing clients and, above all, loss of reputation. The top management and software developers acknowledge that information security is the critical aspect for business continuity of the organization.

The core function of Case B is e-procurement and e-auction and providing IT support to e-services for clients. The survival of the organization is solely dependent upon the proper functioning of its information system elements. Thus, information security is essential for Case B, and the company therefore governs its information security management practices. Since the customers of Case B are citizens and the parent government organization, any deviation in data, information and information systems will result in a large public outcry. As described by the chief information security officer (CISO), 'if an internal application fails, only few users of departments will be affected, but if any of our critical application fails, it will be disastrous'.

Since Case C is a PSU, any security breach incident would result in the loss of critical information possessed by the state department, and therefore top management is very much concerned with keeping the information secured. In order to secure information, the organization provides regular information security awareness training to its employees.

4.4.3.2 Top Management Support
Although the top management of Case A is aware of the importance of information security for the organization, consistent support for the same is missing. Being small in size, the company does not invest in information security. This is primarily because of budget constraints and the



reluctant approach of the senior management towards this issue. There is no information security officer or any similar authority in the company. During the interviews with top management, the ISM activities of the organization were found to be managed by the network team. Team members working in the company were found to be relatively young and not familiar with IS-related practices. This leads to a lack of coordination and control.

On the other side, in Case B, with the change in the number as well as the understanding of senior executives, there is a varying change in priority regarding information security. For some, information security is an important aspect, but for others, it is not. However, activities have started becoming streamlined. The CISO, along with his two team members, is responsible for managing the various ISM functions of the organization. Now, with the push and policy initiatives (from 2001 to 2008) from the CISO office, the middle and top senior management have started realizing the importance of information security and are willing to support its various functions. Still, there is the challenge of a lack of skilled employees and funds to support the various ISM functions in the organization.

In the case of Case C, top management supports the ISMS practices and even discusses the pros and cons of following information security policy directions. Top management and IT professionals are responsible for managing the various ISM functions of the organization.

4.3.2.3 Information Security Policy
There is no documented information security policy in Case A. The information security roles and responsibilities of employees are not defined. Likewise, no classification of accountabilities for IS functions is found in the company. Employees take actions on their own to manage



information security related to their work. In contrast, Case B released its information security policy in 2008. Before that, there were some guidelines related to information security, but they were limited in scope and did not cover all the aspects of ISM. After 2008, the company officially released a comprehensive information security policy which covers the roles and responsibilities of employees, vendors and third-party contractors. There is also a clause in the policy to review it annually. According to the CISO, 'the company has identified certain areas of improvement in IS policy and company is planning to incorporate them in the annual policy review'. In the case of Case C, an IS policy exists, but it is not a standalone policy; rather, it is a part of the IT policy.

4.3.2.4 Information Security Training
No formal information security training programmes were found running for employees in Case A, neither at the time of joining the company nor later. Similarly, there is no procedure for identifying the information security requirements of employees as per their specific job requirements and training them accordingly. Employees were found taking their own decisions on any information security-related concern; no formal procedure was found. The need for regular information security training and awareness programmes was realized in the course of the interviews with employees.

The company (Case B) has a defined process for information security training of employees. A dedicated human resource department runs the various kinds of training, and there are various internal as well as external information security training programmes for employees. Every group has a representative that coordinates the information security activities of the group. There are two kinds of training: one is 'general awareness training' for every employee, and the second is 'specific area related training' as per specific job requirements. There is an internal team to coordinate the training programmes. Experts from the IT industry and other agencies are invited to conduct training



sessions, workshops and seminars on IS. In addition, there is a one-hour workshop conducted internally, where employees from different groups share their experiences related to ISM practices. For the area-specific training, employees are nominated from different groups and are trained by expert agencies, such as CERT-In (Computer Emergency Response Team—India) and ISACA (Information Systems Audit and Control Association). CERT-In conducts such training programmes every 15 days, in which generally 2–3 people participate from Case B. These participants come back and share their learning within their group and with other groups through internal workshops in the organization.

The Case C organization realizes the importance of both IS-based training and IS-based certification courses. It provides two types of training to the employees: one is awareness based and the second is role and responsibility based.

4.3.2.5 Information Security Awareness
In the absence of any information security training programmes, employees in Case A were found to be much less aware of the various information security threats and countermeasures. Although some employees know the possible risks to the information and information assets that they deal with, in the absence of any policy or guidelines they have no idea what to do about them. There is no communication on the information security roles and responsibilities of employees. There is a general lack of awareness about the penalties or legal consequences of any information security breach incident. There is no advisor to consult or discuss ISM concerns and issues within the organization.

Case B makes efforts to communicate possible risks, threats and countermeasures to employees through various training programmes conducted internally as well as outside the organization. Along with this, the organization has a comprehensive information security policy that is discussed with employees from time to time. The organization's information



security policy and guidelines are published on the intranet, and employees are asked to refer to them in case of any confusion. There is an internal mailing system where employees raise and discuss ISM-related issues and concerns. Further, as a next step, every employee has to sign a compliance declaration for the organization's information security policy. Employees are educated on their acceptable behavior towards the organization's equipment, network, etc. In this direction, CERT-In acts as a government-appointed advisor for the various ISM activities and functions of the organization.

The top management of Case C tries to communicate with its employees as much as possible about possible risks, threats and the techniques used to counter those threats by organizing various training programmes and conducting workshops. The organization provides the details of its information security policy guidelines and its compliance requirements to all employees through the intranet facility.

4.3.2.6 Information Security Audit
There is no mechanism for information security audit in Case A. The company does not conduct any internal or external information security audits. The network team has the responsibility to monitor the log records of the servers and take necessary action in case of any deviations. The organization does not have any information security certification. As described by the Managing Director of the company, 'we are a small company; we do not require any such ISM certification. May be in future, as the company grows, we will consider it'.

Comparing Case B with Case A, the company has conducted an internal information security audit after defining the information security policy of the organization. Based on the prescribed guidelines, this is the first time that the CISO, along with his team, has conducted internal audits. These guidelines are found in the form of a checklist (generic as well
(generic as well



as application-specific) derived from multiple agencies, such as CERT-In and ISACA. As per the policy, an internal audit is to be conducted once every year. It is the responsibility of representatives from the various groups to coordinate audits with the security team. The company also conducts external information security audits through Standardization Testing and Quality Certification (STQC) or any such CERT-In empanelled agency. These audits are generally network audits or application-specific audits. Based on the sensitivity of the applications and systems, different groups are mandated to maintain and monitor logs.

The Case C organization wishes to conduct information security audits of the various IT services functioning within the organization. In order to enhance the security of critical infrastructure, internal IS audits are conducted weekly in Case C. These audits are generally network audits or application-specific audits. External IS audits by an independent third party are not conducted in this case because of the critical nature of the data that the organization holds.

4.3.2.7 Asset Management
Case A was found to record the company's IT and non-IT assets. However, the assets are not classified based on risk or criticality. Computer machines and personal laptops are generally used on a shared basis, so it is hard to fix accountability. There is no process to identify the critical risks to the information and information assets of the organization. The company does not have any physical access control mechanism; employees have free access to different functional areas. There is no electronic or manual identity check while entering or exiting the office. Although bringing personal computing or data storage devices to the office is not allowed, there is no check for the same. It was found in the course of the interviews that there is no strict implementation of such rules. While the network team has been assigned the task of restricting access to IT systems and



services based on roles, all the systems, including the central server, are generally accessible by all employees. Everyone has the passwords and can log in to the server and other systems.
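The audit section above notes that the network team of Case A is expected to monitor the log records of the servers and act on any deviation, and the asset management findings add that everyone can log in to the central server because passwords are shared. The Python script below is an added example, not code from the thesis or from any of the case organizations, of what such a daily log review can check automatically: bursts of failed logins from one source, one account used from several machines at once (the signature of a shared password, which defeats accountability), and logins outside working hours. The log format, the server, the account names and all sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not a real log from any case company): one day of
# sshd-style authentication records from a shared application server.
SAMPLE_LOG = """\
2024-03-04 09:02:11 sshd: Accepted password for devops from 10.0.1.15
2024-03-04 09:05:40 sshd: Accepted password for devops from 10.0.1.22
2024-03-04 09:06:03 sshd: Accepted password for devops from 10.0.1.37
2024-03-04 09:07:55 sshd: Accepted password for devops from 10.0.1.41
2024-03-04 11:14:09 sshd: Failed password for root from 203.0.113.9
2024-03-04 11:14:10 sshd: Failed password for root from 203.0.113.9
2024-03-04 11:14:12 sshd: Failed password for admin from 203.0.113.9
2024-03-04 11:14:13 sshd: Failed password for admin from 203.0.113.9
2024-03-04 11:14:15 sshd: Failed password for devops from 203.0.113.9
2024-03-04 13:20:30 sshd: Accepted password for priya from 10.0.1.22
2024-03-04 23:48:02 sshd: Accepted password for devops from 10.0.1.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd: "
    r"(?P<outcome>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts sorted by time; other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "ok": m["outcome"] == "Accepted",
                       "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def _max_in_window(times, window):
    """Largest number of (sorted) timestamps that fit inside one window."""
    best, j = 0, 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logins inside one window:
    the pattern left by password guessing against the server."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        count = _max_in_window(times, window)
        if count >= threshold:
            flagged[src] = count
    return flagged


def shared_account_use(events, min_hosts=3, window=timedelta(hours=1)):
    """Accounts logged in from `min_hosts` or more distinct machines inside one
    window. A named account in use from many hosts at once usually means its
    password is shared, and then no action can be tied to a person."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append((e["ts"], e["src"]))
    flagged = {}
    for user, logins in by_user.items():
        widest = set()
        for i, (start, _) in enumerate(logins):
            hosts = {src for ts, src in logins[i:] if ts - start <= window}
            if len(hosts) > len(widest):
                widest = hosts
        if len(widest) >= min_hosts:
            flagged[user] = sorted(widest)
    return flagged


def after_hours_logins(events, start_hour=8, end_hour=20):
    """Successful logins outside working hours; each deserves a follow-up."""
    return [(e["user"], e["src"], e["ts"].strftime("%Y-%m-%d %H:%M:%S"))
            for e in events if e["ok"] and not start_hour <= e["ts"].hour < end_hour]


def review(text):
    """Run all three checks over one log and return the findings."""
    events = parse_log(text)
    return {"failed_bursts": failed_login_bursts(events),
            "shared_accounts": shared_account_use(events),
            "after_hours": after_hours_logins(events)}


if __name__ == "__main__":
    for check, detail in review(SAMPLE_LOG).items():
        print(f"{check}: {detail}")
```

On the constructed sample the review flags the five rapid failures from 203.0.113.9, the `devops` account logged in from four different workstations within an hour, and a late-night `devops` login. The thresholds and working hours are parameters because a reasonable baseline differs between a 50-person development shop and a PSU data centre; the point is that a shared account cannot be attributed to a person, so the second check is the one that tells management whether the accountability gap described for Case A is actually closing.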
handling
Case B follows a mechanism to categorize the information infrastructure of the organization from 'highly critical' to 'not so critical'. The categorization is carried out on the basis of risks, threats and the cost of recovery. The company also follows various physical security access control mechanisms, such as video surveillance at entry gates and data centers, RFID-controlled doors, entry only with a proper ID card, and restricted access to various areas and departments within the office. For employees to access the IT systems and services of the organization, various roles are defined based on the privilege levels assigned to them.

Case C follows a mechanism of asset classification based on risk, the chances of occurrence of risks and the cost of recovery. For this purpose, various monitoring and network logs are maintained to keep access records of the critical systems and applications.

4.3.2.8 Information Security Incident Management
During the interviews, it was found that Case A has no defined information security incident management plan. Employees are not aware of the consequences of not following information security processes or practices. As a business continuity and disaster recovery plan, the company uses a centralized server for data storage, but the access password is shared among employees. The company uses free online storage space for backup. The company follows an immediate-handling approach towards information security incident management.

Case B has an information security incident management plan defined and documented in the organization's information security policy document. Its implementation and compliance were found to depend upon the various



application groups. A few groups which deal with critical and sensitive applications have created and communicated the incident management plan, whereas a few others are reluctant towards it. As described by a group head, 'it requires a compliance pressure from the top, which is not yet there'. Since the whole ISM process has started recently in the company, the management's focus is to first create more awareness and slowly proceed to more specific objectives. The company has a Business Continuity (BC) and Disaster Recovery (DR) site at a distant geographical location. There is a defined process to take regular data backups, which are stored separately off-site.

Case C has a business continuity and disaster recovery plan documented in its information security policy documents. There is a defined process to take regular data backups as a risk mitigation technique. There is also an incident management plan designed by the experts dealing with critical and sensitive applications.

4.3.2.9 Information Security Management Best Practices
The ISM practices of Case A were found to be temporary and reactive in nature. No clear plan was found for identifying and managing risks to the various business operations. Some of the gap areas highlighted include the absence of any risk management plan, sharing of passwords, no filtering of Internet downloads, no regular updates of antivirus programmes, and employees taking sensitive project data files with them. This may partially be because of poor information security and no thrust from top management.

Case B does not have any risk management plan for the company. Based on the criticality of applications, different groups are required to identify risks and define their mitigation plan. It depends upon the initiatives taken by the group head; no defined process was found for this as of now. The company follows a layered security architecture, such as logged routers, an Intrusion Prevention



System (IPS), an Intrusion Detection System (IDS), layered firewalls, militarized zones, demilitarized zones, antimalware checks, proxy checks and an antivirus system to protect its network against malicious programmes and cyber attacks. Best-practice guidelines, as part of the security policy, include asset classification, a clean desk policy and changing passwords periodically, among others.

Case C has a risk management plan. This organization has sufficient budget, manpower and technology to fulfill the organization's IS policy requirements. The organization also uses an intrusion detection system (IDS), a firewall and an antivirus system to protect its network from malicious programmes and intruders.

4.3.2.10 Information Security Regulation Compliance
Although Case A uses licensed software, downloading freeware from the Internet is allowed and is commonly practiced by employees. There was no mechanism to check the use of unauthorized software on company systems. The company did not have any ISM certification (like ISO/IEC 27001, etc.), nor is it planning to have one in the near future. Regarding data privacy issues, in principle, different groups are allowed to access only the data and other relevant information related to their specific work or project, but in practice, all employees have access to all sorts of data. Even software developers take the project data and code home with them on their personal devices; no check or restriction was found on that.

For the management of IT servers, Case B was found working in full compliance with its policy on the 'use of licensed software', whereas for standalone PCs there is no strict compliance with the 'use of licensed software' policy. There was no mechanism to check the validity of the licenses of the software used on PCs; however, the company was planning to have
the company was
planning to have



an automated tool for the same in the next upgrade of its network access control. The company planned to obtain ISO/IEC 27001 ISM certification for its data centre. For information security certification at the organizational level, the CISO held the view that they are not yet ready for the same. As most of the data of Case B is available on its website, the company did not have many privacy concerns. For private, internal and sensitive data, however, the organization uses various access control mechanisms, such as digital signatures and two-factor authentication.

Based on the respondents' data, Case C was found working in full compliance with its IS policy on the 'use of licensed software'. Software developers were not allowed to take the project data and code with them on their personal devices. The State Government PSU is already ISO/IEC 27001:2005 certified and is trying for higher levels of information security certification for its data center. For sensitive data, the organization uses various control mechanisms such as two-factor authentication, cryptographic techniques and digital signatures.

4.4.4 SAP-LAP ANALYSIS OF CASES

Case A
The 'Situation, Actor, Process—Learning, Action, Performance' (SAP-LAP) analysis of Case A (Table 6.3) shows that ISP practices are not implemented adequately. In the absence of any information security policy, and with the lack of training and awareness programmes for employees, there is no information security culture in the organization. The learning derived from the case suggests that the organization needs to identify the key risks and vulnerabilities to its information and information assets, and accordingly define an information security policy and implementation mechanism. This will certainly help the organization to improve in terms of productivity, employees' satisfaction and clients' trust.



Table 4.18: SAP-LAP Analysis of Case A

SITUATION
- No documented information security policy
- No information security training for employees
- No internal or external information security audits
- No awareness, clear division of work, responsibility and accountability

ACTORS
- Managing Director
- Network team & Group (team) leaders
- Employees and Clients

PROCESS
- No risk management process
- No asset management
- Reactive approach towards ISM
- Information security incident management is not clearly defined
- No documentation, records or logs are maintained

LEARNING
- If the top management shows concern about information security, the rest follow, and vice versa
- Fixing responsibilities and accountabilities can create an environment for good ISM practices
- Even basic awareness can help to reduce big information security incidents

ACTION
- Need for formulation of an information security policy
- Identify information security risks for the organization and their countermeasures
- Provide general information security training to employees at the time of joining
- Educate employees on their acceptable and unacceptable behavior regarding IS
- Non-disclosure agreements for employees and third parties

PERFORMANCE
- Data losses and information security breach incidents lead to lack of trust and dissatisfaction among clients
- Inadequate ISM practices and addressing major ISP challenges
- Breaches of data and privacy create legal complications for the organization

Source: Prepared by the author.

Case B
The findings from the SAP-LAP analysis of Case B (Table 4) reveal that the organization has started streamlining its ISM practices; however, it is still in a nascent stage. Consistent top management support is essential to gradually take it to a mature level. Moreover, regular monitoring is essential to improve the level



of information security compliance among employees in the organization.

Table 4.19: SAP-LAP Analysis of Case B

SITUATION
- Information security policy exists and is reviewed annually
- Top management supports the ISMS practices and operations
- Proactive approach of employees towards IS directions from the management
- No major security incidents; however, IS events are reported to the CISO and technical manager, who in turn may escalate to the top management if necessary
- Organizational security measures taken as per ISO/IEC 27001:2005 and CMMI (Level 5)
- Widespread IS awareness, and regular training is also given

ACTORS
- Top management and CEO
- Chief information security officer, network team and technical managers
- Separate team for conducting IS audits; even the CISO's functions are audited by an internal auditor; all employees found participating in ISMS practices

PROCESS
- First internal information security audit conducted recently
- Periodic general and specific-area information security awareness training
- Monthly internal workshop for sharing groups' information security experience
- No risk management process; based on the efforts of individuals and group heads
- Network logs are generated and monitored on a daily basis
- Asset classification based on risk, chances of occurrence and cost of recovery
- Technologies, training, etc. as per the fast-changing IS environment

LEARNING
- Internal threats are as challenging as external threats
- Internal information security audit has revealed vulnerabilities in the system

ACTION
- […]

PERFORMANCE
- […]

Source: Prepared by the author.

Table 4.20: SAP-LAP Analysis of Case C

SITUATION
- […]
- Organization has sufficient budget, manpower and technology to fulfill the organization's security policy requirements

ACTORS
- Top management
- Chief information security officer
- Network team and technical managers
- IT professionals
- Vendors and contract employees, clients/customers, employees

PROCESS
- Internal information security audits are conducted weekly
- Back-up technique is used as a risk mitigation technique
- Organization has an IS risk management plan
- Periodic general information security awareness training and specific area-related training
- Asset classification based on risk, chances of occurrence and cost of recovery
- Monitoring and logs are maintained to keep access records of the critical systems/applications

LEARNING
- Sometimes security management fails, as per the internal IS audit
- Training is required at all levels, based also on the roles and responsibilities of employees
- Building an information security culture is a must for good ISM practices in the organization

ACTION
- Specialized training according to the specific job requirement
- Creation of an information security forum for management and employees
- External IS audits by an independent third party
- Need to implement higher levels of information security standards

PERFORMANCE
- Top management needs to give more priority to the information security issues of the organization
- Compliance enforcement for the organizational information security process
- Policies and guidelines to build an information security informed workforce

Source: Prepared by the author.

Case C
The findings from the SAP-LAP analysis of Case C (Table 4.20) show that the top management is committed to information security management. For this purpose, it conducts information security audits weekly. Asset classification is also done in this organization. The learning derived from this case is that, in order to improve the ISMS, there should be an audit conducted by an independent third party.
accountabilities
4.4.5 DISCUSSION
Fast-paced technological advancements provide new and innovative ways for businesses to conduct their daily operations, such as collaboration, coordination, product/service design, development and delivery, and alternate ways to connect and communicate with different stakeholders. In this pursuit, modern-day organizations have become overdependent on IT/ICT for their various business functions. For some businesses, it has become nearly impossible to conduct daily operations without the proper functioning of their information systems. In such a scenario, protecting business information and related assets from external as well as internal threats has become a matter of paramount importance for organizations. To deal with this situation, companies and Indian IT sector organizations are relying more and more on advanced technological solutions, while the management issues are often overlooked (Price Waterhouse Coopers, 2012).

As evident from the cases, it is the responsibility of top and middle management to design and develop an information security strategy in accordance with the business objectives of the company. Aligning information security goals with the business objectives of the organization is the key to the success of the organizational information security strategy (Kayworth & Whitten, 2010). Having a comprehensive information security policy is the first step in this direction. As reflected in Case A, in the absence of any information security policy, there are no clearly defined roles, responsibilities and accountabilities towards organizational information and information assets, making them prone to information security risks and threats. It is the responsibility of top management to make employees aware of the policies, guidelines, risks and countermeasures through regular training and awareness programmes (Abouzeedan & Busler, 2006). Once the policy



is in place, employees need to be educated on their acceptable behavior towards organizational information systems. Monitoring compliance with organizational information security policies and guidelines through periodic internal as well as external audits gives confidence to the management and also indicates the areas of improvement. Without compliance monitoring, it is hard to assess the current status of the maturity of organizational ISM practices (Kankanhalli et al., 2003), as is also evident in the case of Case B. It is essential to provide a platform to share good practices among the various teams or groups inside the organization. This helps in peer learning and sharing of best practices across the organization, and helps in building a security culture (Zakaria, 2004).

In a fast-changing threat scenario, organizations need to be dynamic and up to date with the current industry standards and ISM best practices. Again, it is the responsibility of the board and top executives to draw up an organization-wide information security and risk management plan that spans the strategic, tactical and operational levels. As evident in Case C, top management support (for budget and manpower) is crucial, along with regular monitoring and review of organizational ISM practices (Eloff & Eloff, 2005). Organizations need a clearly defined disaster recovery and business continuity plan, discussed with all relevant stakeholders, for incident management. In addition to this, employees need to be made aware of and educated about the action plan in case of any information security breach incident. Mostly, organizations are reactive to such cases rather than proactive, as is evident from all three Cases A, B and C. Such incidents can result in the loss of business information and productivity, impacting the organization's relationship with clients and its repute. Post-incident analysis—identifying vulnerabilities, fixing accountabilities and making suitable changes in policies and processes—plays a vital role in future preparedness (Ahmad, Maynard & Shanks, 2015).

The present study adopts a qualitative research approach to understand and examine the ISM



practices of two IT development and services companies in India. Semi-structured interviews and the descriptive analysis methodology, followed by the SAP-LAP method of inquiry, have been used to analyze the cases under study. The findings of the study are limited to the two case organizations under study and cannot be generalized. However, they can be useful for organizations in the same domain with a similar nature of work or functions. Further, similar studies can be conducted for organizations from across different industries and sectors. It would be interesting to see the effect of industry type and organization size on the varying nature of information security practices. As an extension of this study, linkages among the various ISM factors can be identified to explore their causal relationships with each other. Further, this may help to develop an organizational ISP framework which can be useful for practitioners to prioritize the various organizational ISP practices.
