The Institutionalisation of Information Security Management Practices in selected Organisations in Uganda
The study aimed at examining the extent to which information security management practices were institutionalised in corporate organisations. Evidence shows that failure by organisations to entrench the information security management practices (ISMPs) into organisations’ structures opens the gateway for attacks, threat actors and information breaches to cause harm to information assets with ease. The study explored the phenomenon in its social setting hence the adoption of descriptive research design as the research methodology. The institutional theory was adopted as a new dimension in examining information security management in organisations. This theory suggests that control gears like coercive, normative, mimetic and management commitment could be used to effectively entrench security guidelines in organisations. Methodical scrutiny of the institutionalisation process: development, implementation and maintenance, and evaluation were also carried out. The researcher relied on human experience to make sense of the institutionalised processes. Extant literature was reviewed, and survey questionnaires were developed based on the eleven ISMPs and administered to purposively selected respondents from the two organisations. The eleven ISMPs covered include state of information security policy, asset management, secure information sharing, supply chain security, access management, network security controls, portable and removable media security, remote access security, protective monitoring of information systems, implementation of information security back-ups, and security accreditation by professional bodies. Data analysis was done using SPSS. Findings indicate that organisations have not fully incorporated all the eleven ISMPs covered as best practices and standards. Based on the results from the field, answers to the research questions were partly realised. Recommendations like the implementation of ISMPs to check deficiencies identified, customisation of security guidelines to protect information assets and institutionalisation of security practices at all levels were suggested. Overall, the study was a positive step towards the institutionalisation process of ISMPs in organisations
Abercrombie, N., Hill, S, & Turner, B. (1988). Dictionary of Sociology. Second edition. Penguin.
Ahimbisibwe, B., & Nabende, P. (2022). A conceptual framework for assessing information security management practices in selected universities in Uganda. Journal of Digital Science.
Alshaikh, M., Ahmad, A., Maynard, S. B., & Chang, S. (2014). Towards a taxonomy of information security management practices in organisations. ACIS.
Alshaikh, M., Maynard, S. B., Ahmad, A., & Chang, S. (2016, July). Information security management practices in organisations. In 4TH Annual Doctoral Colloquium (p. 52).
Ashenden, D. (2008). Information security management: A human challenge? Information Security Technical Report, 13(4), 195–201
Ashish, U., Mantha, S., & Reddy, N. (2021). Analysis of evolution of information security
management practices in organisations providing IT development & IT
Enabled services, International Journal of Engineering Research and Applications.
ISSN: 2248-9622, Vol. 11, Issue 5, (Series-VI) May 2021, pp. 18-24
Bjorck, F. J. (2004). Institutional theory: a new perspective for research into IS/IT security in organisations. System Sciences Proceedings of the 37th Hawaii
International Conference on, IEEE Computer Society Press http://ieeexplore.ieee.org/servlet/opac?punumber=8934
Carcary, M., Renaud, K., McLaughlin, S., & O’Brien, C. (2016). A framework for information security governance and management. It Professional, 18(2), 22-30.
Crossan, M., & Bedrow, I. (2003). Organisational learning and strategic renewal. Strategic Management Journal, 24, 1087-1105.
Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda. The TQM Journal.
D'Arcy, J., Herath, T., & Shoss, M. K. (2014). Understanding employee responses to stressful information security requirements: A coping perspective. Journal of management information systems, 31(2), 285-318.
Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4(2).
Doughty, K. (2003). Implementing enterprise security: A case study. Computers & Security, 22(2), 99–114.
Harnesk, D., & Lindström, J. (2011). Shaping security behaviour through discipline and agility: Implications for information security management. Information Management & Computer Security.
Herath, T.C., Herath, H.S.B. & Cullum, D. (2022). An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks. Inf Syst Front (2022). https://doi.org/10.1007/s10796-022-10246-9
Mbowe1, J. E., Zlotnikova1, I., Simon, S. M., & George, S. O. (2014). A Conceptual Framework for Threat Assessment Based on Organization’s Information Security Policy.
Khalfan, A. M. (2004). Information security considerations in IS/IT outsourcing projects: A descriptive case study of two sectors. International Journal of Information Management, 24(1), 29–42.
Luesebrink, M. (2011). Institutionalisation of Information Security Governance Structures in Academic Institutions: A Case Study.
Maynard, S., Tan, T., Ahmad, A., & Ruighaver, T. (2018). Towards a framework for strategic security context in information security governance. Pacific Asia Journal of the Association for Information Systems, 10(4), 4.
Copyright (c) 2023 Benjamin K. Ahimbisibwe, Peter Nabende
This work is licensed under a Creative Commons Attribution 4.0 International License.