Title: The viable system model for information security governance
Author: Alqurashi, Ezzat
ISNI: 0000 0004 5916 9337
Awarding Body: University of Southampton
Current Institution: University of Southampton
Date of Award: 2015
Availability of Full Text: Full text unavailable from EThOS.
Information security governance (ISG) has emerged as a new information security (IS) discipline and is considered one of the critical areas of research for enhancing the viability of organisations. This research proposes a viable system model (VSM) for ISG (VSMISG) and investigates its effects. The investigation involves studying the effects of the VSMISG in small, medium and large organisations facing low, medium and high security threat intensity over different time scales. This study also analyses the costs and benefits of changing from the baseline ISG model to the VSMISG. From reviewing the literature, the VSM was identified and redefined for the context of ISG. A preliminary study was conducted to confirm the appropriateness of the VSM for ISG. This employed a questionnaire survey of eleven highly experienced IS experts and the inter-rater agreement among them was analysed. The time taken by the governance level of IS to identify strategic security crises (SSC) that affect organisations’ viability was used for the investigation in the baseline ISG model and the VSMISG. Conceptual models were designed and simulation models developed using the discrete-event simulation approach for representing the baseline ISG model and the VSMISG. The IS incident management guidance embodied in the international standard BS ISO/IEC 27035 was adopted to represent the IS operations part in the baseline ISG model and the VSMISG. The chi-square and autocorrelation tests were used to test the random number generator of the Simul8 simulation software. This research presents a VSM for ISG whose components are rated as ‘important’ and ‘very important’ and there was fair agreement among the experts on this rating. Using the VSMISG in small, medium, and large organisations leads to swifter identification of SSC than under the baseline ISG model, enhancing organisations’ viability.
Small organisations take the longest time to identify SSC, especially when the security threat intensity is high, while large organisations take the least time in all cases. The benefits of changing from the baseline ISG to the VSMISG outweigh the costs, and they are expected to be seen from early in the first year of implementation. The VSM for ISG proves its vital role in enhancing viability at all organisation sizes. Decision makers in small organisations need to increase the number of IS staff to cut the time taken to identify SSC in order to enhance their viability. Implementing the VSMISG saves organisations a tremendous amount of money.
Supervisor: Wills, Gary
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID:  DOI: Not available