SECURQUAL: An instrument for evaluating the effectiveness of enterprise information security programs

Paul Steinbart, Robyn L. Raschke, Graham Gal, William N. Dilla

Research output: Contribution to journal › Article

11 Scopus citations

Abstract

The ever-increasing number of security incidents underscores the need to understand the key determinants of an effective information security program. Research that addresses this topic requires objective measures, such as number of incidents, vulnerabilities, and non-compliance issues, as indicators of the effectiveness of an organization’s information security activities. However, these measures are not readily available to researchers. While some research has used subjective assessments as a surrogate for objective security measures, such an approach raises questions about scope and reliability. To remedy these deficiencies, this study uses the COBIT Version 4.1 Maturity Model Rubrics to develop an instrument (SECURQUAL) that obtains an objective measure of the effectiveness of enterprise information security programs. We show that SECURQUAL scores reliably predict objective measures of information security program effectiveness. Future research might use the instrument as a surrogate effectiveness measure that avoids asking respondents to disclose sensitive information about information security incidents and vulnerabilities.

Original language: English (US)
Pages (from-to): 71-92
Number of pages: 22
Journal: Journal of Information Systems
Volume: 30
Issue number: 1
State: Published - Mar 1 2016

Keywords

  • Information security
  • Information security effectiveness
  • Internal audit
  • Survey instrument development

ASJC Scopus subject areas

  • Information Systems
  • Accounting
  • Management Information Systems
  • Management of Technology and Innovation
  • Human-Computer Interaction
  • Software
  • Information Systems and Management
