The first chapter introduces corporate finance, which is essential to all managers because it provides the skills needed to identify corporate strategies and individual projects that add value to the organization, and to plan how the required funds will be acquired. The main forms of business are the sole proprietorship, the partnership and the corporation. A sole proprietorship has its own advantages and disadvantages, and a partnership shares roughly the same pros and cons. A corporation is a legal entity separate from its owners and managers; its advantages include easy transfer of ownership, limited liability and ease of raising capital, while its disadvantages include double taxation and the high cost of set-up and report filing. The chapter then discusses the objective of the firm, which is to maximize shareholder wealth. The final topic is an overview of financial securities, markets and institutions.
The second chapter introduces financial statements, cash flow and taxes. The financial statements covered are the income statement and the balance sheet. An income statement reports a company's financial performance in terms of revenues and expenses over a period, usually one year. A balance sheet, on the other hand, states a company's assets, liabilities and equity at a particular point in time. Under cash flow, the chapter covers the statement of cash flows, which shows how changes in balance sheet and income statement accounts affect cash, broken down into operating, investing and financing activities. Free cash flow is the cash an organization generates after the investment needed to maintain or expand its asset base. Under taxes, corporate and personal taxes are explained together with the scenarios in which each applies.
Chapter Three analyzes financial statements. The analysis is broken down into ratio analysis, the DuPont equation, the effects of improving ratios, the limitations of ratio analysis and qualitative factors. Ratios allow two kinds of comparison: one company over time, and one company against other companies. Ratios are used by stockholders to estimate future cash flows and risks, by lenders to determine a borrower's creditworthiness, and by managers to identify areas of weakness and strength. Liquidity ratios show whether a company can meet its short-term commitments with the resources it has at that time. Asset management ratios show how well an organization utilizes its assets. Debt management (leverage) ratios and profitability ratios are also explained.
The DuPont equation decomposes return on equity into three drivers: expense control (profit margin), asset utilization (asset turnover) and debt utilization (the equity multiplier). Ratio analysis also has several problems and limitations: seasonal factors can distort ratios, differing operating and accounting practices can distort comparisons between firms, and it is difficult to pick a comparison industry for a firm that operates several divisions. Finally, qualitative factors ask questions such as: what is the competitive situation? What products are in the pipeline? And what are the legal and regulatory issues?
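The DuPont identity the summary refers to, written out here as an added worked equation (not part of the original summary), with ROE = return on equity, NI = net income, TA = total assets and E = common equity:

$$\mathrm{ROE} = \frac{NI}{E} = \underbrace{\frac{NI}{\text{Sales}}}_{\text{profit margin (expense control)}} \times \underbrace{\frac{\text{Sales}}{TA}}_{\text{asset turnover (asset utilization)}} \times \underbrace{\frac{TA}{E}}_{\text{equity multiplier (debt utilization)}}$$

Sales and TA cancel, so the product is exactly NI/E; the decomposition adds no information to ROE itself, it only attributes a change in ROE to one of the three drivers named above, which is why a rising ROE driven solely by the equity multiplier signals more leverage rather than better operations.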
Chapter 4
This chapter first contrasts two types of pension plan: defined benefit (DB) and defined contribution (DC). In a DB plan, the company contributes to your pension, invests the funds in bonds, real estate, stocks and so on, and later uses those funds to make the promised payments after you retire. In a DC plan, the company contributes to a fund (for example a mutual fund), you decide which assets to buy, and you withdraw the accumulated money after you retire. According to this chapter, managers should strive to make their firms more valuable. The primary objective of financial management is to maximize the intrinsic value of the firm's stock, and stock values depend on the cash flows investors expect to receive and on their timing.
The chapter then discusses how the timing of cash flows affects the value of assets and rates of return. Applications of time value analysis include retirement planning, loan payment schedules and the decision to invest in new equipment. The time value of money (TVM), also known as discounted cash flow (DCF) analysis, is among the most important concepts in finance: dollars paid or received at different points in time are not directly comparable, and TVM is the tool for dealing with this difference. Compounding is defined as determining the future value (FV) of a cash flow or a series of cash flows; discounting is the process of finding the present value (PV) of a future cash flow or a set of cash flows.
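Compounding and discounting as defined above, written out as an added worked equation (not from the original summary), with PV = present value, FV = future value, r = the rate per period and n = the number of periods:

$$FV = PV\,(1+r)^{n}, \qquad PV = \frac{FV}{(1+r)^{n}}$$

For a series of cash flows $CF_t$ received at the ends of periods $t = 1,\dots,n$, DCF analysis sums the present values of the individual flows:

$$PV = \sum_{t=1}^{n} \frac{CF_t}{(1+r)^{t}}$$

Discounting is the inverse of compounding: compounding an amount for n periods and then discounting the result at the same r over the same n returns the original amount. Since $(1+r)^{n} > 1$ whenever $r > 0$, a dollar received later is always worth less today than a dollar received now, which is the whole reason the timing of cash flows matters for valuation.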
Chapter 5
This chapter explains bond pricing and the bond risks that affect the return demanded by a firm's bondholders. A bondholder's return is a cost from the company's point of view. This cost of debt feeds into the firm's weighted average cost of capital (WACC), which in turn changes the company's intrinsic value. A bond is a long-term contract in which the borrower agrees to make payments of interest and principal, on specific dates, to the bondholder. The characteristics of a bond discussed in this chapter are par value, coupon interest rate, maturity date and provisions to call or redeem the bond. Par value is the stated face value of the bond; it generally represents the amount the firm borrows and promises to repay on the maturity date. The coupon interest rate is the annual coupon payment divided by the par value, and the coupon payment is set at a level that allows the bond to be issued at or near its par value. Bonds have a maturity date on which the par value must be repaid. Most corporate bonds have a call provision, which gives the issuing corporation the right to call the bonds for redemption before maturity. The chapter also explains that a business is insolvent when it does not have enough cash to meet its interest and principal payments.
Chapter 6. Risk, Return, and the Capital Asset Pricing Model.
Risk is the chance that something unfavorable will happen. An asset's risk is analyzed in two ways:
1) on a stand-alone basis, where the asset is considered in isolation; and
2) as part of a portfolio, that is, a collection of assets.
Treating risk as a discrete distribution, political and economic uncertainties always affect stock market risk. In the chapter's example, if the economy picks up sufficiently the stimulus is discontinued, while if it does not the stimulus continues; at the risk of oversimplification, these outcomes represent distinct states of the market. Under this view risk is measured in three steps: i) the probability distribution of outcomes, ii) the expected rate of return and iii) stand-alone risk, measured by the standard deviation.
In normal economic times, investors use a scenario approach rather than estimating discrete outcomes. The standard deviation is a measure of dispersion that conveys the range of possible outcomes.
In the capital asset pricing model, the relevant risk of an asset is the risk it contributes to a diversified market portfolio, rather than its stand-alone risk.
Chapter 7. Stocks, Stock Valuation and Stock Market Equilibrium.
Some companies have only one type of stock, while others use classified stock to meet special needs. Some firms link the dividends on a class of stock to a specific part of the business; this separates the cash flows and allows each part to be valued on its own. To make good decisions, managers estimate the effect that policies, campaigns and projects will have on the company's value. The free cash flow valuation model defines the value of a company's operations as the present value of its expected free cash flows, discounted at the weighted average cost of capital. Stock market equilibrium is reached when supply and demand are balanced, so there is no pressure on prices to change. Prices rise when demand exceeds supply and fall when supply exceeds demand.
Chapter 8. Financial Options and Applications in Corporate Finance.
An option is a contract that gives its owner the right to buy or sell an asset at a stated price within a stated period of time. A call option gives the owner the right to buy a share of stock at a fixed price, while a put option gives the owner the right to sell a share of stock at a fixed price. Each option has an expiration date after which it can no longer be exercised. An American option can be exercised at any time before its expiration date, while a European option can be exercised only on its expiration date. Investors who write call options against stock they hold in their portfolio are said to be selling covered options, while options sold without the underlying stock to back them are called naked options. Options are also available on several stock indexes, and index options allow one to hedge against a rise or fall in the market.
Most companies investigate the cost of capital of a project before investing in it. Companies also require capital to build new factories, develop new products and expand internationally. The value of a company is determined by the size, timing and risk of its free cash flows, and its intrinsic value is found by discounting those expected free cash flows at the weighted average cost of capital.
Flotation costs are the costs a company incurs when it issues new securities, such as legal expenses, commissions and fees. Debt issues carry low flotation costs, so most analysts ignore them when estimating the after-tax cost of debt. Many organizations use, or intend to use, preferred stock as part of their financing mix; because preferred dividends are not tax-deductible, no tax adjustment is applied when estimating the cost of preferred stock.
Most organizations also pay common dividends, although they are not obliged to. The WACC calculation uses the component cost of each source of financing, including the preferred stock component. The rate of return shareholders require as compensation for the risk they bear is the required rate of return on the stock, and this required return is also the cost of equity capital for the project.
Capital budgeting is also important in evaluating cash flows, and a project's cash flows can be evaluated in several ways. When valuing the whole company, free cash flows are discounted at the overall weighted average cost of capital; when valuing a particular project, the project's cash flows are discounted at a risk-adjusted cost of capital that reflects that project's risk. Managers may analyze the company and decide on replacement projects that keep profitable operations running or reduce costs, on expansion of existing markets or products, on safety or environmental projects, and on mergers.
Before investing in a project it is good practice to analyze and evaluate the risks the project might face. The first step in any project appraisal is to identify and estimate the relevant cash flows. Acquiring a fixed asset is a cash outflow, even though accountants do not deduct the purchase price from accounting earnings in the year of purchase. Interest charges are not part of a project's cash flows, because the cost of debt is already reflected in the discount rate. In capital budgeting analysis, cash flows should be discounted according to the time at which they actually occur, so finer-grained (for example daily) timing is more accurate than lumping flows into annual totals. Sunk costs are outlays associated with a project that have already been incurred and cannot be recovered regardless of whether the project is accepted; they are therefore not relevant to the decision.
In conclusion, cash flow is very important, since a lack of cash can make a project fail. Cash flows determine many of a project's activities; for instance, a project with good cash flow can grow and expand rapidly because it can finance more production.
Cash Distributions and Capital Structure (Distributions to Shareholders: Dividends and Repurchases & Capital Structure Decisions).
Distributions to shareholders, which include dividends and share repurchases, are a vital subject for an organization. When setting target distribution levels, four factors affect the process: investors' preferences for dividends versus capital gains, the firm's investment opportunities, its target capital structure, and the availability and cost of outside capital. Under the residual model, distributions = net income - (target equity ratio × total capital budget).
A change in investment opportunities affects dividends in several ways. Fewer good investments lead to a smaller capital budget and hence a higher dividend payout; a firm with many good investments will have a low payout. The advantages of the residual model are that it minimizes new stock issues and flotation costs. Its disadvantages are that it sends conflicting signals to investors, increases perceived risk and results in variable dividends.
Capital structure is the mix of debt and equity a firm uses to finance itself. It is designed to minimize the cost of capital, control risk and ensure the firm has adequate finances. Capital structure decisions are affected by business risk and financial risk; financial leverage increases financial risk. The degree of financial leverage is given by the % change in EPS divided by the % change in EBIT. EBIT/EPS analysis shows that because the cost of debt is typically lower than the cost of equity, adding debt raises EPS for shareholders when EBIT is high enough, but it also makes EPS more volatile. The theory of optimal capital structure states that the optimum is the level of debt at which the value of the firm is maximized; beyond that point additional debt no longer raises firm value.
Managing Global Operations (Working Capital Management & Multinational Financial Management).
Working capital is the net current assets available to a firm for its day-to-day operations, computed as current assets less current liabilities. Working capital management is an essential activity for an organization to remain in business. One of its primary objectives is to ensure the firm's liquidity; the other is to keep the firm profitable. Because idle working capital earns little, the firm invests no more in it than liquidity requires, in order to sustain profitability.
Multinational Financial Management
This chapter deals with globalization and the role of multinational corporations, international financial management and international financial considerations. International finance has two major functions, treasury and control. Its distinguishing features include foreign exchange risk, political risk and market imperfections. Financial markets and multinational corporations have expanded rapidly since the 1980s. MNCs conduct their business through licensing, franchising, joint ventures and management contracts.
Information Systems Management, 28:102–129, 2011
Copyright © Taylor & Francis Group, LLC
ISSN: 1058-0530 print / 1934-8703 online
DOI: 10.1080/10580530.2011.562127
Information Assurance and Corporate Strategy: A Delphi Study of Choices, Challenges, and Developments for the Future
Elspeth McFadzean1, Jean-Noël Ezingeard2, and David Birchall1
1Henley Business School, University of Reading, Greenlands, Henley-on-Thames, Oxfordshire, United Kingdom
2Faculty of Business and Law, Kingston University, Kingston Hill, Kingston Upon Thames, Surrey, United Kingdom
In this article, we identified processes associated with strengthening the alignment between information assurance, information systems and corporate strategies so that organizations could more effectively address legal and regulatory challenges. Our results are based on data gathered from 43 preliminary interviews and a subsequent Delphi exercise. The Delphi panel rated these processes in terms of desirability and feasibility. After three rounds a consensus of opinion was achieved. The results of the Delphi together with some practical implications are presented.
Keywords: information assurance; IA alignment; strategic alignment; Delphi
1. INTRODUCTION
Due to constantly increasing threats to the security, integrity and availability of organizational information, theorists have presented a number of studies on information assurance (IA), or different aspects of IA, in the literature (Baskerville, 1991; Kankanhalli, Teo, Tan, & Wei, 2003; Miller & Engemann, 1996; Zviran & Haga, 1999). Indeed, there has been a call from both government officials and in the academic literature to place security issues—often the most discussed element of IA—at a more senior level (Dutta & McCrohan, 2002). The legal environment is also changing and continuing concerns regarding individual privacy, security of sensitive information, accountability for financial information and corporate governance are driving the development of new laws and regulations to ensure that organizations address potential security problems (Gilbert, 2008; Smedinghoff, 2008). These often include two key legal obligations:
• A duty to provide sufficient security for corporate data and information systems; and
• A duty to reveal security breaches to those individuals or businesses who may be adversely impacted by these breaches (Smedinghoff, 2005).
Address correspondence to Elspeth McFadzean, Henley Business School, University of Reading, Greenlands, Henley-on-Thames, Oxfordshire RG9 3AU, United Kingdom. E-mail: [email protected] henley.reading.ac.uk
Some theorists have suggested that information assurance should be undertaken as part of the corporate governance procedures and, as such, should be the responsibility of the board of directors (Birchall, Ezingeard, & McFadzean, 2003; Von Solms, 2001a). In fact, organizational compliance regulations that cover IA are increasingly expanding. In the United States, the Sarbanes-Oxley Act is seen as a key driver of IA efforts at senior levels for publicly traded companies (Linkous, 2008). Thus, according to the National Cyber Security Partnership Governance Task Force (2004, p. 12):
The board of directors should provide strategic oversight regarding information security, including:
1. Understanding the criticality of information and information security to the organization.
2. Reviewing investment in information security for alignment with the organization strategy and risk profile.
3. Endorsing the development and implementation of a comprehensive information security program.
4. Requiring regular reports from management on the program’s adequacy and effectiveness.
IA efforts can, however, be criticized for hampering business strategy and introducing restrictions to creativity, entrepreneurship and responsiveness. Organizations therefore need strong alignment between IS, IA and corporate strategies so that they can more effectively address the above legal and regulatory challenges (Ezingeard, McFadzean, & Birchall, 2005). In other words, organizations cannot view information assurance as an autonomous entity but as part of a holistic enterprise-wide framework that includes corporate and information strategies.
A key advantage of developing IS, IA and corporate strategies at such a high level is the ability to build alignment between them. Senior executives are in a better position to gain a complete overview of the company, its goals and its processes (Lohmeyer, McCrory, & Pogreb, 2002). In addition, they
have the authority to ensure that these plans are implemented effectively (Kankanhalli et al., 2003; McFadzean, Ezingeard, & Birchall, 2006).
Unfortunately, there has been little research undertaken in the area of IA alignment. The aim of this article, then, is to ascertain what specific methods and processes can be utilized by management in order to strengthen the alignment of IA, IS, and corporate strategy. To this end, we have used the Delphi Technique to determine these actions. We have also asked the expert panel to rank both the desirability and the feasibility of these variables.
This article is structured as follows. The next section discusses the importance of information assurance and its alignment to IS and business goals. Moreover, a brief review of the alignment literature is presented. The methodology and research design are then described. This section discusses the use of the Delphi Methodology as well as the design of our study. Subsequent sections present the results of the project and discuss the methods for strengthening IA and business alignment. Finally, some implications for managers are considered.
2. INFORMATION ASSURANCE ALIGNMENT
2.1. Information Assurance as a Strategic Necessity
The UK Information Assurance Advisory Council (IAAC) defines IA as “a holistic approach to protect information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation” (Anhal, Daman, O’Brien, & Rathmell, 2002, p. 7). In other words, information assurance attempts to avoid security problems rather than fix them (Austin & Darby, 2003). Furthermore, a comprehensive conceptualisation of information assurance ensures that the information systems that are supporting an organization’s transactional and transformational needs are kept operational and secure. This requires a complete view of the organization’s vision as well as its current information needs and systems. Additionally, IA specialists need to understand how value is created from information and how it can be used to enhance the organization’s success. As a result, Ezingeard, McFadzean, and Birchall (2005, p. 23) suggest that IA is a method for “determining how the reliability, accuracy, security and availability of a company’s information assets should be managed to provide maximum benefit to the organization, in alignment with corporate objectives and strategy.”
McFarlan (1984) and Ward (1988) propose that an issue is strategic if it has the potential to impact on the business as a whole. Thus, in this sense, information assurance can be defined as a strategic issue—and, therefore, should support corporate strategy—because the consequences of IA policy decisions can affect the entire business. For example, an ill-considered or poor IA strategy could result in
• Damage to a firm’s reputation (Chellappa & Pavlou, 2002; Logan & Logan, 2003).
• Financial loss due to poor controls (Dhillon, 2001; Ward & Smith, 2002).
• The inability to operate, loss of business and a reduction in share price on the stock markets (Campbell, Gordon, Loeb, & Zhou, 2003; Ettredge & Richardson, 2002, 2003).
• A restriction of information flow causing poor customer service and loss of business over time (Cerullo & Cerullo, 2004; Sanderson & Forcht, 1996).
• Prohibitively high costs and the possibility that the organization may not survive the disruption (Garg, Curtis, & Halper, 2003; Logan & Logan, 2003).
• The migration of customers to competitors because of the inconvenience or risk of inadequate security, failing computer systems, lack of stability and poor reliability (Cockcroft, 2002; Hazari, 2005).
Information assurance is not just a technical problem. In fact, Dutta and McCrohan (2002) suggest that it is supported by three key areas, namely critical infrastructure, organization and technology—and it is the responsibility of managers to ensure that these three areas are aligned. Consequently, Dutta and McCrohan state that if information assurance is left to the IS function, only one of these issues—technology—will be strengthened. Furthermore, recent attacks on buildings—the World Trade Center being a prime example—show that critical infrastructure and organizational issues are just as important as the technical side. Thus, information security is not just a problem for a series of single organizations. Rather, it is a national—indeed, global—challenge.
Organizational issues—including culture, structure, politics and the business environment—can also have an impact on information assurance. For example, certain organizations won’t see the necessity to promote strict information security; while others—such as companies which primarily focus on e-commerce—are likely to perceive information security as a key factor and will be aware of the potentially significant implications of a breach. On the other hand, small organizations or those that do not significantly rely on inter-organization information exchange will be less concerned with stringent security procedures (McFadzean, Ezingeard, & Birchall, 2007). In fact, a survey undertaken in the UK by BERR (2008) found that 10% of companies that accept payment on their websites do not encrypt the information. Furthermore, 52% do not carry out any informal risk assessment, 67% do not prevent confidential data being downloaded onto memory sticks and 78% of companies that had computers stolen did not encrypt hard discs.
In addition, the advent in the USA of the Sarbanes-Oxley Act, which holds executives personally liable for the accuracy of financial results—together with equivalent government guidelines in other countries—could potentially prepare the way to similar liabilities for all types of compliance issues. This is a growing problem particularly due to the increasing anxiety amongst consumers regarding information privacy (Stewart &
Segars, 2002; Swartz, 2003; Viton, 2003). The latest survey undertaken by Ernst & Young (2007) suggests that regulation and compliance are now the leading drivers of information security investment. Indeed, 82% of managers now believe that information security positively contributes to the value of organizations rather than just being seen as an IT overhead. In fact, under section 302 of the Sarbanes-Oxley Act, the chief executive and chief financial officers of public companies must personally certify the existence and effective operation of disclosure controls and procedures. Additionally, they must declare that they have disclosed any substantial control deficiencies or any significant changes to control systems to their audit committees and independent auditors (Damianides, 2005).
Sixty percent of the respondents in the Ernst & Young (2007) survey also indicated that information security is instrumental in facilitating strategic initiatives. Likewise, the academic literature emphasizes the need to ensure that information assurance is seen as a corporate governance issue (Von Solms, 2001b; Von Solms & Von Solms, 2004). This will provide the organization with a more holistic view of security and include the development and implementation of risk planning models, security awareness programmes, counter measure matrix analysis and the construction of a security architecture that closely relates to the requirements of the business (Sherwood, 1996; Straub & Welke, 1998). Furthermore, this will help to integrate IA policy with multiple functional levels within the firm and will aid both communication and control and provide a framework for feedback. It will also link key IA and business issues such as corporate goals, legal and regulatory processes, best practices and the IT infrastructure (Cresson Wood, 1991; Higgins, 1999; Lindup, 1996; Posthumus & Von Solms, 2004).
Moreover, information assurance needs to be aligned to both corporate and information strategy so that appropriate organizational assets and processes can be protected effectively without the need to invest in security procedures in unnecessary areas. Organizations should also seek to balance IA regulations with corporate objectives. Too much restriction can reduce business effectiveness and too little can leave the organization vulnerable to data loss or malicious attacks. Finally, information assurance can only work if stakeholders are aware of the risks and comply with the stated regulations. There is an increasing level of engagement between IA professionals and other stakeholders such as external auditors, lawyers, human resource managers and government agencies. Therefore, it is essential that information assurance is seen as a holistic discipline with senior management support and is championed together with the organization’s objectives. Stakeholders are more likely to comply with the regulations if they are aware of the potential consequences to the business’s objectives—and their own roles—if they are not followed effectively. Hence, information assurance must become a concern from a corporate governance and strategic alignment perspective and should rise to the highest levels of the organization (Dutta & McCrohan, 2002; Ezingeard & Birchall, 2004; NACD, 2001; Von Solms, 2001a).
2.2. The Importance of Alignment
The alignment of separate functional strategies—such as information technology and human resources—to corporate strategy has consistently been found to be one of the concerns of top management for the past fifteen years (Brancheau, Janz, & Wetherbe, 1996; Niederman, Brancheau, & Wetherbe, 1991; Youndt, Snell, Dean, & Lepak, 1996). As a result, a great deal of research has been undertaken in this field, especially on the relationship between IS and business functions and the antecedents that influence this relationship (Brown & Magill, 1994; Kearns & Lederer, 2003; Luftman & Brier, 1999).
Segars and Grover (1998, p. 143) define alignment as the “close linkage of IS strategy and business strategy.” This process encourages both areas to work together as partners and not, as Smaczny (2001) suggests, as a leader and a follower, with the IS strategy being developed after the business strategy. Rather, both strategies are developed together, at the same time.
Reich and Benbasat (2000) argue that alignment is necessary for organizations so that they can take advantage of their IT opportunities and capabilities. Kearns and Lederer (2003) also found that sharing knowledge between the two functions, in order to devise an IT strategy that reflects the business plans, can create competitive advantage.
Unfortunately, there has been little research undertaken on the alignment of information assurance to either information strategy and/or corporate strategy. There have been calls for better governance in this field (Dutta & McCrohan, 2002; Entrust, 2004; IAAC, 2003; Von Solms, 2001a) but little mention is made about the links between the three areas. However, theorists do recognize that IA is a holistic process and involves complex links between technology, executive governance, human behavior and environmental factors (Backhouse & Dhillon, 1996; Baskerville & Siponen, 2002; Ettredge & Richardson, 2003).
Many organizations develop their information security policies in conjunction with their information systems strategy (Knapp & Boulton, 2006; Tsohou, Karyda, Kokolakis, & Kiountouzis, 2006). However, the volume of security-related incidents, and their associated costs, continues to rise (Chang & Yeh, 2006), showing that crucial information assurance issues are being buried in the IS strategy and are not being communicated to the board, when necessary. Indeed, van Opstal (2007, p. 6) found that, “A preponderance of board members report that boards are under-informed about operational risk”, which, in turn, can cause catastrophic problems as organizations such as Barings Bank, TJX, and Société Générale have found to their cost (see Section 1.3.1). Security is both a human resource and organizational concern, and includes other—non-IS—factors such as staff motivation, awareness and training; ethics; compliance and legal issues; integration; stakeholder analysis; and information sharing and collaborative mechanisms (Hinde, 2003). Thus, companies cannot afford to hide security and compliance issues within IT strategy. Information assurance must be seen as a separate holistic and transparent component,
INFORMATION ASSURANCE AND CORPORATE
STRATEGY 105
which is communicated in its own right to the appropriate
stakeholders.
2.3. Improving IA Alignment
Aligning information assurance strategy with IS strategy and business strategy is not simply a case of developing all three strategies together. Rather, it involves gathering relevant information, developing relationships between functions and constructing appropriate processes and practices. The literature presents a variety of methods for improving the links between specialist functions such as IA and IS and the general business functions (Chan, 2002; Luftman & Brier, 1999; Sabherwal & Chan, 2001). These can be divided into four categories, which are similar to the strategy process of development, planning and implementation, control, and feedback (Cohen & Cyert, 1973; Frolick & Ariyachandra, 2006; Hansotia, 2002; Kolokotronis, Margaritis, Papadopoulou, Kanellis, & Martakos, 2002; Montealegre, 2002). These are
• Developing goals and critical success factors—the initial stage of strategy formulation includes the determination of the future direction and performance of the organization (Bryson, Ackermann, & Eden, 2007; Preble, 1992), as well as the functions—such as IA—required to fulfil them.
• Constructing or improving strategy alignment—the next stage of strategy formulation involves the identification of the processes, management and skills required for fulfilling the goals and critical success factors (Barney, 1991; Henderson & Venkatraman, 1993).
• Measuring and reporting practices—after the strategies have been developed and implemented, a review of performance is generally undertaken and corrective actions carried out, if necessary (Daft & Macintosh, 1984; Govindarajan, 1988).
• Evaluating and communicating strategic information to the board—appropriate feedback pertaining to strategy implementation and performance is communicated to the board (Raghupathi, 2007; Siebens, 2002).
In order to ensure alignment, strong links between business, IT and IA goals, critical success factors and strategies are essential. Furthermore, control and feedback will have an impact on strategy and, as a result, will also influence alignment. Finally, the organization’s environment—such as its competition, markets and resources—will help to shape strategy, too.
Improving information assurance alignment is discussed in more detail below using these four categories (see Figure 1).
FIG. 1. IA Strategy alignment model.
2.3.1. Developing IA Goals and Critical Success Factors (CSFs)
Three predominant IA goals and CSFs are mentioned in the literature. These are
• Anticipating threats to the organization and its goals—a breach in information security can have a severe impact on the organization (Logan & Logan, 2003; McHugh, 2001). For example, TJX—the owner of retail discount stores TJ Maxx and Marshalls—failed to comply with the Payment Card Industry Security Standard, which was established by the major credit card companies and sets minimum security expectations. TJX initially failed nine of the twelve compliance requirements and over a two year period avoided responsibility for improving its security. Due to this lack of diligence, TJX’s credit card data had been breached by hackers. Over 94 million credit card records had been compromised and TJX had to provide a $41 million settlement fund in order to compensate the affected customers and banks (Burnes, 2008; Chickowski, 2008). This example shows that TJX did not have suitable security controls in place in order to fulfil their business objectives effectively.
Likewise, Société Générale lost approximately €4.9 billion ($7.2 billion) due to unauthorised derivatives trading—the result of insufficient risk management information. PriceWaterhouseCoopers reported that the Bank had “a heavy reliance on manual processing and the workload of operating staff meant that certain of the existing controls in place were not operating effectively” (Sandman, 2008, p. 4). As a result, the Bank failed to anticipate the potential threats to the business from its own staff (Vijayan, 2008). Moreover, Société Générale is not the only bank to suffer from the risky behavior exhibited by employees. Barings Bank, Bear Stearns and Credit Suisse have all suffered from financial losses attributed to employee misconduct, mismanagement or negligence, which were not caught in time by appropriate controls (Wailgum & Sayer, 2008).
Anticipating and preventing informational threats is, therefore, vital for ensuring continuing working practices. Thus, an information assurance policy that is linked to business goals and communicated to the employees is an important weapon for preventing potential threats. Whitman (2003, p. 92) states that, “The security policy is the first and potentially the most important layer of security available to the organization.” This policy contains the organization’s basic security philosophy which dictates subsequent decisions, procedures and guidelines including prevention measures.
• Communicating IA procedures to the organization—Employees expect to gain strategic direction from their senior executives. They need to understand what changes to expect, the reasons behind these changes and how they will influence their own work (Edwards, 2000). As a result, senior managers need to be the champions of employee communication (Powers, 1996). In its guidelines, the Turnbull Report (Turnbull, 1999, p. 13) suggests that Boards of Directors may wish to consider whether the company “communicates to its employees what is expected of them and the scope of their freedom to act.” In addition, line managers must develop strong, on-going relationships with other functional managers. For example, managers responsible for the IA, IS and business functions must communicate with one another so that IA, IS and business capabilities are integrated effectively at all levels of the organization (Rockart, Earl, & Ross, 1996). IA procedures can also be communicated to staff through awareness and training programmes, which can cement the organization’s basic security philosophy into its culture (Dutta & McCrohan, 2002).
• Responding to the changing environment and organizational needs—Today’s rapidly transforming business environment tends to encourage greater flexibility and change within organizations. Reengineering programmes, altering management information flows, re-designing business processes and developing new innovative products and services all require substantial input from information assurance experts (Dhillon & Backhouse, 2000; Rockart et al., 1996). In addition, it is important that information assurance issues do not constrain these changes by increasing bureaucracy, rigidity and centralisation of security policies. Baskerville and Siponen (2002) therefore suggest that organizations should develop a more flexible meta-policy which should provide guidelines on how security policies are created, implemented and enforced. This will enable security countermeasures to keep pace with the organization’s business requirements.
2.3.2. Constructing or Improving IA Strategy Alignment
Many studies on alignment have been based upon the seminal work undertaken by Henderson and Venkatraman (1993) in which they present a model illustrating the link between IT and business strategy. This was constructed using two concepts, namely strategic fit and functional integration. The former concept acknowledges the need to address both the internal and external business domains in order to develop alignment. The external domain includes the organization’s market place and is concerned with aspects such as the company’s products, marketing and customer information as well as other external factors such as competitors. The internal domain, on the other hand, is concerned with factors such as the company’s structure, culture and processes.
Henderson and Venkatraman suggest that the fit between the internal and external domains is critical for maximising organizational and economic performance. They argue that failure to derive success from IT is frequently due to this lack of alignment. For instance, IT strategies are often unsuccessful because of the poor supporting infrastructure and/or poorly skilled human resources. Thus, strategic fit is a key driver for success.
This article is based on the premise that information assurance should also be part of the strategic fit (see Figure 1). Like Henderson and Venkatraman, we suggest that the position of the company in the IA’s external domain will involve choices in three areas:
• The extent of the organization’s willingness to ensure prevention of threats and the security of data—in other words, what are the specific technologies, processes and systems required by a company in order to defend against potential threats so that its business objectives can be fulfilled?
• Systemic competencies—what attributes of IA strategy could positively contribute to the development of a new business strategy or could more effectively support the current strategy? This could include factors such as flexibility, reliability and speed.
• IA governance—what actions can be used in order to acquire the above systemic competencies? This could include alliances with vendors, joint research projects and education initiatives.
In addition, the internal IA domain must address three components:
• Security infrastructure—what technology and software should be included in the security infrastructure? How should this be configured?
• Processes—how should the IA processes and systems be developed, monitored and controlled?
• Skills—how should awareness, knowledge and the capabilities of employees and other stakeholders be developed?
The alignment literature also calls for a link between the business and IT domains. Henderson and Venkatraman label this functional integration. This link specifically deals with the impact that one function has on the other and includes the relationships of both the internal (operational integration) and external (strategic integration) domains. We suggest that information assurance should also be included in the integration between the domains.
The literature suggests a number of methods for developing or improving IA strategy alignment. These are
• Developing a relationship between IA, IT, and business functions—According to Henderson and Venkatraman (1993) and Ho (1996), the IT function should be capable of both influencing and supporting the business strategy. This is particularly the case for organizations which use their information systems for competitive advantage. However, often organizations focus too readily on technology rather than business, management and organizational issues (Luftman, Lewis, & Oldach, 1993). Likewise, the information assurance function needs to be able to shape and reinforce IT and corporate strategy as well as maintain a balance between security issues and organizational goals (Von Solms, 2001a). The relationships between these functions can be strengthened by encouraging more extensive participation in firm-wide strategic planning (Broadbent & Weill, 1993), improving resource utilization (Edwards, 2000) and enhancing communication and understanding between the three functions (Chan, 2002).
• Linking the formation of IA, IT, and business strategies—Rapid strategic change and the highly competitive nature of today’s business environment require organizations to gather, interpret and synthesize information effectively and securely in order to remain flexible and to enable them to amend corporate initiatives, when necessary (Bergeron, Raymond, & Rivard, 2004). As a result, IA, IT and business strategies need to be strongly linked. Chan (2002) and Luftman and Brier (1999) suggest that this link is critical to developing successful alignment. Theorists have found that the link between these three strategies can be facilitated by (a) specifying who has authority and responsibility for risk, conflict resolution and the allocation of resources, (b) having a longer experience of undertaking organization-wide strategic planning processes, (c) focusing on critical and long-term issues, (d) making certain that strategic plans are well documented and are clear and consistent, (e) guaranteeing that the plans enhance overall organizational effectiveness, and (f) ensuring that the reporting level of those responsible for IT and IA is at board level (Broadbent & Weill, 1993; Chan, 2002; Luftman, 2003; Sledgianowski & Luftman, 2005; Tallon, Kraemer, & Gurbaxani, 2000).
2.3.3. Measuring and Reporting Practices
The literature suggests that measuring and reporting information assurance procedures and practices can help to instil a greater commitment to IA from all employees. These include:
Controlling and measuring the effectiveness of IA, IS, and business strategies—one of the greatest challenges of information assurance is to be able to communicate its value to the rest of the organization. In order to achieve this, managers must be able to assess its worth. All too often, however, both IA and IS metrics are difficult for the business to understand. Luftman (2003) therefore suggests a service level agreement which assesses the IA and IS functions’ level of commitment to the organization. The agreement should consist of business related metrics such as information quality, user satisfaction and business responsiveness and should be presented in language that is easy for non-technical people to understand (Peak & Guynes, 2003; Sledgianowski & Luftman, 2005). The strength of alignment between the IA, IS, and business functions can also be measured. This could include evaluating communication, learning and knowledge sharing, governance, partnerships, processes and skills (Chan, Huff, Barclay, & Copeland, 1997; Luftman, 2000).
2.3.4. Evaluating and Communicating Strategic Information to the Board
According to Von Solms (2001a), the board of directors should be provided with appropriate strategic information on IA. This will help to engage senior managers in the alignment process. This category, therefore, included the following:
Keeping senior management informed—Often, organizations invest considerable sums of money in developing performance measures but fail to take any action based on these measures (Luftman, 2003). This could have disastrous consequences for organizations if security is breached and there is a failure to act. Chan (2002) suggests that constructing formal reporting relationships and developing evaluation committees are vital. This will enable more effective monitoring and control by senior managers. In addition, the evaluation committees need to define the risk factors—often involving multiple dimensions and meanings—and their impact within the context of information security (Baker, Rees, & Tippett, 2007; Bodin, Gordon, & Loeb, 2008). Accurate measurement, communication and control of potential information security threats and countermeasures can not only save an organization from disaster but they may also “assist organizations in converting today’s security threats into tomorrow’s business opportunities” (Da Veiga & Eloff, 2007, p. 369).
This research will attempt to determine the factors that help to strengthen the alignment between IA and corporate strategy. Due to the scarcity of research in this area, we developed quite a broad research question:
What methods and processes included in the above four areas can be utilized effectively by organizations in order to align IA and corporate strategy?
3. METHODOLOGY AND RESEARCH DESIGN
The data collection for this research was divided into two stages. The first stage consisted of gathering information through interviews and the second stage involved undertaking the Delphi approach. Anderson, Rungtusanatham, and Schroeder (1994, p. 478) describe the Delphi approach as a technique “intended for systematically soliciting, organizing and structuring judgments and opinions on a particularly complex subject matter from a panel of experts until a consensus on the topic is reached or until it becomes evident that further convergence is not possible.” The Delphi technique is typically employed in circumstances where judgemental information is essential (Okoli & Pawlowski, 2004). In addition, the approach ensures that the data collection process is both reliable and valid because it exposes the investigation to differing, and often divergent, opinions and seeks convergence through structured feedback (Schmidt, Lyytinen, Keil, & Cule, 2001).
The objectives of this Delphi study focus on two points: (a) identifying the factors that can influence information assurance alignment, and (b) establishing a consensus on the desirability and the feasibility of implementing each factor.
In order to gather an initial list of statements for our Delphi, we interviewed a number of executives. Forty-three in-depth interviews were undertaken. The interviewees were senior managers; most were appointed to the board of their respective companies. These organizations ranged from SMEs to large multi-national corporations, the majority of which are listed on the stock market. The list of interviewees was drawn up from personal and organizational contacts and aimed to provide a good cross section of companies. The sampling strategy we used is that described by Strauss and Corbin (1990) as ‘open sampling’ where participants are selected to maximize the opportunities for augmenting the pool of relevant data [see Appendix A for further demographic information]. Interviews lasted between 60 and 90 minutes. They were open-ended and discovery oriented (Flint, Woodruff, & Gardial, 2002). Moreover, we tried to maintain a continuous ‘conversation’ rather than follow a rigid list of questions or themes (see Appendix C for some examples of the questions that we asked). Senior executives were engaged with this form of interviewing and we felt they were happy to enter into fairly detailed discussions, perhaps more than they would have been with an interaction based on questions and answers. Few guidelines exist on the optimum size of interview data pools. The idea of theoretical saturation is normally recommended (Locke, 2001) as a guide to sample size, and we feel this saturation was reached in our study.
The interviews were transcribed verbatim and transferred into Atlas-ti (a qualitative analysis software programme) where they were coded using the processes advocated by Strauss and Corbin (1998), namely open, axial and selective coding.
Open coding is “the analytic process through which concepts are identified and their properties and dimensions are discovered in data” (Strauss & Corbin, 1998, p. 101). In general, the data is examined and coded line-by-line, by sentence or paragraph or by a holistic analysis of an entire document (Sarker, Lau, & Sahay, 2001). Although the open coding process is procedurally guided, it is fundamentally interpretive in nature and must include the perspectives and voices of the people that are studied (Strauss & Corbin, 1998). Open coding allows the researcher to name similar events, occurrences and objects so that they can be categorized under common headings.
Next, axial coding was undertaken, which involved the process of sorting all the relevant open codes on alignment into varying categories. Whereas open coding breaks up the data so that it can be analyzed, axial coding reassembles the fractured data in order to discover relationships between the different categories and sub-categories. In this case, the codes in each category were associated with one particular topic on alignment. For instance, one family group was entitled, Options for Evaluating and Communicating Strategic Information to the Board.
Selective coding involves the identification of the core category—or the central phenomenon—and the linking of this core category to other major categories. This integration often occurs as a process model, which illustrates how the axial codes are related. In order to choose our principal category, we needed to ensure that all our other major categories could be linked to this central idea. The central idea chosen for this research was “methods for improving IA-corporate alignment”.
Finally, a number of statements were formed from the interview data for each of the axial categories. These statements each suggested one potential method for improving alignment. One statement from the above category, for example, was “Including IA metrics in general IT reports”. These statements were then combined and used for the second stage of the research—the Delphi study.
The first step in the Delphi procedure is to choose an expert panel (Brancheau et al., 1996; Larreche & Montgomery, 1977; Malhotra, Steele, & Grover, 1994). This is a particularly important step because it is the panel that lends content validity to the task (Anderson et al., 1994). Preble’s (1984) research has found that there is little difference between a panel of members chosen from a single organization and a panel of experts chosen from multiple organizations. The latter, however, provides a greater range of views and helps improve the generalizability of the results (Nambisan, Agarwal, & Tanniru, 1999; Okoli & Pawlowski, 2004).
We selected the second method and chose two different types of panelists. The first type included senior managers who are prominent members of the information security community (Mitchell & McGoldrick, 1994). Each has at least five years of practical experience within the IA field and is renowned for their competence in this area. The second type of panelists are academics who have expertise in information assurance (Guimaraes, Borges-Andrade, Machado, & Vargas, 2001; Okoli & Pawlowski, 2004). This provided a wider knowledge-base and a greater range of experience. There were 36 members in the panel (see Appendix B for more information on the participants).
The Delphi approach started with two preliminary rounds (Schmidt et al., 2001). The initial stage involved generating the concepts that would be evaluated in later rounds. In some research studies these have been supplied for the panel as a starting point for idea generation (Anderson et al., 1994; Guimaraes et al., 2001; Nambisan et al., 1999; Saunders & Jones, 1992) while in others, the panel commences with a completely blank sheet of paper (Okoli & Pawlowski, 2004; Schmidt et al., 2001; Schmidt, 1997). We preferred to follow the example of the former studies where we used the results from our interviews to provide a list of factors that influence information assurance alignment. The panel members were free to amend or comment upon these ideas as well as generate their own concepts.
The comments produced by the panel in each round were always fed back to the participants in the next round (Schmidt, 1997). This provided them with qualitative information on the thoughts, ideas and questions raised by other panel members. In addition, many panelists developed a rationale for why certain statements were important—or less important—to them, and this was presented anonymously to the rest of the panel in subsequent rounds. This helped the group to better understand the concepts and encouraged a form of nominal group debate (Malhotra et al., 1994).
Once the ideas had been collected and consolidated, the terminology was clarified and exact duplicates were removed. The resulting list was then sent back to the panel members for the second preliminary round. The objective here was to reduce the number of concepts into a manageable list. We achieved this by asking the panel to rate the concepts in terms of desirability and feasibility on a scale of one to six. The aggregate mean for each concept was calculated for the desirability score and those with a very low mean—that is, those that were deemed to be undesirable—were either refined for clarity or removed. The resulting list—which consisted of 29 statements—was then sent back to the panel. The members were again asked to rate the concepts in terms of desirability and feasibility. This was the first of the consensus rounds. After each round the panel’s ratings were assessed for consensus using the standard deviation. A standard deviation of less than one implied a high consensus for that statement and it was, therefore, removed from the list and set aside for later consideration during the theory building process. If the consensus was low, however, the statement was left on the list. The amended list was subsequently sent back to the panel with the aggregated means for each statement and a record of the comments made by the members so that they were aware of the reasons for particular scores. This continued for three rounds until consensus was achieved. The resulting list of statements was then used to develop our theory (a more detailed summary of the analysis process is shown in Appendix D). This was achieved in the following way:
• The final statements were categorized into the four key groups.
• The statements for each group were plotted on a graph which showed the relationship between desirability and feasibility.
• Each graph was divided into four quadrants denoting the levels of desirability and feasibility. This was achieved by plotting the mean for desirability and feasibility in each category.
• Finally, we developed a number of models showing the relationships between the concepts (Anderson et al., 1994; Strauss & Corbin, 1998).
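The consensus round and quadrant placement described above, as an added illustration that is not part of the paper: constructed panel ratings (not the study’s data) on the one-to-six scale are tested against the standard-deviation threshold of one, and the statements set aside as consensus are placed in quadrants split at the category means. Using the sample standard deviation and requiring consensus on both scales are assumptions, since the paper does not state either.

```python
"""Delphi consensus round and quadrant placement (added illustration).

Panelists rate each statement for desirability and feasibility on a
scale of one to six.  A statement whose ratings have a standard
deviation below one is treated as having reached consensus and is set
aside; the others go back to the panel with the aggregate means.  The
consensus statements are then placed in four quadrants, split at the
category's mean desirability and mean feasibility.
"""
from statistics import mean, stdev
from typing import Dict, List, Tuple

# "A standard deviation of less than one implied a high consensus"
CONSENSUS_SD = 1.0

Ratings = Dict[str, Dict[str, List[int]]]

# Constructed ratings from five hypothetical panelists; these are NOT the
# study's data.  Letters follow the key of Figure 2 for readability only.
SAMPLE_RATINGS: Ratings = {
    "A": {"desirability": [6, 6, 5, 6, 6], "feasibility": [5, 5, 6, 5, 4]},
    "C": {"desirability": [6, 5, 6, 6, 5], "feasibility": [4, 4, 3, 4, 5]},
    "G": {"desirability": [4, 5, 4, 4, 3], "feasibility": [5, 6, 5, 5, 4]},
    "H": {"desirability": [4, 3, 4, 5, 4], "feasibility": [3, 2, 4, 3, 3]},
    "J": {"desirability": [2, 6, 1, 5, 3], "feasibility": [4, 4, 5, 4, 4]},
}


def validate(scores: List[int]) -> None:
    """Reject panels too small for a standard deviation and off-scale values."""
    if len(scores) < 2:
        raise ValueError("at least two panelists are needed for a standard deviation")
    if any(not 1 <= s <= 6 for s in scores):
        raise ValueError("ratings must be on the one-to-six scale")


def assess_round(ratings: Ratings) -> Tuple[Dict[str, Tuple[float, float]], List[str]]:
    """Apply the consensus test to one round.

    Returns ({statement: (mean desirability, mean feasibility)} for the
    statements set aside as consensus, [statements returned to the panel]).
    Assumption: consensus is required on both scales, and the sample
    standard deviation is used (the paper does not say which estimator).
    """
    consensus: Dict[str, Tuple[float, float]] = {}
    remaining: List[str] = []
    for stmt, scales in ratings.items():
        des, feas = scales["desirability"], scales["feasibility"]
        validate(des)
        validate(feas)
        if stdev(des) < CONSENSUS_SD and stdev(feas) < CONSENSUS_SD:
            consensus[stmt] = (round(mean(des), 2), round(mean(feas), 2))
        else:
            remaining.append(stmt)
    return consensus, remaining


def classify(consensus: Dict[str, Tuple[float, float]]) -> Dict[str, str]:
    """Place each consensus statement in a quadrant relative to the category means.

    The paper's Figure 2 labels the high-desirability, high-feasibility
    quadrant "Premier Choices"; the other quadrants are described here by
    their position only.
    """
    if not consensus:
        return {}
    des_cut = mean([d for d, _ in consensus.values()])
    feas_cut = mean([f for _, f in consensus.values()])
    placement: Dict[str, str] = {}
    for stmt, (d, f) in consensus.items():
        desirable = "high" if d >= des_cut else "low"
        feasible = "high" if f >= feas_cut else "low"
        label = f"{desirable} desirability, {feasible} feasibility"
        if desirable == "high" and feasible == "high":
            label += " (Premier Choices)"
        placement[stmt] = label
    return placement


if __name__ == "__main__":
    reached, back_to_panel = assess_round(SAMPLE_RATINGS)
    placement = classify(reached)
    for stmt, (d, f) in reached.items():
        print(f"{stmt}: desirability {d}, feasibility {f} -> {placement[stmt]}")
    print("returned to the panel for another round:", back_to_panel)
```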
4. RESULTS
As stated above, the 29 statements were classified using the four categories from the literature review. These are discussed in more detail below.
4.1. Options for Developing IA Goals and CSFs
The panel developed a consensus regarding ten desirable goals and critical success factors pertaining to information assurance alignment. As for all the options put to the panel, we asked for the CSFs to be given a feasibility rating, shown in Figure 2.
The most desirable critical success factor was considered to be acquiring senior management support for information assurance (Statement A). According to the panel of experts,
Key to Figure 2
A Gaining senior executive support for information assurance
B Instilling IA values and awareness amongst employees
C Anticipating IA threats
D Developing a security architecture that can rapidly respond to changes in the business environment
E Clarifying individual IA roles and responsibilities for all employees in the organization
F Developing IA policy beyond legislation and regulation
G Developing a 3 to 5 year IA strategy
H Working together with members of the same industry to develop solutions for IA issues
I Responding to changing organizational needs by providing flexible IA procedures and regulations
J Using the latest security technology, when appropriate
K Improving communication between IA and business functions
L Aligning IA measures with business objectives
M Prioritising IT/IA projects in line with organizational goals
N Improving the knowledge of both IA and Corporate goals and requirements for all relevant personnel
O Involving the IA function in corporate strategy development
P Developing collaboration between IA and the organization’s other functions
Q Discussing at board level key strategic dilemmas pertaining to IA, e.g. sharing information vs. tight security
R Ensuring IA practitioners discuss how IA processes can support or restrict corporate strategy when undertaking IA changes
S Dedicating resources to making the IA practices responsive to changes in the environment
T Identifying different (internal and external) stakeholders’ requirements in terms of IA
U Determining information assurance success by qualitative as well as quantitative measures
V Using metrics to measure information assurance
W Evaluating employees’ IA practices
X Benchmarking IA against external organizations (best practices/standards)
Y Having IA metrics which focus on time performance (for example, how long did it take to discover incidents and how long did it take to recover)
Z Providing non-technical reports to the Board of Directors so that they can understand and approve IA policy
(a) Reporting to the board on how IA goals are being achieved
(b) Frequent auditing of IA policies
(c) Including IA metrics in general IT reports
[Figure 2 consists of four scatter plots, one for each category: Developing IA Goals & CSF; Improving Strategy Alignment; Measuring & Reporting Practices; and Evaluating and Communicating Strategic Information to the Board. Each plots Desirability (Less Desirable to More Desirable) against Feasibility (Less Feasible to More Feasible) and is divided into quadrants labelled Premier Choices, Incomplete Options, Challenges and Not Right Yet.]
FIG. 2. Options for improving IA alignment.
• This aim is very desirable; it is far easier to implement this kind of—not inexpensive—change with top down support. However, as always, it is getting that support that is where the difficulty lies.
• I think it’s been proven [that] this is both possible and [that it] yields far better results—security needs to be instilled into the culture which requires efforts from the top down. If senior management won’t take IA seriously, they can’t expect their employees to do so.
• This is one of the main CSFs for a successful implementation of an IA plan.
Anticipating IA threats (C) was also seen as highly desirable. As one expert commented,
Many people try to measure incidents as a way to get insight into their situation. However, incidents are normally very few and far between . . . There is much more insight to be gained from measuring the threats and anticipating threat trends.
Although the panel did suggest that anticipating IA threats was feasible, the experts did, however, give it the lowest feasibility rating. The reasons they gave can be summarized as follows:
It is not always possible to anticipate the unexpected and it becomes too onerous to keep up to date—the overhead in gathering data to allow anticipation can be high.
Statements A, B, and F are all seen as highly desirable and highly feasible. Consequently, “gaining senior executive support for information assurance” (A), “instilling IA values and awareness amongst employees” (B), and “developing IA policy beyond legislation and regulation” (F) are seen to be essential and practical for organisations. Statement G, “developing a 3–5 year IA strategy”, was found to be slightly less attractive. Thus, although creating a medium term strategy is feasible, it is less desirable than other possible approaches. Organisations may, therefore, want to experiment with this concept in order to construct an approach that is much more desirable. In fact, one expert suggested that the development of tactics rather than strategy was more advantageous.
“Developing a security architecture that can rapidly respond
to changes in the business environment” (Statement D) and
“clarifying individual IA roles and responsibilities for all
employees in the organisation” (E) were both seen as desirable
but their feasibility scores were lower. Many of the panel mem-
bers believed that the implementation of these two approaches
could be difficult. In particular, they perceived that creating
solid and flexible security architecture could be problematical
due to expense and constantly changing threats. In addition, the
clarification of roles and responsibilities can also prove to be
problematical. As one of our experts stated,
There are staff who simply make mistakes through lack of
knowledge and awareness, and staff who knowingly ignore controls
or transgress codes of acceptable behaviour through holding
unacceptable attitudes or behavioural principles.
The last three approaches, “working together with members
of the same industry to develop solutions for IA issues” (H),
“responding to changing organizational needs by providing
flexible IA procedures and regulations” (I) and “using the lat-
est security technology, when appropriate” (J) had much lower
desirability and feasibility scores.
Working with other organizations to resolve IA issues was
seen to be desirable. In fact, one panel member suggested that
Information sharing is a crucial and critical part of each enterprise’s
IA practice. Others will disagree but this is definitely feasible
if only enterprises, public and private sector, stop behaving like
mini silos.
It was this lack of cooperation, which was of greatest concern
to the panel members. Indeed, many respondents were highly
enthusiastic about sharing information with other organizations,
but as one member stated, “there may be many issues of commercial
conflicts that affect this . . . [but] it is also a benefit to
get ideas from others outside one’s own industry to see how they
have addressed these issues. One can learn a lot from other
industry sectors.”
Responding to changing organizational needs (Statement I)
was also believed to be problematical. This was primarily due
to time and cost issues as well as the need to be both consistent
and compliant.
However, one expert suggested that if inflexible security
policies impeded the organization’s development, it would
project a negative image of IA. In addition, another panel
member stated,
The linkage between security and business requirements is
essential and the ability to deliver procedures and regulations which
match a changing business environment is a powerful way to provide
benefit rather than be seen as an obstructive overhead. It is not
easy to do as frequently it may impose budget or time constraints on
projects and business initiatives.
In order to reconcile the need to be flexible with the difficul-
ties in changing IA procedures, the panel recommended that IA
should operate, where possible, at the level of general principles
rather than detailed procedures.
Finally, using the latest security technology (Statement J)
was also believed to be less feasible than many of the other
options. Indeed, the experts offered some strong opinions on
this issue:
• The latest technology is expensive and not always the
most robust.
• Technology is only a minor feature of a sound IA
regime. Simple procedures or education may be more
cost-effective.
• It can create a false sense of security and possibly raise
the level of risk.
• Integrating new technology can be difficult especially for
organizations growing by acquisitions.
4.2. Options for Improving IA Strategy Alignment
The nine factors found in this category were ranked in order
of desirability by the expert panel (see Figure 2) and plotted on
a graph using the desirability and feasibility mean scores. The
112 E. MCFADZEAN ET AL.
results show that effective IA strategy alignment is dependent
on the following:
• Raising IA decisions up the organization chart, by
either ensuring that the Board is involved in such
decisions or make certain that IA practitioners are
involved in strategic decision making. As one panel
member commented, “The risk is carried by the busi-
ness function. The purpose of the IA programme is to
quantify and articulate that risk to the business function
who will then judge how to manage it.”
• Better communication between the functions
involved with IA and the rest of the business,
and communication of IA goals widely in the
organization. As pointed out by one of our experts,
“Good IA is the art of communication”. This includes
a mutual understanding of the goals and requirements
for each function which is frequently seen as a barrier
to alignment. In fact, two panel members argued that,
“[communication] has to be in a language the functions
understand, can relate to and place importance on.”
Thus, “We still need to develop suitable terminology
where both the IA and the business functions can have
a shared understanding.”
• The need for clear mechanisms to ensure that the
business impact of IA decisions is checked, at either
project level or policy level.
Whatever their desirability, not all options were deemed as feasible
as others by the experts involved in our panel. Accordingly,
there are five options that can be used to align IA strategy
and business strategy that are not only very desirable but also
very feasible. Three of these options are concerned with raising
the profile of information assurance in the organization. These are
• Involving the IA function in corporate strategy devel-
opment (Statement O).
• Improving communication between IA and business
functions (K).
• Improving the knowledge of both IA and Corporate
goals and requirements for all relevant personnel (N).
If the involvement of IA managers in strategic decisions is
not possible, then better communication is the key to ensuring
alignment. The objective of such communications, according to
our expert panelists, is to ensure that ‘the business’ knows the
reasons behind IA decisions.
Examples of how this can be achieved vary, but in our
research we have come across an interesting example of an
organization running some form of security intranet:
We have a corporate security website which is frequently
referred to in corporate communications which is to do with the
softer issues around security and the development of an appropriate
culture.
The other two desirable options that were found are con-
cerned with ensuring that there is an element of cross checking
between business projects and their IA impact and vice-versa.
These are
• Aligning IA measures with business objectives (L).
• Prioritizing IT/IA projects in line with organizational
goals (M).
These two statements generated much debate amongst our pan-
elists. In the words of one expert, “If this is not done the IT/IA
is out of control and the boss should be fired.” However, many
other panelists suggested that, sadly, only a few organizations
ensured that the ideas contained in the above two statements
were adhered to. The answer to why this may be the case is,
perhaps, referred to by one panelist who suggested that there
were ‘many people’ involved in ensuring alignment at project
level and this made it a complex exercise. Interestingly, we had
come across a strategy of how this could be achieved in one
of our earlier interviews in a multi-national bank with head-
quarters in central Europe. Here, the bank runs a forum where
different parts of the business can exchange ideas with IA staff.
This has been very beneficial for the participants because the
forum facilitates communication. At the same time, control is
used to guarantee alignment within the bank by ensuring that
the IA function scrutinizes all IT projects at a detailed level.
The bank leaves no room for basic technical flaws that could
have a negative security impact.
“Developing collaboration between IA and the organiza-
tion’s other functions” (P) was perceived as desirable by our
panel members but it was also seen as potentially hazardous to
implement. The importance of this collaboration was empha-
sized by our respondents. As one member stated, “The business
drives the requirements and IA requirements need to be incor-
porated at source, otherwise there will be conflict between
business and IA objectives.” However, the ease with which this
collaboration takes place depends on a number of factors including
the way in which security is organised within the company,
the culture of the organization, and the level of understanding
between IA officials and the rest of the staff. According to one
panel member, collaboration “has to be in the language of the
manager” so that they can relate to it.
There were three options that were seen to be less desir-
able and feasible in this category. These are “discussing at
board level key strategic dilemmas e.g. sharing information vs.
tight security pertaining to IA” (Statement Q), “ensuring IA
practitioners discuss how IA processes can support or restrict
corporate strategy when undertaking IA changes” (R), and
“dedicating resources to making the IA practices responsive
to changes in the environment” (S). Statement Q, discussing
key strategic dilemmas was seen as important, but the major-
ity of our panel members thought this should not be undertaken
at board level. According to one respondent, “Board agendas
can make it difficult to achieve the correct level of interest but
audit committee, risk committee etc may provide opportunities
INFORMATION ASSURANCE AND CORPORATE
STRATEGY 113
to raise [these issues] with executive management and [provide]
a vehicle for placing [them] before the board.” The opportunity
to place relevant issues before the board was seen as impor-
tant. As one panel member said, “The accountability is at board
level so this is where it should be resolved.” However, it was
felt that the detailed discussions on these dilemmas should be
undertaken at the audit or risk committee level.
The lower desirability and feasibility scores for “ensuring IA
practitioners discuss how IA processes can support or restrict
corporate strategy when undertaking IA changes” (Statement R)
indicate that there was a lack of confidence in communicating
possible problems. According to one respondent, “That would
take a good understanding of the impacts [of IA on corporate
strategy] which most of us don’t have. It could also be seen as a
red flag by managers.” However, many in our panel stressed that
IA should not just be seen in terms of risk but also as a business
enabler.
Finally, Statement S, “dedicating resources to making the
IA practices responsive to changes in the environment” also
had a lower desirability and feasibility score. The idea of flex-
ibility was generally seen as advantageous but there was some
concern about the impression that this may give to employees,
namely that IA was a collection of moveable goalposts when in
reality there is a large number of immutable rules. Moreover,
calculating the cost and the amount of resources required to
provide this flexibility was seen as highly problematical.
4.3. Options for Measuring and Reporting
Practices
This category contains six statements. “Identifying dif-
ferent (internal and external) stakeholders’ requirements”
(Statement T) was deemed to be very desirable by the panel
of experts. This is because
• Every organization has to interact with others and share
information. Interoperability requires a reconciliation
of different policy stances.
• Those selling via the Internet need to ensure cus-
tomers’ personal and credit card details are secure as
well as protecting their “own” information.
• It is a BS7799/ISO 17799 requirement.
• It helps to encourage a security-focused culture for all
organizations involved in the value chain.
• The information is useful to feed into strategies, aware-
ness initiatives, etc.
“Benchmarking IA against external organizations (best
practices/standards)” (X) was also perceived as a desirable
method of measuring and reporting information assurance
issues. However, although it was seen as an attractive option,
the panel of experts were less enthusiastic about its feasibility.
Two of the major disadvantages of benchmarking with external
companies are the lack of willingness to share information
between organizations and the fact that other firms may be
located in different business environments and therefore they
are difficult to compare. Thus, “Identifying different (internal
and external) stakeholders’ requirements” (T) was perceived to
be a more feasible approach for measuring and reporting IA
practices. However, the experts suggested a number of potential
problems with ascertaining stakeholder requirements:
• We may not know who the stakeholders are or, if we do,
they may not be able to communicate their requirements
in any meaningful way.
• Often the stakeholders are not sure of their requirements.
The experts, therefore, suggested that a stakeholder analysis
should be undertaken by management followed by the devel-
opment of a framework mapping out the stakeholders and their
information assurance requirements. Once this map had been
completed it should be evaluated and updated regularly.
Moreover, the panel strongly felt that using metrics to mea-
sure information assurance (V) was desirable. In particular, the
respondents considered that IA should be measured using both
quantitative and qualitative methods (U). As one respondent
stated, traditional quantitative metrics do not provide a thorough
evaluation of IA processes:
I feel that both quantitative and qualitative measures can more
accurately show the contribution of information security.
Another metric that was deemed desirable was the focus on
speed of responsiveness (Y). In fact, one respondent suggested
that the only metric that mattered in determining the effective-
ness of internal control was time—how long it took to discover
an incident and to recover. However, evaluating incidents is
not always easy. As one panel member stated, “It is difficult
to estimate how many unsuccessful attempts to access a sys-
tem have been made but it is possible to determine those that
succeed—sometimes. Metrics can cause a lot of problems if
used incorrectly.”
Assessing employees’ IA practices (W) provided a lot of
comments from the panel of experts. They suggested that
this was an important issue and should be part of the annual
appraisal process. However, it was proposed that this assess-
ment should only occur after the employee has been on an
appropriate awareness and training programme. This assess-
ment of employees was deemed to be desirable for the following
reasons:
• Assessment is one method of identifying and reporting
on the state of security awareness in the company.
• Regular audits are essential to ensure that the docu-
mented processes and procedures are being followed
and to ascertain the reasons they are not being fol-
lowed, if this is the case.
• IA is about culture and the cultural values can only be
reinforced by reference to current behavior.
• Regular assessment can exert pressure on employees to
comply with information assurance standards.
The respondents were also asked to look at the feasibility of
each statement. Although some options were seen as desir-
able to the panel of experts, they can be difficult to implement
effectively. For example, two panel members pointed out that
measuring and evaluating the employees’ IA practices (W) can
be expensive. In addition, these practices need to be defined
and communicated to the employees and the employees, them-
selves, are required to recognize and accept the need for IA
controls.
From Figure 2, it can be seen that statements T (Identifying
different (internal and external) stakeholders’ requirements in
terms of IA) and W (Evaluating employees’ IA practices)
are shown to be both highly desirable and highly feasible.
Organizations can, therefore, implement these processes with
relative ease. Consequently, these actions may be two of the
organization’s initial IA processes to be implemented. However,
statements U (Determining information assurance success by
qualitative as well as quantitative measures) and V (Using met-
rics to measure information assurance) are seen to be desirable
by the experts but their feasibility scores are lower. Statement U
is, in fact, seen as a very desirable option but finding the most
appropriate and accurate qualitative and quantitative measures
could be challenging for managers.
4.4. Options for Evaluating and Communicating Strategic
Information to the Board
This category consists of four factors which are listed in
terms of desirability and plotted against feasibility in Figure 2.
“Providing non-technical reports to the board” (Statement Z)
was seen as the most desirable reporting practice. The panel
of experts suggested that the report could consist of the
following:
• Clear cost/benefit statements
• An evaluation of the organization’s risk environment
• The organization’s IA performance measured against
industry peers
• A forecast of potential threats and their impact on
current policy
• Clear recommendations on future strategy and focus
• A list of business benefits that have accrued with the
help of the current IA strategy
• A statement of commitment and compliance for the
organization.
Similarly, “Reporting to the board on how IA goals are being
achieved” (Statement (a)) was also seen to be highly desirable
and feasible. Indeed, many in the panel thought that this was
“critical in most businesses today” and is essential for good
gov-
ernance and control. As one panel member suggested effective
communication is a key part of information assurance.
Two further evaluating and reporting practices were also
mentioned by the panel, “Frequent auditing of IA policies”
[Statement (b)] and “Including IA metrics in general IT
reports”[Statement (c)]. According to one panel expert, the for-
mer “will clearly have a role in helping to ensure compliance,
but the frequency must be such that it does not become overly
burdensome for all concerned.” There was general agreement
amongst the panel that IA policy auditing should occur no more
frequently than once a year although organizations which are
not so dependent on technology should audit, “every two to
three years given legislation and changing market
expectations.”
Including IA metrics in general IT reports (c) was seen as
“a good awareness tool” by the panel. However, many of the
experts suggested that developing the IA metrics in the first
instance could be problematical. Indeed, one panel member
went so far as to suggest that, “Metrics are not fully devel-
oped enough for this to be effective” although others indicated
that developing effective measures was possible as long as they
are acceptable to all the appropriate stakeholders. Furthermore,
our experts felt that the IT/IS function was not the only area
that should include these metrics. As one Delphi participant
stated, this “implies that IA is just part of IT. This is a very
bad concept as it increases the extant communications gap
with all non-IT people. The metrics should be in all the line
managers’ reports starting with finance and sales/marketing.”
Nonetheless, one expert suggested that auditing is only useful
if supported by enforcement methods and if it actively helps
to resolve breaches—in other words, the audit should also ask
‘why’ questions. In general, a large number of the panel agreed
that auditing should not be used to develop a “blame culture”.
5. DISCUSSION: STRENGTHENING IA AND
CORPORATE ALIGNMENT
In total, the expert panel agreed on twenty-nine factors
that influenced IA and corporate alignment. However, although
most of these actions were recognized as desirable, the panel
thought that a number of them were not easily implemented.
Consequently, we plotted desirability against feasibility on a
scatter graph for each of the four categories. We then calcu-
lated the midpoint for each scale in order to produce the 2×2
matrices (see Figure 2).
5.1. Premier Choices
The top right hand box in the matrices were seen by the
panel as both highly desirable and highly feasible. We, there-
fore, named this segment “Premier Choices”. Twelve of the
factors were positioned in this sector.
According to Bergeron, Raymond, and Rivard (2001),
Miller (1981), and Venkatraman (1989), strategic alignment
can be viewed as a series of frequently recurring clusters of
attributes—or gestalts—which are predictive in nature. This
perspective of alignment seeks “to look simultaneously at a
large number of variables that collectively define a meaning-
ful and coherent slice of organizational reality” (Miller, 1981,
p. 8). Thus, the twelve factors were placed into six predictive
clusters for enhancing alignment, namely Intra-Organizational
[Figure 3 (figure residue; the image itself is not recoverable). Premier choices for enhancing alignment, grouped by the four source categories (Improving Strategic Alignment; Evaluating and Communicating Strategic Information to the Board; Developing IA Goals and CSF; Measuring and Reporting Practices) into six clusters:
• Intra-Organizational Communication: improving communications between IA and business functions; providing non-technical reports to the Board of Directors so that they can understand and approve IA policy; reporting to the board on how IA goals are being achieved.
• Training and Awareness: instilling IA values and awareness amongst employees; improving the knowledge of both IA and corporate goals and requirements for all relevant personnel.
• Evaluating Practices: evaluating employees’ IA practices.
• IA – IS – Business Unity: aligning IA measures with business objectives; prioritising IA/IT projects in line with organizational goals; involving the IA function in corporate strategy development.
• Identifying Requirements: identifying different (internal and external) stakeholders’ requirements in terms of IA; developing IA policy beyond legislation and regulation.
• Senior Management Involvement and Support: gaining senior executive support for information assurance.]
FIG. 3. Methods for enhancing alignment—premier choices.
Communication, Training and Awareness, Evaluating Practices,
IA—IS—Business Unity, Identifying Requirements and Senior
Management Involvement and Support (see Figure 3).
5.1.1. Intra-Organizational Communication
The research found three premier choices for develop-
ing alignment through intra-organizational communication.
These are
• Improving communication between IA and business
functions.
• Providing non-technical reports to the board of direc-
tors so that they can understand and approve IA policy.
• Reporting to the board on how IA goals are being
achieved.
Improving communication between functions as well as
throughout the hierarchy was therefore seen as an essential ele-
ment for enhancing information assurance alignment. Similar
ideas can also be found in the work of Broadbent and Weill
(1993), Chan (2002), and Willcoxson and Chatham (2004).
Brown and Ross (1996) suggest that enhanced cooperation and
communication will improve mutual understanding, apprecia-
tion and trust between functions. However, this crucial commu-
nication is often left to a few individuals who tend to converse
regularly with other departments (Huang & Hu, 2007).
Research has found that alignment can be enhanced when
the senior managers of each function share and communicate
domain knowledge with one another (Reich & Benbasat, 2000).
Lack of understanding and poor job security both contribute
to inadequate communication between technologists and busi-
ness leaders (Jeffery & Leliveld, 2004) According to Ward and
Peppard (1996), the different functions within organizations
must recognize that there is a problem with communication
and trust before these challenges can be solved. In an effort to
reduce these problems, structural overlays such as top manage-
ment advisory groups, audit and IA steering committees, matrix
reporting, cross-functional job rotations, physical co-location
and inter-departmental events could be implemented (Brown,
1999; Brown & Ross, 1996). This would provide oppor-
tunities for developing partnerships and undertaking mutual
education and training. In addition, ensuring a greater under-
standing of information assurance and providing feedback on
how IA goals are being achieved would help to convey the
value of IA to both board members and employees alike. They
could encourage greater commitment from staff for maintaining
and/or improving information security procedures and policies
throughout the organization. This is particularly the case for
board members. As one of our experts stated, “Corporate strate-
gists are not so interested in IA unless there is an obvious need
and reason.” It is therefore important to provide board mem-
bers with a greater understanding of the value and goals of
information assurance. Furthermore, developing a forum where
ideas—and potential disagreements—can be discussed between
functions acts as an additional enabler for alignment. This can
encourage mutual respect and a greater sense of teamwork.
5.1.2. Training and Awareness
The panel suggested two premier choices for enhancing
alignment through training and awareness. These are
• Instilling IA values and awareness amongst employ-
ees.
• Improving the knowledge of both IA and Corporate
goals and requirements for all relevant personnel.
Instilling IA awareness and values amongst employees was seen
as a crucial factor for enhancing alignment. In fact, one expert
stated that
An essential element in providing security is that it needs to be
implemented. Failure to engage employees means that it is unlikely
to be implemented. The trick is to make it meaningful to employees
both in business terms and in terms of their own day-to-day work.
In addition, employees need to feel personally responsible for
the security of their organization and they need to be able
to learn and react quickly when the need arises (Kesh &
Ratnasingam, 2007). This is especially the case during a secu-
rity crisis where contingency plans need to be implemented
promptly. It is therefore essential that all employees are pro-
vided with the necessary training and given adequate infor-
mation on the latest security threats (D’Arcy & Hovav, 2007;
Whitman, 2003).
The panelists also suggested that engagement was equally
necessary for senior managers. To achieve this, it was recom-
mended that IA personnel should emphasize the relationship
between business goals and security when communicating with
business managers:
The senior executives, particularly in the current climate, are
sensitised to ensuring internal control is effective. IA is part of
internal control and assists in addressing business risks. If senior
executives are approached on a business risk basis (not a technical
risk basis) then getting buy-in (or better transfer of ownership) is
much easier to accomplish.
Along a similar vein, Broadbent and Weill (1993) advocate that
rotating middle and senior managers between functions may
serve as an effective method for improving both understanding
and relationships between the different departments.
5.1.3. Evaluating Practices
According to Vroom and Von Solms (2004, p. 193), “The
role of the employees is vital to the success of any company, yet
unfortunately they are also the weakest link when it comes to
information security.” Employees can pose a significant IA risk
to organizations due to the number of security breaches under-
taken by staff each year (Schultz, 2002). These include both
malicious attacks and accidental breaches, which can be caused
by negligence or ignorance of IA policies. Mitnick (2003)
demonstrates how easy it is for employees to be deceived into
giving out personal information to potential hackers.
One of the premier choices for enhancing alignment advo-
cated by our panel—evaluating employee IA practices—would
help to reduce security breaches undertaken by staff as well as
helping to instil IA awareness into the business culture. This
evaluation should include basic technical “good practice” such
as monitoring the installation of unauthorized software (Da
Veiga & Eloff, 2007) and assessing employee security aware-
ness (Kruger & Kearney, 2006) as well as monitoring any
changes in behavior or the exacerbation of excessive personal
or group conflicts (D’Arcy & Hovav, 2007; Dhillon, 2001).
Moreover, it is essential that any carelessness, lack of knowl-
edge or disregard of procedures is dealt with quickly in order to
ensure compliance.
5.1.4. IA—IS—Business Unity
The panel suggested that there are three premier choices for
ensuring unity between functions. These are
• Aligning IA measures with business objectives.
• Prioritising IA/IT projects in line with organizational
goals.
• Involving the IA function in corporate strategy devel-
opment.
Previous alignment research has shown that developing strong
links between functions helps organizational performance
(Bergeron et al., 2004). Luftman (2000), for example, found
that prioritising projects was a key enabler of alignment. In this
instance, prioritising IA/IT projects implies that managers are
able to incorporate security policies and measures into their
IT and business strategies in order to keep abreast of com-
petitors (Luftman, Papp, & Brier, 1999). For example, e-Bay
emphasizes peace of mind to its customers by providing infor-
mation on safety and security protocols in its Safety Center. This
information has been built into e-Bay’s key service, namely its
internet site.
The above three premier choices are designed to develop
a sense of collaboration, unity and understanding between the
functions (Kearns & Lederer, 2003). This should enhance com-
munication and provide greater commitment towards fulfilling
both IA and organizational goals (Brown & Magill, 1994).
5.1.5. Identifying Requirements
Identifying the IA requirements of internal and external
stakeholders and developing IA policies, procedures and guide-
lines to help support these requirements were both seen by the
panel as essential enablers of information assurance alignment.
Post and Kagan (2007) and McFadzean, Ezingeard, and
Birchall (2007) suggest that excessively tight information secu-
rity can hinder both employees and customers alike. Systems
can become inaccessible due to tight controls, which can reduce
staff productivity, or access controls—such as passwords—can
be too complex thereby forcing stakeholders to write them down
in order to aid memory. Moreover, stakeholders can have dif-
ferent perceptions of risk. For example, employees’ views of
potential threats may not correspond to that of information
security professionals (Tsohou et al., 2006). It is for these reasons,
that some theorists believe that a more holistic view of IA
is required (Backhouse, Hsu, & Silva, 2006; Zuccato, 2004).
Understanding the needs of stakeholders, therefore, is essential
for developing this holistic view and encouraging greater align-
ment and compliance. This information can also be used to
develop more effective IA policies.
IA policies should present the company’s overall purpose
and direction of information assurance as directed by senior
managers and should be in accordance with the organization’s
vision (Da Veiga & Eloff, 2007). These should include Internet
and e-mail policies, access control policies, physical and envi-
ronmental policies as well as policies dealing with specific
threats such as social engineering (Mitnick, 2003). In addition,
these policies need to be audited to ensure that they are in the
best interests of the company, that they guarantee compliance
and that they help to fulfil the organization’s goals (Vroom &
Von Solms, 2004).
5.1.6. Senior Management Involvement and Support
The alignment literature has acknowledged the need for senior management involvement and support in order to enhance the link between functions (Brown & Magill, 1994; Chan, 2002; Kearns & Lederer, 2003). According to Edwards (2000, p. 49), “Individuals and groups within the organization will look for direct and indirect signs [from senior managers] in order to understand what strategic changes to expect, the rationale behind the changes and the direct connections to their individual work.” In addition, Reich and Benbasat (2000) found that the social dimensions of alignment were influenced by the sharing and communication of domain knowledge by the senior managers of each function. In fact, Luftman, Papp, and Brier (1999) identified senior management support as the most important enabler of alignment. Likewise, the panel of experts also found that this is an essential ingredient of effective IA alignment. Senior managers must recognize and communicate the importance and value of information assurance to the rest of the organization. Furthermore, they need to define and convey a clear IA vision and strategy to all internal and external stakeholders, as well as provide the appropriate resources for IA projects.
5.2. Challenges
The bottom right-hand box of the matrices includes those factors that are desirable but not easily implemented. In other words, there are still barriers to be overcome before these issues can be put into action. We have called this segment “Challenges.” Six factors were placed in this category (see Figure 4).
[Figure 4. Information Assurance Alignment matrix; the quadrant layout was lost in extraction. Quadrant labels: Premier Choices, Incomplete Options, Further Options, Challenges. Axis labels: “Not Right Yet”, “Require further work”, “May require change in managerial philosophy/business environment”. Factors shown in the figure: Improving strategic alignment; Evaluating & communicating strategic information to the board; Developing IA goals & CSF; Measuring & reporting practices; Developing collaboration between IA and the organization’s other functions; Discussing at board level key strategic dilemmas pertaining to IA; Ensuring IA practitioners discuss how IA processes can support or restrict corporate strategy when undertaking IA changes; Dedicating resources to making the IA practices responsive to changes in the environment; Frequent auditing of IA policies; Including IA metrics in general IT reports; Anticipating IA threats; Developing a security architecture that can rapidly respond to changes in the business environment.]
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 

The first chapter introduces us to Corporate finance is essential .docx

Chapter 1. The first chapter introduces corporate finance, which is essential to all managers because it provides the skills managers need to identify corporate strategies and individual projects that add value to the organization and to draw up plans for acquiring the funds. The types of business forms are the sole proprietorship, the partnership and the corporation. A sole proprietorship possesses its own advantages and disadvantages, and a partnership has roughly the same pros and cons as a sole proprietorship. A corporation is a legal entity that is separate from its owners and managers. Its advantages include a smooth transfer of ownership, limited liability and ease of raising capital; its disadvantages include double taxation and the high cost of set-up and report filing. The chapter then deals with the objective of the firm, which is to maximize wealth. The final topic is an in-depth look at financial securities, markets and institutions.

Chapter 2. In the second chapter we are introduced to financial statements, cash flow and taxes. Financial statements include the income statement and the balance sheet. An income statement is a financial statement that shows a company's financial performance in terms of revenues and expenses over a particular period, usually one year. A balance sheet, on the other hand, is a financial statement that states a company's assets, liabilities and capital at a particular point in time. Under cash flow, the chapter covers the statement of cash flows, which indicates how changes in balance sheet and income statement accounts affect cash and analyses financing, investing and operating activities. Free cash flow is the cash that an organization is capable of generating after the investment needed to maintain or expand its asset base. Under taxes, corporate and personal taxes are explained, together with the scenarios under which they apply.

Chapter 3. Chapter Three analyzes financial statements. This analysis is broken down into ratio analysis, the DuPont equation, the effects of improving ratios, the limitations of ratio analysis and qualitative factors. Ratios help in comparing one company over time and one company against other companies. Ratios are used by stockholders to estimate future cash flows and risks, by lenders to determine creditworthiness, and by managers to identify areas of weakness and strength. Liquidity ratios show whether a company can meet its short-term commitments using the resources it has at that particular time. Asset management ratios show how well an organization utilizes its assets. Debt management (leverage) ratios and profitability ratios are also explained. The DuPont equation focuses on three issues: debt utilization, asset utilization and expense control. Ratio analysis has various problems and limitations: seasonal factors can distort ratios, differing operating and accounting practices can distort comparisons, and it is difficult to compare a firm that operates divisions in different industries. Finally, qualitative factors ask the following questions: what is the competitive situation? What products are in the pipeline? What are the legal and regulatory issues?

Chapter 4. In this chapter we learn of two types of compensation plan: defined benefit (DB) and defined contribution (DC) pension plans. In a DB plan, the company puts funds into your pension and invests them in bonds, real estate, stocks, etc.; it later uses these funds to make the promised payments after your retirement. In a DC plan, the company invests in a mutual fund, you decide which assets to buy, and you withdraw the money after you retire. According to this chapter, managers should strive to make their firms more valuable. The primary objective of financial management is to maximize the intrinsic value of a firm's stock. Stock values depend on the cash flows investors expect and on their timing. The chapter also discusses how the timing of cash flows affects the value of assets and rates of return. The applications of time value analysis include retirement planning, loan payment schedules and the decision to invest in new equipment. Time value of money (TVM) is the most critical concept used in finance; it is also known as discounted cash flow (DCF) analysis. Dollars paid or received at different points in time are not equivalent, and TVM is the tool for dealing with that difference. Compounding, according to this chapter, is the process of determining the future value (FV) of a cash flow or a series of cash flows. Discounting is the process of finding the present value (PV) of a future cash flow or a set of cash flows.

Chapter 5. This chapter explains bond pricing and the bond risks that affect the return demanded by a firm's bondholders. A bondholder's return is a cost from the company's point of view. This cost of debt affects the firm's weighted average cost of capital (WACC), which in turn changes the company's intrinsic value. According to this chapter, a bond is a long-term contract in which the borrower agrees to make payments of interest and principal, on specific dates, to the bondholder. The characteristics of a bond discussed in this chapter are par value, coupon interest rate, maturity date and provisions to call or redeem the bonds. Par value is the stated value of the bond; it generally represents the amount of money the firm borrows and promises to repay on the maturity date. The coupon interest rate is the coupon payment divided by the par value. The coupon payment is set at the level that will enable the bond to be issued at or near its par value. Bonds have a maturity date on which the par value must be repaid. Most corporate bonds have a call provision, which gives the issuing corporation the right to call the bonds for redemption. This chapter explains that a business is insolvent when it does not have enough cash to meet its interest and principal payments.

Chapter 6. Risk, Return, and the Capital Asset Pricing Model. Risk is the chance that something unfavorable will happen. An asset's risk is analyzed in two ways: 1) the asset is considered in isolation, on a stand-alone basis; 2) the asset is considered as part of a portfolio, which is a collection of assets. Treating risk as a discrete distribution, political and economic uncertainties always affect stock market risk. When the economy picks up sufficiently, the stimulus is discontinued, while if it does not pick up, the stimulus continues. At the risk of oversimplification, these outcomes represent distinct states of the market. In this case, risk is measured in three steps: i) probability distributions, ii) the expected rate of return and iii) measuring stand-alone risk with the standard deviation. In normal economic times, investors use the scenario approach instead of estimating discrete outcomes. The standard deviation is a measure of dispersion that provides information about the range of possible outcomes. The relevant risk of an asset is defined in the capital asset pricing model: it is the risk that the stock contributes to a market portfolio.

Chapter 7. Stock, Stock Valuation and Stock Market Equilibrium. Some companies have only one type of stock while others use classified stock to meet special needs. Some firms link stock, together with its dividends, to specific parts of the business; this separates the cash flows and allows separate valuations. For managers to make good decisions, they estimate the influence that policies, campaigns and schemes have on the company's value. The free cash flow valuation model defines the value of a company's operations as the present value of its expected free cash flows discounted at the weighted average cost of capital. Stock market equilibrium is achieved when supply and demand are balanced, so there is no fluctuation in prices. Prices go up when there is an oversupply of goods and hence high demand.

Chapter 8. Financial Options and Applications in Corporate Finance. An option is a contract that gives the owner the right to buy or sell an asset at a set price within a stated period of time. A call option gives the owner the right to buy a share of stock at a fixed price; a put option gives the owner the right to sell a share of stock at a fixed price. Each option has an expiration date after which it cannot be exercised. An American option can be exercised before its expiration date, while a European option can only be exercised on its expiration date. Investors who write call options against stock held in their portfolio are said to be selling covered options, while options sold without the stock to back them are called naked options. Options are also available on several stock indexes; index options allow one to hedge against a rise or fall in the market.

The cost of capital of a project is what most companies investigate before investing in it. Companies also require capital to build more factories, create new products, and expand and grow internationally. The value of a company is determined by the risk, timing and size of its free cash flows. The intrinsic value of a company is found by discounting its free cash flows at the weighted average cost of capital. Flotation costs are costs a company incurs when it issues new securities; examples include legal expenses, commissions and fees. Flotation costs on debt are low, which leads most analysts to ignore them when evaluating the after-tax cost of debt. Most organizations use, or intend to use, preferred stock in a portion of their financing mix, and no tax adjustment is used when evaluating the cost of preferred stock. Moreover, most organizations tend to pay dividends, although it is not a must. The cost used in the calculation of the WACC is the preferred stock cost component. The rate at which shareholders need to be compensated for their risk is the required rate of return on the stock, and hence the stock's required return is also the cost of capital for the project.

Capital budgeting is also important in evaluating cash flows. The cash flows of a project can be evaluated by many methods. When valuing the whole company, free cash flows are discounted at the overall weighted average cost of capital; when valuing a particular project within the organization, the project's cash flows are discounted at the project's risk-adjusted cost of capital. Managers may analyze the company and decide to replace some facilities in order to keep profitable operations running, reduce costs, expand existing markets or products, meet safety requirements or undertake mergers. Before investing in a project it is good to analyze and evaluate the risks the project might face. The initial step is to identify and evaluate the relevant cash flows. Acquiring an asset results in a cash outflow, even though accountants do not show the purchase of fixed assets as a deduction from accounting earnings. Interest charges are not part of a project's cash flows. In capital budgeting analyses, cash flows should be discounted according to the exact time when they occur, so daily cash flows are more accurate than annual flows. Sunk costs are outlays associated with a project that were incurred earlier and cannot be recovered irrespective of whether the project is accepted or not.

In conclusion, cash flow is very important, since a lack of cash can make a project fail. Cash flows also determine many activities in a project; for instance, a project with good cash flow is able to grow rapidly and expand since it is able to manufacture a lot of goods.

Cash Distributions and Capital Structure (Distributions to Shareholders: Dividends and Repurchases; Capital Structure Decisions). Distributions to shareholders, which include dividends and share repurchases, are a vital subject in an organization. Four factors affect the setting of target distribution levels: capital structure, investors' preferences for dividends versus capital gains, and the company's investment opportunities. Under the residual model, distributions are defined as net income minus (target equity ratio times the total capital budget). A change in investment opportunities affects dividends in several ways. First, fewer good investments lead to a smaller capital budget and so to a higher dividend payout; a firm that enjoys low dividend payouts has had good investments. The advantages of the residual model are that it reduces new issue costs and flotation costs. Its disadvantages are that it sends conflicting signals, increases risk and results in variable dividends. Capital structure is simply described as the combination of capital sources. Capital structures are designed to minimize the cost of capital, reduce risk and ensure the firm has adequate finances. Capital structure decisions are affected by business and financial risk. The degree of financial leverage shows the extent of financial risk; the formula is % change in EPS / % change in EBIT. EBIT/EPS analysis shows that the cost of debt is always lower than that of equity, so raising debt increases EPS, benefitting shareholders. The theory of optimal capital structure states that we can obtain an optimum capital structure if, when we raise the debt, we raise the value of the firm to a particular level.
Managing Global Operations (Working Capital Management & Multinational Financial Management). Working capital refers to the net current assets available to a firm for its day-to-day running; it is derived as current assets less current liabilities. Working capital management is an essential component of an organization's activities if it is to remain in business. One of the primary objectives of working capital management is to ensure the firm's liquidity. The other key goal is to ensure that the firm remains profitable, and the firm invests less in working capital to sustain this objective.

Multinational Financial Management. This chapter deals with globalization and the role of multinational corporations, international financial management and international financial considerations. International finance has two major functions: treasury and control. It has various distinguishing features, including foreign exchange risk, political risk and market imperfections. There has been a rapid emergence of financial markets and multinational corporations since the 1980s. MNCs run their businesses through licensing, franchising, joint ventures and management contracts.

Information Systems Management, 28:102–129, 2011
Copyright © Taylor & Francis Group, LLC
ISSN: 1058-0530 print / 1934-8703 online
DOI: 10.1080/10580530.2011.562127

Information Assurance and Corporate Strategy: A Delphi Study of Choices, Challenges, and Developments for the Future

Elspeth McFadzean1, Jean-Noël Ezingeard2, and David Birchall1
1Henley Business School, University of Reading, Greenlands, Henley-on-Thames, Oxfordshire, United Kingdom
2Faculty of Business and Law, Kingston University, Kingston Hill, Kingston Upon Thames, Surrey, United Kingdom

Address correspondence to Elspeth McFadzean, Henley Business School, University of Reading, Greenlands, Henley-on-Thames, Oxfordshire RG9 3AU, United Kingdom. E-mail: [email protected] henley.reading.ac.uk

In this article, we identified processes associated with strengthening the alignment between information assurance, information systems and corporate strategies so that organizations could more effectively address legal and regulatory challenges. Our results are based on data gathered from 43 preliminary interviews and a subsequent Delphi exercise. The Delphi panel rated these processes in terms of desirability and feasibility. After three rounds a consensus of opinion was achieved. The results of the Delphi together with some practical implications are presented.

Keywords: information assurance; IA alignment; strategic alignment; Delphi

1. INTRODUCTION

Due to constantly increasing threats to the security, integrity and availability of organizational information, theorists have presented a number of studies on information assurance (IA), or different aspects of IA, in the literature (Baskerville, 1991; Kankanhalli, Teo, Tan, & Wei, 2003; Miller & Engemann, 1996; Zviran & Haga, 1999). Indeed, there has been a call from both government officials and in the academic literature to place security issues—often the most discussed element of IA—at a more senior level (Dutta & McCrohan, 2002). The legal environment is also changing, and continuing concerns regarding individual privacy, security of sensitive information, accountability for financial information and corporate governance are driving the development of new laws and regulations to ensure that organizations address potential security problems (Gilbert, 2008; Smedinghoff, 2008). These often include two key legal obligations:

• A duty to provide sufficient security for corporate data and information systems; and
• A duty to reveal security breaches to those individuals or businesses who may be adversely impacted by these breaches (Smedinghoff, 2005).

Some theorists have suggested that information assurance should be undertaken as part of the corporate governance procedures and, as such, should be the responsibility of the board of directors (Birchall, Ezingeard, & McFadzean, 2003; Von Solms, 2001a). In fact, organizational compliance regulations that cover IA are increasingly expanding. In the United States, the Sarbanes-Oxley Act is seen as a key driver of IA efforts at senior levels for publicly traded companies (Linkous, 2008). Thus, according to the National Cyber Security Partnership Governance Task Force (2004, p. 12):

The board of directors should provide strategic oversight regarding information security, including:
1. Understanding the criticality of information and information
security to the organization.
2. Reviewing investment in information security for alignment with the organization strategy and risk profile.
3. Endorsing the development and implementation of a comprehensive information security program.
4. Requiring regular reports from management on the program's adequacy and effectiveness.

IA efforts can, however, be criticized for hampering business strategy and introducing restrictions to creativity, entrepreneurship and responsiveness. Organizations therefore need strong alignment between IS, IA and corporate strategies so that they can more effectively address the above legal and regulatory challenges (Ezingeard, McFadzean, & Birchall, 2005). In other words, organizations cannot view information assurance as an autonomous entity but as part of a holistic enterprise-wide framework that includes corporate and information strategies. A key advantage of developing IS, IA and corporate strategies at such a high level is the ability to build alignment between them. Senior executives are in a better position to gain a complete overview of the company, its goals and its processes (Lohmeyer, McCrory, & Pogreb, 2002). In addition, they have the authority to ensure that these plans are implemented effectively (Kankanhalli et al., 2003; McFadzean, Ezingeard, & Birchall, 2006).

102 INFORMATION ASSURANCE AND CORPORATE STRATEGY 103

Unfortunately, there has been little research undertaken in the area of IA alignment. The aim of this article, then, is to ascertain what specific methods and processes can be utilized by management in order to strengthen the alignment of IA, IS, and corporate strategy. To this end, we have used the Delphi Technique to determine these actions. We have also asked the expert panel to rank both the desirability and the feasibility of these variables.

This article is structured as follows. The next section discusses the importance of information assurance and its alignment to IS and business goals. Moreover, a brief review of the alignment literature is presented. The methodology and research design are then described. This section discusses the use of the Delphi Methodology as well as the design of our study. Subsequent sections present the results of the project and discuss the methods for strengthening IA and business alignment. Finally, some implications for managers are considered.

2. INFORMATION ASSURANCE ALIGNMENT

2.1. Information Assurance as a Strategic Necessity

The UK Information Assurance Advisory Council (IAAC) define IA as "a holistic approach to protect information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation" (Anhal, Daman, O'Brien, & Rathmell, 2002, p. 7). In other words, information assurance attempts to avoid security problems rather than fix them (Austin & Darby, 2003). Furthermore, a comprehensive conceptualisation of information assurance ensures that the information systems that are supporting an organization's transactional and transformational needs are kept operational and secure. This requires a complete view of the organization's vision as well as its current information needs and systems. Additionally, IA specialists need to understand how value is created from information and how it can be used to enhance the organization's success. As a result, Ezingeard, McFadzean, and Birchall (2005, p. 23) suggest that IA is a method for "determining how the reliability, accuracy, security and availability of a company's information assets should be managed to provide maximum benefit to the organization, in alignment with corporate objectives and strategy."

McFarlan (1984) and Ward (1988) propose that an issue is strategic if it has the potential to impact on the business as a whole. Thus, in this sense, information assurance can be defined as a strategic issue—and, therefore, should support corporate strategy—because the consequences of IA policy decisions can affect the entire business. For example, an ill-considered or poor IA strategy could result in

• Damage to a firm's reputation (Chellappa & Pavlou, 2002; Logan & Logan, 2003).
• Financial loss due to poor controls (Dhillon, 2001; Ward & Smith, 2002).
• The inability to operate, loss of business and a reduction in share price on the stock markets (Campbell, Gordon, Loeb, & Zhou, 2003; Ettredge & Richardson, 2002, 2003).
• A restriction of information flow causing poor customer service and loss of business over time (Cerullo & Cerullo, 2004; Sanderson & Forcht, 1996).
• Prohibitively high costs and the possibility that the organization may not survive the disruption (Garg, Curtis, & Halper, 2003; Logan & Logan, 2003).
• The migration of customers to competitors because of the inconvenience or risk of inadequate security, failing computer systems, lack of stability and poor reliability (Cockcroft, 2002; Hazari, 2005).

Information assurance is not just a technical problem. In fact, Dutta and McCrohan (2002) suggest that it is supported by three key areas, namely critical infrastructure, organization and technology—and it is the responsibility of managers to ensure that these three areas are aligned. Consequently, Dutta and McCrohan state that if information assurance is left to the IS function, only one of these issues—technology—will be strengthened. Furthermore, recent attacks on buildings—the World Trade Center being a prime example—show that critical infrastructure and organizational issues are just as important as the technical side. Thus, information security is not just a problem for a series of single organizations. Rather, it is a national—indeed, global—challenge.

Organizational issues—including culture, structure, politics and the business environment—can also have an impact on information assurance. For example, certain organizations won't see the necessity to promote strict information security; while others—such as companies which primarily focus on e-commerce—are likely to perceive information security as a key factor and will be aware of the potentially significant implications of a breach. On the other hand, small organizations or those that do not significantly rely on inter-organization information exchange will be less concerned with stringent security procedures (McFadzean, Ezingeard, & Birchall, 2007). In fact, a survey undertaken in the UK by BERR (2008), found that 10% of companies that accept payment on their websites do not
  • 15. encrypt the information. Furthermore, 52% do not carry out any informal risk assessment, 67% do not prevent confidential data being downloaded onto memory sticks and 78% of companies that had computers stolen did not encrypt hard discs. In addition, the advent in the USA of the Sarbanes-Oxley Act, which holds executives personally liable for the accuracy of financial results—together with equivalent government guide- lines in other countries—could potentially prepare the way to similar liabilities for all types of compliance issues. This is a growing problem particularly due to the increasing anxiety amongst consumers regarding information privacy (Stewart & 104 E. MCFADZEAN ET AL. Segars, 2002; Swartz, 2003; Viton, 2003). The latest survey undertaken by Ernst & Young (2007) suggests that regulation and compliance are now the leading drivers of information security investment. Indeed, 82% of managers now believe that information security positively contributes to the value of orga- nizations rather than just being seen as an IT overhead. In fact, under section 302 of the Sarbanes-Oxley Act, the chief executive and chief financial officers of public companies must personally certify the existence and effective operation of dis- closure controls and procedures. Additionally, they must declare that they have disclosed any substantial control deficiencies or any significant changes to control systems to their audit committees and independent auditors (Damianides, 2005). Sixty percent of the respondents in the Ernst & Young (2007) survey also indicated that information security is instrumental in facilitating strategic initiatives. Likewise, the academic liter- ature emphasizes the need to ensure that information assurance
  • 16. is seen as a corporate governance issue (Von Solms, 2001b; Von Solms & Von Solms, 2004). This will provide the orga- nization with a more holistic view of security and include the development and implementation of risk planning models, security awareness programmes, counter measure matrix anal- ysis and the construction of a security architecture that closely relates to the requirements of the business (Sherwood, 1996; Straub & Welke, 1998). Furthermore, this will help to inte- grate IA policy with multiple functional levels within the firm and will aid both communication and control and provide a framework for feedback. It will also link key IA and business issues such as corporate goals, legal and regulatory processes, best practices and the IT infrastructure (Cresson Wood, 1991; Higgins, 1999; Lindup, 1996; Posthumus & Von Solms, 2004). Moreover, information assurance needs to be aligned to both corporate and information strategy so that appropriate organiza- tional assets and processes can be protected effectively without the need to invest in security procedures in unnecessary areas. Organizations should also seek to balance IA regulations with corporate objectives. Too much restriction can reduce business effectiveness and too little can leave the organization vulnerable to data loss or malicious attacks. Finally, information assurance can only work if stakeholders are aware of the risks and com- ply with the stated regulations. There is an increasing level of engagement between IA professionals and other stakeholders such as external auditors, lawyers, human resource managers and government agencies. Therefore, it is essential that infor- mation assurance is seen as a holistic discipline with senior management support and is championed together with the orga- nization’s objectives. 
Stakeholders are more likely to comply with the regulations if they are aware of the potential consequences to the business’s objectives—and their own roles—if the regulations are not followed effectively. Hence, information assurance must become a concern from a corporate governance and strategic alignment perspective and should rise to the highest levels of the organization (Dutta & McCrohan, 2002; Ezingeard & Birchall, 2004; NACD, 2001; Von Solms, 2001a).

2.2. The Importance of Alignment

The alignment of separate functional strategies—such as information technology and human resources—to corporate strategy has consistently been found to be one of the concerns of top management for the past fifteen years (Brancheau, Janz, & Wetherbe, 1996; Niederman, Brancheau, & Wetherbe, 1991; Youndt, Snell, Dean, & Lepak, 1996). As a result, a great deal of research has been undertaken in this field, especially on the relationship between IS and business functions and the antecedents that influence this relationship (Brown & Magill, 1994; Kearns & Lederer, 2003; Luftman & Brier, 1999). Segars and Grover (1998, p. 143) define alignment as the “close linkage of IS strategy and business strategy.” This process encourages both areas to work together as partners and not, as Smaczny (2001) suggests, as a leader and a follower, with the IS strategy being developed after the business strategy. Rather, both strategies are developed together, at the same time. Reich and Benbasat (2000) argue that alignment is necessary for organizations so that they can take advantage of their IT opportunities and capabilities. Kearns and Lederer (2003) also found that sharing knowledge between the two functions, in order to devise an IT strategy that reflects the business plans, can create competitive advantage.

Unfortunately, there has been little research undertaken on the alignment of information assurance to either information strategy and/or corporate strategy. There have been calls for better governance in this field (Dutta & McCrohan, 2002; Entrust, 2004; IAAC, 2003; Von Solms, 2001a) but little mention is made of the links between the three areas. However, theorists do recognize that IA is a holistic process and involves complex links between technology, executive governance, human behavior and environmental factors (Backhouse & Dhillon, 1996; Baskerville & Siponen, 2002; Ettredge & Richardson, 2003).

Many organizations develop their information security policies in conjunction with their information systems strategy (Knapp & Boulton, 2006; Tsohou, Karyda, Kokolakis, & Kiountouzis, 2006). However, the volume of security-related incidents, and their associated costs, continues to rise (Chang & Yeh, 2006), showing that crucial information assurance issues are being buried in the IS strategy and are not being communicated to the board when necessary. Indeed, van Opstal (2007, p. 6) found that “A preponderance of board members report that boards are under-informed about operational risk”, which, in turn, can cause catastrophic problems, as organizations such as Barings Bank, TJX, and Société Générale have found to their cost (see Section 1.3.1). Security is both a human resource and an organizational concern, and includes other, non-IS factors such as staff motivation, awareness and training; ethics; compliance and legal issues; integration; stakeholder analysis; and information sharing and collaborative mechanisms (Hinde, 2003). Thus, companies cannot afford to hide security and compliance issues within IT strategy. Information assurance must be seen as a separate, holistic and transparent component which is communicated in its own right to the appropriate stakeholders.
2.3. Improving IA Alignment

Aligning information assurance strategy with IS strategy and business strategy is not simply a case of developing all three strategies together. Rather, it involves gathering relevant information, developing relationships between functions and constructing appropriate processes and practices. The literature presents a variety of methods for improving the links between specialist functions such as IA and IS and the general business functions (Chan, 2002; Luftman & Brier, 1999; Sabherwal & Chan, 2001). These can be divided into four categories, which are similar to the strategy process of development, planning and implementation, control, and feedback (Cohen & Cyert, 1973; Frolick & Ariyachandra, 2006; Hansotia, 2002; Kolokotronis, Margaritis, Papadopoulou, Kanellis, & Martakos, 2002; Montealegre, 2002). These are:

• Developing goals and critical success factors—the initial stage of strategy formulation includes the determination of the future direction and performance of the organization (Bryson, Ackermann, & Eden, 2007; Preble, 1992), as well as the functions—such as IA—required to fulfil them.
• Constructing or improving strategy alignment—the next stage of strategy formulation involves the identification of the processes, management and skills required for fulfilling the goals and critical success factors (Barney, 1991; Henderson & Venkatraman, 1993).
• Measuring and reporting practices—after the strategies have been developed and implemented, a review of performance is generally undertaken and corrective actions carried out, if necessary (Daft & Macintosh, 1984; Govindarajan, 1988).
• Evaluating and communicating strategic information to the board—appropriate feedback pertaining to strategy implementation and performance is communicated to the board (Raghupathi, 2007; Siebens, 2002).

In order to ensure alignment, strong links between business, IT and IA goals, critical success factors and strategies are essential. Furthermore, control and feedback will have an impact on strategy and, as a result, will also influence alignment. Finally, the organization’s environment—such as its competition, markets and resources—will help to shape strategy, too. Improving information assurance alignment is discussed in more detail below using these four categories (see Figure 1).

FIG. 1. IA Strategy alignment model.

2.3.1. Developing IA Goals and Critical Success Factors (CSFs)

Three predominant IA goals and CSFs are mentioned in the literature. These are:

• Anticipating threats to the organization and its goals—a breach in information security can have a severe impact on the organization (Logan & Logan, 2003; McHugh, 2001). For example, TJX—the owner of retail discount stores TJ Maxx and Marshalls—failed to comply with the Payment Card Industry Security Standard, which was established by the major credit card companies and sets minimum security expectations. TJX initially failed nine of the twelve compliance requirements and over a two-year period avoided responsibility for improving its security. Due to this lack of diligence, TJX’s credit card data was breached by hackers. Over 94 million credit card records were compromised and TJX had to provide a $41 million settlement fund in order to compensate the affected customers and banks (Burnes, 2008; Chickowski, 2008). This example shows that TJX did not have suitable security controls in place in order to fulfil its business objectives effectively. Likewise, Société Générale lost approximately €4.9 billion ($7.2 billion) due to unauthorised derivatives trading—the result of insufficient risk management information. PriceWaterhouseCoopers reported that the Bank had “a heavy reliance on manual processing and the workload of operating staff meant that certain of the existing controls in place were not operating effectively” (Sandman, 2008, p. 4). As a result, the Bank failed to anticipate the potential threats to the business from its own staff (Vijayan, 2008). Moreover, Société Générale is not the only bank to suffer from the risky behavior exhibited by employees. Barings Bank, Bear Stearns and Credit Suisse have all suffered financial losses attributed to employee misconduct, mismanagement or negligence which were not caught in time by appropriate controls (Wailgum & Sayer, 2008). Anticipating and preventing informational threats is, therefore, vital for ensuring continuing working practices. Thus, an information assurance policy that is linked to business goals and communicated to the employees is an important weapon for preventing potential threats. Whitman (2003, p. 92) states that “The security policy is the first and potentially the most important layer of security available to the organization.” This policy contains the organization’s basic security philosophy, which dictates subsequent decisions, procedures and guidelines including prevention measures.
• Communicating IA procedures to the organization—Employees expect to gain strategic direction from their senior executives. They need to understand what changes to expect, the reasons behind these changes and how they will influence their own work (Edwards, 2000). As a result, senior managers need to be the champions of employee communication (Powers, 1996). In its guidelines, the Turnbull Report (Turnbull, 1999, p. 13) suggests that Boards of Directors may wish to consider whether the company “communicates to its employees what is expected of them and the scope of their freedom to act.” In addition, line managers must develop strong, on-going relationships with other functional managers. For example, managers responsible for the IA, IS and business functions must communicate with one another so that IA, IS and business capabilities are integrated effectively at all levels of the organization (Rockart, Earl, & Ross, 1996). IA procedures can also be communicated to staff through awareness and training programmes, which can cement the organization’s basic security philosophy into its culture (Dutta & McCrohan, 2002).
• Responding to the changing environment and organizational needs—Today’s rapidly transforming business environment tends to encourage greater flexibility and change within organizations. Reengineering programmes, altering management information flows, re-designing business processes and developing new innovative products and services all require substantial input from information assurance experts (Dhillon & Backhouse, 2000; Rockart et al., 1996). In addition, it is important that information assurance issues do not constrain these changes by increasing bureaucracy, rigidity and centralisation of security policies. Baskerville and Siponen (2002) therefore suggest that organizations should develop a more flexible meta-policy which provides guidelines on how security policies are created, implemented and enforced. This will enable security countermeasures to keep pace with the organization’s business requirements.

2.3.2. Constructing or Improving IA Strategy Alignment

Many studies on alignment have been based upon the seminal work undertaken by Henderson and Venkatraman (1993), in which they present a model illustrating the link between IT and business strategy. This was constructed using two concepts, namely strategic fit and functional integration. The former concept acknowledges the need to address both the internal and external business domains in order to develop alignment. The external domain includes the organization’s market place and is concerned with aspects such as the company’s products, marketing and customer information as well as other external factors such as competitors. The internal domain, on the other hand, is concerned with factors such as the company’s structure, culture and processes.
Henderson and Venkatraman suggest that the fit between the internal and external domains is critical for maximising organizational and economic performance. They argue that failure to derive success from IT is frequently due to this lack of alignment. For instance, IT strategies are often unsuccessful because of poor supporting infrastructure and/or poorly skilled human resources. Thus, strategic fit is a key driver for success.

This article is based on the premise that information assurance should also be part of the strategic fit (see Figure 1). Like Henderson and Venkatraman, we suggest that the position of the company in the IA’s external domain will involve choices in three areas:

• The extent of the organization’s willingness to ensure prevention of threats and the security of data—in other words, what are the specific technologies, processes and systems required by a company in order to defend against potential threats so that its business objectives can be fulfilled?
• Systemic competencies—what attributes of IA strategy could positively contribute to the development of a new business strategy or could more effectively support the current strategy? This could include factors such as flexibility, reliability and speed.
• IA governance—what actions can be used in order to acquire the above systemic competencies? This could include alliances with vendors, joint research projects and education initiatives.

In addition, the internal IA domain must address three components:

• Security infrastructure—what technology and software should be included in the security infrastructure? How should this be configured?
• Processes—how should the IA processes and systems be developed, monitored and controlled?
• Skills—how should awareness, knowledge and the capabilities of employees and other stakeholders be developed?

The alignment literature also calls for a link between the business and IT domains. Henderson and Venkatraman label this functional integration. This link specifically deals with the impact that one function has on the other and includes the relationships of both the internal (operational integration) and external (strategic integration) domains. We suggest that information assurance should also be included in the integration between the domains.

The literature suggests a number of methods for developing or improving IA strategy alignment. These are:

• Developing a relationship between IA, IT, and business functions—According to Henderson and Venkatraman (1993) and Ho (1996), the IT function should be capable of both influencing and supporting the business strategy. This is particularly the case for organizations which use their information systems for competitive advantage. However, organizations often focus too readily on technology rather than business, management and organizational issues (Luftman, Lewis, & Oldach, 1993). Likewise, the information assurance function needs to be able to shape and reinforce IT and corporate strategy as well as maintain a balance between security issues and organizational goals (Von Solms, 2001a). The relationships between these functions can be strengthened by encouraging more extensive participation in firm-wide strategic planning (Broadbent & Weill, 1993), improving resource utilization (Edwards, 2000) and enhancing communication and understanding between the three functions (Chan, 2002).
• Linking the formation of IA, IT, and business strategies—Rapid strategic change and the highly competitive nature of today’s business environment require organizations to gather, interpret and synthesize information effectively and securely in order to remain flexible and to enable them to amend corporate initiatives when necessary (Bergeron, Raymond, & Rivard, 2004). As a result, IA, IT and business strategies need to be strongly linked. Chan (2002) and Luftman and Brier (1999) suggest that this link is critical to developing successful alignment. Theorists have found that the link between these three strategies can be facilitated by (a) specifying who has authority and responsibility for risk, conflict resolution and the allocation of resources, (b) having a longer experience of undertaking organization-wide strategic planning processes, (c) focusing on critical and long-term issues, (d) making certain that strategic plans are well documented and are clear and consistent, (e) guaranteeing that the plans enhance overall organizational effectiveness, and (f) ensuring that the reporting level of those responsible for IT and IA is at board level (Broadbent & Weill, 1993; Chan, 2002; Luftman, 2003; Sledgianowski & Luftman, 2005; Tallon, Kraemer, & Gurbaxani, 2000).

2.3.3. Measuring and Reporting Practices

The literature suggests that measuring and reporting information assurance procedures and practices can help to instil a greater commitment to IA from all employees. These include:

Controlling and measuring the effectiveness of IA, IS, and business strategies—one of the greatest challenges of information assurance is to be able to communicate its value to the rest of the organization. In order to achieve this, managers must be able to assess its worth. All too often, however, both IA and IS metrics are difficult for the business to understand. Luftman (2003) therefore suggests a service level agreement which assesses the IA and IS functions’ level of commitment to the organization. The agreement should consist of business-related metrics such as information quality, user satisfaction and business responsiveness and should be presented in language that is easy for non-technical people to understand (Peak & Guynes, 2003; Sledgianowski & Luftman, 2005). The strength of alignment between the IA, IS, and business functions can also be measured. This could include evaluating communication, learning and knowledge sharing, governance, partnerships, processes and skills (Chan, Huff, Barclay, & Copeland, 1997; Luftman, 2000).

2.3.4. Evaluating and Communicating Strategic Information to the Board

According to Von Solms (2001a), the board of directors should be provided with appropriate strategic information on IA. This will help to engage senior managers in the alignment process. This category, therefore, includes the following:

Keeping senior management informed—Often, organizations invest considerable sums of money in developing performance measures but fail to take any action based on these measures (Luftman, 2003). This could have disastrous consequences for organizations if security is breached and there is a failure to act. Chan (2002) suggests that constructing formal reporting relationships and developing evaluation committees are vital. This will enable more effective monitoring and control by senior managers. In addition, the evaluation committees need to define the risk factors—often involving multiple dimensions and meanings—and their impact within the context of information security (Baker, Rees, & Tippett, 2007; Bodin, Gordon, & Loeb, 2008). Accurate measurement, communication and control of potential information security threats and countermeasures can not only save an organization from disaster but may also “assist organizations in converting today’s security threats into tomorrow’s business opportunities” (Da Veiga & Eloff, 2007, p. 369).

This research will attempt to determine the factors that help to strengthen the alignment between IA and corporate strategy. Due to the scarcity of research in this area, we developed quite a broad research question: What methods and processes included in the above four areas can be utilized effectively by organizations in order to align IA and corporate strategy?
3. METHODOLOGY AND RESEARCH DESIGN

The data collection for this research was divided into two stages. The first stage consisted of gathering information through interviews and the second stage involved undertaking the Delphi approach. Anderson, Rungtusanatham, and Schroeder (1994, p. 478) describe the Delphi approach as a technique “intended for systematically soliciting, organizing and structuring judgments and opinions on a particularly complex subject matter from a panel of experts until a consensus on the topic is reached or until it becomes evident that further convergence is not possible.” The Delphi technique is typically employed in circumstances where judgemental information is essential (Okoli & Pawlowski, 2004). In addition, the approach ensures that the data collection process is both reliable and valid because it exposes the investigation to differing, and often divergent, opinions and seeks convergence through structured feedback (Schmidt, Lyytinen, Keil, & Cule, 2001). The objectives of this Delphi study focus on two points: (a) identifying the factors that can influence information assurance alignment, and (b) establishing a consensus on the desirability and the feasibility of implementing each factor.

In order to gather an initial list of statements for our Delphi, we interviewed a number of executives. Forty-three in-depth interviews were undertaken. The interviewees were senior managers; most were appointed to the board of their respective companies. These organizations ranged from SMEs to large multi-national corporations, the majority of which are listed on the stock market. The list of interviewees was drawn up from personal and organizational contacts and aimed to provide a good cross section of companies. The sampling strategy we used is that described by Strauss and Corbin (1990) as ‘open sampling’, where participants are selected to maximize the opportunities for augmenting the pool of relevant data (see Appendix A for further demographic information).

Interviews lasted between 60 and 90 minutes. They were open-ended and discovery oriented (Flint, Woodruff, & Gardial, 2002). Moreover, we tried to maintain a continuous ‘conversation’ rather than follow a rigid list of questions or themes (see Appendix C for some examples of the questions that we asked). Senior executives were engaged with this form of interviewing and we felt they were happy to enter into fairly detailed discussions, perhaps more than they would have been with an interaction based on questions and answers. Few guidelines exist on the optimum size of interview data pools. The idea of theoretical saturation is normally recommended (Locke, 2001) as a guide to sample size, and we feel this saturation was reached in our study.

The interviews were transcribed verbatim and transferred into Atlas-ti (a qualitative analysis software programme) where they were coded using the processes advocated by Strauss and Corbin (1998), namely open, axial and selective coding. Open coding is “the analytic process through which concepts are identified and their properties and dimensions are discovered in data” (Strauss & Corbin, 1998, p. 101). In general, the data is examined and coded line-by-line, by sentence or paragraph, or by a holistic analysis of an entire document (Sarker, Lau, & Sahay, 2001). Although the open coding process is procedurally guided, it is fundamentally interpretive in nature and must include the perspectives and voices of the people that are studied (Strauss & Corbin, 1998). Open coding allows the researcher to name similar events, occurrences and objects so that they can be categorized under common headings.
Next, axial coding was undertaken, which involved the process of sorting all the relevant open codes on alignment into varying categories. Whereas open coding breaks up the data so that it can be analyzed, axial coding reassembles the fractured data in order to discover relationships between the different categories and sub-categories. In this case, the codes in each category were associated with one particular topic on alignment. For instance, one family group was entitled “Options for Evaluating and Communicating Strategic Information to the Board”. Selective coding involves the identification of the core category—or the central phenomenon—and the linking of this core category to other major categories. This integration often occurs as a process model, which illustrates how the axial codes are related. In order to choose our principal category, we needed to ensure that all our other major categories could be linked to this central idea. The central idea chosen for this research was “methods for improving IA-corporate alignment”. Finally, a number of statements were formed from the interview data for each of the axial categories. These statements each suggested one potential method for improving alignment. One statement from the above category, for example, was “Including IA metrics in general IT reports”. These statements were then combined and used for the second stage of the research—the Delphi study.
The first step in the Delphi procedure is to choose an expert panel (Brancheau et al., 1996; Larreche & Montgomery, 1977; Malhotra, Steele, & Grover, 1994). This is a particularly important step because it is the panel that lends content validity to the task (Anderson et al., 1994). Preble’s (1984) research found that there is little difference between a panel of members chosen from a single organization and a panel of experts chosen from multiple organizations. The latter, however, provides a greater range of views and helps improve the generalizability of the results (Nambisan, Agarwal, & Tanniru, 1999; Okoli & Pawlowski, 2004). We selected the second method and chose two different types of panelists. The first type included senior managers who are prominent members of the information security community (Mitchell & McGoldrick, 1994). Each has at least five years of practical experience within the IA field and is renowned for their competence in this area. The second type of panelists are academics who have expertise in information assurance (Guimaraes, Borges-Andrade, Machado, & Vargas, 2001; Okoli & Pawlowski, 2004). This provided a wider knowledge base and a greater range of experience. There were 36 members in the panel (see Appendix B for more information on the participants).

The Delphi approach started with two preliminary rounds (Schmidt et al., 2001). The initial stage involved generating the concepts that would be evaluated in later rounds. In some research studies these have been supplied to the panel as a starting point for idea generation (Anderson et al., 1994; Guimaraes et al., 2001; Nambisan et al., 1999; Saunders & Jones, 1992), while in others the panel commences with a completely blank sheet of paper (Okoli & Pawlowski, 2004; Schmidt et al., 2001; Schmidt, 1997). We preferred to follow the example of the former studies and used the results from our interviews to provide a list of factors that influence information assurance alignment. The panel members were free to amend or comment upon these ideas as well as generate their own concepts. The comments produced by the panel in each round were always fed back to the participants in the next round (Schmidt, 1997). This provided them with qualitative information on the thoughts, ideas and questions raised by other panel members. In addition, many panelists developed a rationale for why certain statements were important—or less important—to them, and this was presented anonymously to the rest of the panel in subsequent rounds. This helped the group to better understand the concepts and encouraged a form of nominal group debate (Malhotra et al., 1994).

Once the ideas had been collected and consolidated, the terminology was clarified and exact duplicates were removed. The resulting list was then sent back to the panel members for the second preliminary round. The objective here was to reduce the number of concepts to a manageable list. We achieved this by asking the panel to rate the concepts in terms of desirability and feasibility on a scale of one to six. The aggregate mean for each concept was calculated for the desirability score and those with a very low mean—that is, those that were deemed to be undesirable—were either refined for clarity or removed. The resulting list—which consisted of 29 statements—was then sent back to the panel. The members were again asked to rate the concepts in terms of desirability and feasibility. This was the first of the consensus rounds. After each round the panel was assessed for consensus using the standard deviation. A standard deviation of less than one implied a high consensus for that statement and it was, therefore, removed from the list and set aside for later consideration during the theory building process.
If the consensus was low, however, the statement was left on the list. The amended list was subsequently sent back to the panel with the aggregated means for each statement and a record of the comments made by the members so that they were aware of the reasons for particular scores. This continued for three rounds until consensus was achieved. The resulting list of statements was then used to develop our theory (a more detailed summary of the analysis process is shown in Appendix D). This was achieved in the following way:

• The final statements were categorized into the four key groups.
• The statements for each group were plotted on a graph which showed the relationship between desirability and feasibility.
• Each graph was divided into four quadrants denoting the levels of desirability and feasibility. This was achieved by plotting the mean for desirability and feasibility in each category.
• Finally, we developed a number of models showing the relationships between the concepts (Anderson et al., 1994; Strauss & Corbin, 1998).

4. RESULTS

As stated above, the 29 statements were classified using the four categories from the literature review. These are discussed in more detail below.

4.1. Options for Developing IA Goals and CSFs

The panel developed a consensus regarding ten desirable goals and critical success factors pertaining to information assurance alignment. As for all the options put to the panel, we asked for the CSFs to be given a feasibility rating, shown
in Figure 2.

Key
A  Gaining senior executive support for information assurance
B  Instilling IA values and awareness amongst employees
C  Anticipating IA threats
D  Developing a security architecture that can rapidly respond to changes in the business environment
E  Clarifying individual IA roles and responsibilities for all employees in the organization
F  Developing IA policy beyond legislation and regulation
G  Developing a 3 to 5 year IA strategy
H  Working together with members of the same industry to develop solutions for IA issues
I  Responding to changing organizational needs by providing flexible IA procedures and regulations
J  Using the latest security technology, when appropriate
K  Improving communication between IA and business functions
L  Aligning IA measures with business objectives
M  Prioritising IT/IA projects in line with organizational goals
N  Improving the knowledge of both IA and corporate goals and requirements for all relevant personnel
O  Involving the IA function in corporate strategy development
P  Developing collaboration between IA and the organization’s other functions
Q  Discussing at board level key strategic dilemmas pertaining to IA, e.g. sharing information vs. tight security
R  Ensuring IA practitioners discuss how IA processes can support or restrict corporate strategy when undertaking IA changes
S  Dedicating resources to making the IA practices responsive to changes in the environment
T  Identifying different (internal and external) stakeholders’ requirements in terms of IA
U  Determining information assurance success by qualitative as well as quantitative measures
V  Using metrics to measure information assurance
W  Evaluating employees’ IA practices
X  Benchmarking IA against external organizations (best practices/standards)
Y  Having IA metrics which focus on time performance (for example, how long did it take to discover incidents and how long did it take to recover)
Z  Providing non-technical reports to the Board of Directors so that they can understand and approve IA policy
(a)  Reporting to the board on how IA goals are being achieved
(b)  Frequent auditing of IA policies
(c)  Including IA metrics in general IT reports

FIG. 2. Options for improving IA alignment. [Four scatter plots, one per category (Developing IA Goals & CSF; Improving Strategy Alignment; Measuring & Reporting Practices; Evaluating and Communicating Strategic Information to the Board), each plotting desirability (less to more desirable) against feasibility (less to more feasible), divided into the quadrants Premier Choices, Challenges, Not Right Yet and Incomplete Options, with statements marked by their key letters.]

The most desirable critical success factor was considered to be acquiring senior management support for information assurance (Statement A). According to the panel of experts,

• This aim is very desirable; it is far easier to implement this kind of—not inexpensive—change with top down support. However as always it is getting that support that is where the difficulty lies.
• I think it’s been proven [that] this is both possible and [that it] yields far better results—security needs to be instilled into the culture which requires efforts from the top down. If senior management won’t take IA seriously, they can’t expect their employees to do so.
• This is one of the main CSFs for a successful implementation of an IA plan.

Anticipating IA threats (C) was also seen as highly desirable. As one expert commented,

Many people try to measure incidents as a way to get insight into their situation. However, incidents are normally very few
and far between . . . There is much more insight to be gained from measuring the threats and anticipating threat trends.

Although the panel did suggest that anticipating IA threats was feasible, the experts did, however, give it the lowest feasibility rating. The reasons they gave can be summarized as follows: it is not always possible to anticipate the unexpected, and it becomes too onerous to keep up to date, since the overhead in gathering data to allow anticipation can be high.

Statements A, B, and F are all seen as highly desirable and highly feasible. Consequently, “gaining senior executive support for information assurance” (A), “instilling IA values and awareness amongst employees” (B), and “developing IA policy beyond legislation and regulation” (F) are seen to be essential and practical for organisations. Statement G, “developing a 3–5 year IA strategy”, was found to be slightly less attractive. Thus, although creating a medium-term strategy is feasible, it is less desirable than other possible approaches. Organisations may, therefore, want to experiment with this concept in order to construct an approach that is much more desirable. In fact, one expert suggested that the development of tactics rather than strategy was more advantageous.

“Developing a security architecture that can rapidly respond to changes in the business environment” (Statement D) and “clarifying individual IA roles and responsibilities for all employees in the organisation” (E) were both seen as desirable but their feasibility scores were lower. Many of the panel members believed that the implementation of these two approaches could be difficult. In particular, they perceived that creating a solid and flexible security architecture could be problematical due to expense and constantly changing threats. In addition, the clarification of roles and responsibilities can also prove to be problematical. As one of our experts stated,

There are staff who simply make mistakes through lack of knowledge and awareness, and staff who knowingly ignore controls or transgress codes of acceptable behaviour through holding unacceptable attitudes or behavioural principles.

The last three approaches, “working together with members of the same industry to develop solutions for IA issues” (H), “responding to changing organizational needs by providing flexible IA procedures and regulations” (I) and “using the latest security technology, when appropriate” (J), had much lower desirability and feasibility scores.

Working with other organizations to resolve IA issues was seen to be desirable. In fact, one panel member suggested that

Information sharing is a crucial and critical part of each enterprise’s IA practice. Others will disagree but this is definitely feasible if only enterprises, public and private sector, stop behaving like mini silos.

It was this lack of cooperation which was of greatest concern to the panel members. Indeed, many respondents were highly enthusiastic about sharing information with other organizations, but as one member stated, “there may be many issues of commercial conflicts that affect this . . . [but] it is also a benefit to get ideas from others outside one’s own industry to see how they have addressed these issues. One can learn a lot from other industry sectors.”
Responding to changing organizational needs (Statement I) was also believed to be problematical. This was primarily due to time and cost issues as well as the need to be both consistent and compliant. However, one expert suggested that if inflexible security policies impeded the organization’s development, it would project a negative image of IA. In addition, another panel member stated,

The linkage between security and business requirements is essential and the ability to deliver procedures and regulations which match a changing business environment is a powerful way to provide benefit rather than be seen as an obstructive overhead. It is not easy to do as frequently it may impose budget or time constraints on projects and business initiatives.

In order to reconcile the need to be flexible with the difficulties in changing IA procedures, the panel recommended that IA should operate, where possible, at the level of general principles rather than detailed procedures.

Finally, using the latest security technology (Statement J) was also believed to be less feasible than many of the other options. Indeed, the experts offered some strong opinions on this issue:

• The latest technology is expensive and not always the most robust.
• Technology is only a minor feature of a sound IA regime. Simple procedures or education may be more cost-effective.
• It can create a false sense of security and possibly raise the level of risk.
• Integrating new technology can be difficult, especially for organizations growing by acquisitions.

4.2. Options for Improving IA Strategy Alignment

112 E. MCFADZEAN ET AL.

The nine factors found in this category were ranked in order of desirability by the expert panel (see Figure 2) and plotted on a graph using the desirability and feasibility mean scores. The results show that effective IA strategy alignment is dependent on the following:

• Raising IA decisions up the organization chart, by either ensuring that the Board is involved in such decisions or making certain that IA practitioners are involved in strategic decision making. As one panel member commented, “The risk is carried by the business function. The purpose of the IA programme is to quantify and articulate that risk to the business function who will then judge how to manage it.”
• Better communication between the functions involved with IA and the rest of the business, and communication of IA goals widely in the organization. As pointed out by one of our experts, “Good IA is the art of communication”. This includes a mutual understanding of the goals and requirements for each function, which is frequently seen as a barrier to alignment. In fact, two panel members argued that “[communication] has to be in a language the functions understand, can relate to and place importance on.” Thus, “We still need to develop suitable terminology where both the IA and the business functions can have a shared understanding.”
• The need for clear mechanisms to ensure that the business impact of IA decisions is checked, at either project level or policy level.

Whatever their desirability, not all options were deemed as feasible as others by the experts involved in our panel. Accordingly, there are five options that can be used to align IA strategy and business strategy that are not only very desirable but also very feasible. Three of these options are concerned with raising the profile of information assurance in the organization. These are

• Involving the IA function in corporate strategy development (Statement O).
• Improving communication between IA and business functions (K).
• Improving the knowledge of both IA and corporate goals and requirements for all relevant personnel (N).

If the involvement of IA managers in strategic decisions is not possible, then better communication is the key to ensuring alignment. The objective of such communications, according to our expert panelists, is to ensure that ‘the business’ knows the reasons behind IA decisions.
Examples of how this can be achieved vary, but in our research we have come across an interesting example of an organization running some form of security intranet:

We have a corporate security website which is frequently referred to in corporate communications which is to do with the softer issues around security and the development of an appropriate culture.

The other two desirable options that were found are concerned with ensuring that there is an element of cross-checking between business projects and their IA impact and vice versa. These are

• Aligning IA measures with business objectives (L).
• Prioritizing IT/IA projects in line with organizational goals (M).

These two statements generated much debate amongst our panelists. In the words of one expert, “If this is not done the IT/IA is out of control and the boss should be fired.” However, many other panelists suggested that, sadly, only a few organizations ensured that the ideas contained in the above two statements were adhered to. The answer to why this may be the case is, perhaps, referred to by one panelist who suggested that there were ‘many people’ involved in ensuring alignment at project level and this made it a complex exercise. Interestingly, we had come across a strategy of how this could be achieved in one of our earlier interviews in a multi-national bank with headquarters in central Europe. Here, the bank runs a forum where different parts of the business can exchange ideas with IA staff. This has been very beneficial for the participants because the forum facilitates communication. At the same time, control is used to guarantee alignment within the bank by ensuring that the IA function scrutinizes all IT projects at a detailed level. The bank leaves no room for basic technical flaws that could have a negative security impact.

“Developing collaboration between IA and the organization’s other functions” (P) was perceived as desirable by our panel members but it was also seen as potentially hazardous to implement. The importance of this collaboration was emphasized by our respondents. As one member stated, “The business drives the requirements and IA requirements need to be incorporated at source, otherwise there will be conflict between business and IA objectives.” However, the ease with which this collaboration takes place depends on a number of factors including the way in which security is organised within the company, the culture of the organization, and the level of understanding between IA officials and the rest of the staff. According to one panel member, collaboration “has to be in the language of the manager” so that they can relate to it.

There were three options that were seen to be less desirable and feasible in this category. These are “discussing at board level key strategic dilemmas e.g. sharing information vs. tight security pertaining to IA” (Statement Q), “ensuring IA practitioners discuss how IA processes can support or restrict corporate strategy when undertaking IA changes” (R), and “dedicating resources to making the IA practices responsive to changes in the environment” (S). Statement Q, discussing key strategic dilemmas, was seen as important, but the majority of our panel members thought this should not be undertaken at board level. According to one respondent, “Board agendas can make it difficult to achieve the correct level of interest but audit committee, risk committee etc may provide opportunities to raise [these issues] with executive management and [provide] a vehicle for placing [them] before the board.” The opportunity to place relevant issues before the board was seen as important. As one panel member said, “The accountability is at board level so this is where it should be resolved.” However, it was felt that the detailed discussions on these dilemmas should be undertaken at the audit or risk committee level.

The lower desirability and feasibility scores for “ensuring IA practitioners discuss how IA processes can support or restrict corporate strategy when undertaking IA changes” (Statement R) indicate that there was a lack of confidence in communicating possible problems. According to one respondent, “That would take a good understanding of the impacts [of IA on corporate strategy] which most of us don’t have. It could also be seen as a red flag by managers.” However, many in our panel stressed that IA should not just be seen in terms of risk but also as a business enabler.

Finally, Statement S, “dedicating resources to making the IA practices responsive to changes in the environment”, also had a lower desirability and feasibility score. The idea of flexibility was generally seen as advantageous but there was some concern about the impression that this may give to employees, namely that IA was a collection of moveable goalposts when in reality there is a large number of immutable rules. Moreover, calculating the cost and the amount of resources required to provide this flexibility was seen as highly problematical.

4.3. Options for Measuring and Reporting Practices
This category contains six statements. “Identifying different (internal and external) stakeholders’ requirements” (Statement T) was deemed to be very desirable by the panel of experts. This is because

• Every organization has to interact with others and share information. Interoperability requires a reconciliation of different policy stances.
• Those selling via the Internet need to ensure customers’ personal and credit card details are secure as well as protecting their “own” information.
• It is a BS7799/ISO 17799 requirement.
• It helps to encourage a security-focused culture for all organizations involved in the value chain.
• The information is useful to feed into strategies, awareness initiatives, etc.

“Benchmarking IA against external organizations (best practices/standards)” (X) was also perceived as a desirable method of measuring and reporting information assurance issues. However, although it was seen as an attractive option, the panel of experts were less enthusiastic about its feasibility. Two of the major disadvantages of benchmarking with external companies are the lack of willingness to share information between organizations and the fact that other firms may be located in different business environments and are therefore difficult to compare. Thus, “Identifying different (internal and external) stakeholders’ requirements” (T) was perceived to be a more feasible approach for measuring and reporting IA practices. However, the experts suggested a number of potential problems with ascertaining stakeholder requirements:

• We may not know who the stakeholders are or, if we do, they may not be able to communicate their requirements in any meaningful way.
• Often the stakeholders are not sure of their requirements.

The experts, therefore, suggested that a stakeholder analysis should be undertaken by management, followed by the development of a framework mapping out the stakeholders and their information assurance requirements. Once this map had been completed it should be evaluated and updated regularly.

Moreover, the panel strongly felt that using metrics to measure information assurance (V) was desirable. In particular, the respondents considered that IA should be measured using both quantitative and qualitative methods (U). As one respondent stated, traditional quantitative metrics do not provide a thorough evaluation of IA processes:

I feel that both quantitative and qualitative measures can more accurately show the contribution of information security.

Another metric that was deemed desirable was the focus on speed of responsiveness (Y). In fact, one respondent suggested that the only metric that mattered in determining the effectiveness of internal control was time: how long it took to discover an incident and to recover. However, evaluating incidents is not always easy. As one panel member stated, “It is difficult to estimate how many unsuccessful attempts to access a system have been made but it is possible to determine those that succeed—sometimes. Metrics can cause a lot of problems if used incorrectly.”
Assessing employees’ IA practices (W) provided a lot of comments from the panel of experts. They suggested that this was an important issue and should be part of the annual appraisal process. However, it was proposed that this assessment should only occur after the employee has been on an appropriate awareness and training programme. This assessment of employees was deemed to be desirable for the following reasons:

• Assessment is one method of identifying and reporting on the state of security awareness in the company.
• Regular audits are essential to ensure that the documented processes and procedures are being followed and to ascertain the reasons they are not being followed, if this is the case.
• IA is about culture and the cultural values can only be reinforced by reference to current behavior.
• Regular assessment can exert pressure on employees to comply with information assurance standards.

The respondents were also asked to look at the feasibility of each statement. Although some options were seen as desirable to the panel of experts, they can be difficult to implement effectively. For example, two panel members pointed out that measuring and evaluating the employees’ IA practices (W) can be expensive. In addition, these practices need to be defined and communicated to the employees, and the employees themselves are required to recognize and accept the need for IA controls.
From Figure 2, it can be seen that statements T (Identifying different (internal and external) stakeholders’ requirements in terms of IA) and W (Evaluating employees’ IA practices) are shown to be both highly desirable and highly feasible. Organizations can, therefore, implement these processes with relative ease. Consequently, these actions may be two of the organization’s initial IA processes to be implemented. However, statements U (Determining information assurance success by qualitative as well as quantitative measures) and V (Using metrics to measure information assurance) are seen to be desirable by the experts but their feasibility scores are lower. Statement U is, in fact, seen as a very desirable option but finding the most appropriate and accurate qualitative and quantitative measures could be challenging for managers.

4.4. Options for Evaluating and Communicating Strategic Information to the Board

This category consists of four factors which are listed in terms of desirability and plotted against feasibility in Figure 2. “Providing non-technical reports to the board” (Statement Z) was seen as the most desirable reporting practice. The panel of experts suggested that the report could consist of the following:

• Clear cost/benefit statements
• An evaluation of the organization’s risk environment
• The organization’s IA performance measured against industry peers
• A forecast of potential threats and their impact on current policy
• Clear recommendations on future strategy and focus
• A list of business benefits that have accrued with the help of the current IA strategy
• A statement of commitment and compliance for the organization.

Similarly, “Reporting to the board on how IA goals are being achieved” (Statement (a)) was also seen to be highly desirable and feasible. Indeed, many in the panel thought that this was “critical in most businesses today” and is essential for good governance and control. As one panel member suggested, effective communication is a key part of information assurance.

Two further evaluating and reporting practices were also mentioned by the panel, “Frequent auditing of IA policies” [Statement (b)] and “Including IA metrics in general IT reports” [Statement (c)]. According to one panel expert, the former “will clearly have a role in helping to ensure compliance, but the frequency must be such that it does not become overly burdensome for all concerned.” There was general agreement amongst the panel that IA policy auditing should occur no more frequently than once a year, although organizations which are not so dependent on technology should audit “every two to three years given legislation and changing market expectations.”

Including IA metrics in general IT reports (c) was seen as “a good awareness tool” by the panel. However, many of the experts suggested that developing the IA metrics in the first instance could be problematical. Indeed, one panel member went so far as to suggest that “Metrics are not fully developed enough for this to be effective” although others indicated that developing effective measures was possible as long as they
are acceptable to all the appropriate stakeholders. Furthermore, our experts felt that the IT/IS function was not the only area that should include these metrics. As one Delphi participant stated, this “implies that IA is just part of IT. This is a very bad concept as it increases the extant communications gap with all non-IT people. The metrics should be in all the line managers’ reports starting with finance and sales/marketing.” Nonetheless, one expert suggested that auditing is only useful if supported by enforcement methods and if it actively helps to resolve breaches; in other words, the audit should also ask ‘why’ questions. In general, a large number of the panel agreed that auditing should not be used to develop a “blame culture”.

5. DISCUSSION: STRENGTHENING IA AND CORPORATE ALIGNMENT

In total, the expert panel agreed on twenty-nine factors that influenced IA and corporate alignment. However, although most of these actions were recognized as desirable, the panel thought that a number of them were not easily implemented. Consequently, we plotted desirability against feasibility on a scatter graph for each of the four categories. We then calculated the midpoint for each scale in order to produce the 2×2 matrices (see Figure 2).

5.1. Premier Choices

The top right hand box in the matrices was seen by the panel as both highly desirable and highly feasible. We, therefore, named this segment “Premier Choices”. Twelve of the factors were positioned in this sector.

According to Bergeron, Raymond, and Rivard (2001), Miller (1981), and Venkatraman (1989), strategic alignment can be viewed as a series of frequently recurring clusters of attributes, or gestalts, which are predictive in nature. This perspective of alignment seeks “to look simultaneously at a large number of variables that collectively define a meaningful and coherent slice of organizational reality” (Miller, 1981, p. 8). Thus, the twelve factors were placed into six predictive clusters for enhancing alignment, namely Intra-Organizational Communication, Training and Awareness, Evaluating Practices, IA—IS—Business Unity, Identifying Requirements and Senior Management Involvement and Support (see Figure 3).

[Figure 3: Methods for enhancing alignment—premier choices. The twelve premier choices drawn from the four categories (Developing IA Goals & CSF; Improving Strategic Alignment; Measuring & Reporting Practices; Evaluating & Communicating Strategic Information to the Board) are grouped into six clusters: Intra-Organizational Communication; Training & Awareness; Evaluating Practices; IA – IS – Business Unity; Identifying Requirements; Senior Management Involvement & Support. The items shown are: improving communications between IA & business functions; improving the knowledge of both IA & corporate goals & requirements for all relevant personnel; instilling IA values and awareness amongst employees; evaluating employees’ IA practices; aligning IA measures with business objectives; developing IA policy beyond legislation & regulation; identifying different (internal and external) stakeholders’ requirements in terms of IA; gaining senior executive support for information assurance; prioritising IA/IT projects in line with organizational goals; involving the IA function in corporate strategy development; providing non-technical reports to the Board of Directors so that they can understand and approve IA policy; reporting to the board on how IA goals are being achieved.]
5.1.1. Intra-Organizational Communication

The research found three premier choices for developing alignment through intra-organizational communication. These are

• Improving communication between IA and business functions.
• Providing non-technical reports to the board of directors so that they can understand and approve IA policy.
• Reporting to the board on how IA goals are being achieved.

Improving communication between functions as well as throughout the hierarchy was therefore seen as an essential element for enhancing information assurance alignment. Similar ideas can also be found in the work of Broadbent and Weill (1993), Chan (2002), and Willcoxson and Chatham (2004). Brown and Ross (1996) suggest that enhanced cooperation and communication will improve mutual understanding, appreciation and trust between functions. However, this crucial communication is often left to a few individuals who tend to converse regularly with other departments (Huang & Hu, 2007). Research has found that alignment can be enhanced when the senior managers of each function share and communicate domain knowledge with one another (Reich & Benbasat, 2000). Lack of understanding and poor job security both contribute to inadequate communication between technologists and business leaders (Jeffery & Leliveld, 2004). According to Ward and Peppard (1996), the different functions within organizations must recognize that there is a problem with communication and trust before these challenges can be solved. In an effort to reduce these problems, structural overlays such as top management advisory groups, audit and IA steering committees, matrix reporting, cross-functional job rotations, physical co-location and inter-departmental events could be implemented (Brown, 1999; Brown & Ross, 1996). This would provide opportunities for developing partnerships and undertaking mutual education and training. In addition, ensuring a greater understanding of information assurance and providing feedback on how IA goals are being achieved would help to convey the value of IA to both board members and employees alike. They could encourage greater commitment from staff for maintaining and/or improving information security procedures and policies throughout the organization. This is particularly the case for board members. As one of our experts stated, “Corporate strategists are not so interested in IA unless there is an obvious need and reason.” It is therefore important to provide board members with a greater understanding of the value and goals of information assurance. Furthermore, developing a forum where ideas—and potential disagreements—can be discussed between functions acts as an additional enabler for alignment. This can encourage mutual respect and a greater sense of teamwork.

5.1.2. Training and Awareness

The panel suggested two premier choices for enhancing alignment through training and awareness. These are

• Instilling IA values and awareness amongst employees.
• Improving the knowledge of both IA and corporate goals and requirements for all relevant personnel.
Instilling IA awareness and values amongst employees was seen as a crucial factor for enhancing alignment. In fact, one expert stated that

An essential element in providing security is that it needs to be implemented. Failure to engage employees means that it is unlikely to be implemented. The trick is to make it meaningful to employees both in business terms and in terms of their own day-to-day work.

In addition, employees need to feel personally responsible for the security of their organization and they need to be able to learn and react quickly when the need arises (Kesh & Ratnasingam, 2007). This is especially the case during a security crisis where contingency plans need to be implemented promptly. It is therefore essential that all employees are provided with the necessary training and given adequate information on the latest security threats (D’Arcy & Hovav, 2007; Whitman, 2003).

The panelists also suggested that engagement was equally necessary for senior managers. To achieve this, it was recommended that IA personnel should emphasize the relationship between business goals and security when communicating with business managers:

The senior executives, particularly in the current climate, are sensitised to ensuring internal control is effective. IA is part of internal control and assists in addressing business risks. If senior executives are approached on a business risk basis (not a technical risk basis) then getting buy-in (or better transfer of ownership) is much easier to accomplish.

Along a similar vein, Broadbent and Weill (1993) advocate that rotating middle and senior managers between functions may serve as an effective method for improving both understanding and relationships between the different departments.

5.1.3. Evaluating Practices

According to Vroom and Von Solms (2004, p. 193), “The role of the employees is vital to the success of any company, yet unfortunately they are also the weakest link when it comes to information security.” Employees can pose a significant IA risk to organizations due to the number of security breaches undertaken by staff each year (Schultz, 2002). These include both malicious attacks and accidental breaches, which can be caused by negligence or ignorance of IA policies. Mitnick (2003) demonstrates how easy it is for employees to be deceived into giving out personal information to potential hackers.

One of the premier choices for enhancing alignment advocated by our panel—evaluating employee IA practices—would help to reduce security breaches undertaken by staff as well as helping to instil IA awareness into the business culture. This evaluation should include basic technical “good practice” such as monitoring the installation of unauthorized software (Da Veiga & Eloff, 2007) and assessing employee security awareness (Kruger & Kearney, 2006) as well as monitoring any changes in behavior or the exacerbation of excessive personal or group conflicts (D’Arcy & Hovav, 2007; Dhillon, 2001). Moreover, it is essential that any carelessness, lack of knowledge or disregard of procedures is dealt with quickly in order to ensure compliance.

5.1.4. IA—IS—Business Unity

The panel suggested that there are three premier choices for ensuring unity between functions. These are

• Aligning IA measures with business objectives.
• Prioritising IA/IT projects in line with organizational goals.
• Involving the IA function in corporate strategy development.

Previous alignment research has shown that developing strong links between functions helps organizational performance (Bergeron et al., 2004). Luftman (2000), for example, found that prioritising projects was a key enabler of alignment. In this instance, prioritising IA/IT projects implies that managers are able to incorporate security policies and measures into their IT and business strategies in order to keep abreast of competitors (Luftman, Papp, & Brier, 1999). For example, eBay emphasizes peace of mind to its customers by providing information on safety and security protocols in its Safety Center. This information has been built into eBay’s key service, namely its internet site.

The above three premier choices are designed to develop a sense of collaboration, unity and understanding between the functions (Kearns & Lederer, 2003). This should enhance communication and provide greater commitment towards fulfilling both IA and organizational goals (Brown & Magill, 1994).

5.1.5. Identifying Requirements
  • 68. Identifying the IA requirements of internal and external stakeholders and developing IA policies, procedures and guide- lines to help support these requirements were both seen by the panel as essential enablers of information assurance alignment. Post and Kagan (2007) and McFadzean, Ezingeard, and Birchall (2007) suggest that excessively tight information secu- rity can hinder both employees and customers alike. Systems can become inaccessible due to tight controls, which can reduce staff productivity, or access controls—such as passwords—can be too complex thereby forcing stakeholders to write them down in order to aid memory. Moreover, stakeholders can have dif- ferent perceptions of risk. For example, employees’ views of potential threats may not correspond to that of information secu- rity professionals (Tsohou et al., 2006). It is for these reasons, that some theorists believe that a more holistic view of IA is required (Backhouse, Hsu, & Silva, 2006; Zuccato, 2004). Understanding the needs of stakeholders, therefore, is essential INFORMATION ASSURANCE AND CORPORATE STRATEGY 117 for developing this holistic view and encouraging greater align- ment and compliance. This information can also be used to develop more effective IA policies. IA policies should present the company’s overall purpose and direction of information assurance as directed by senior managers and should be in accordance with the organization’s vision (Da Veiga & Eloff, 2007). These should include Internet and e-mail policies, access control policies, physical and envi- ronmental policies as well as policies dealing with specific
  • 69. threats such as social engineering (Mitnick, 2003). In addition, these policies need to be audited to ensure that they are in the best interests of the company, that they guarantee compliance and that they help to fulfil the organization’s goals (Vroom & Von Solms, 2004). 5.1.6. Senior Management Involvement and Support The alignment literature has acknowledged the need for senior management involvement and support in order to enhance the link between functions (Brown & Magill, 1994; Chan, 2002; Kearns & Lederer, 2003). According to Edwards (2000, p. 49), “Individuals and groups within the organization will look for direct and indirect signs [from senior managers] in order to understand what strategic changes to expect, the rationale behind the changes and the direct connections to their individual work.” In addition, Reich and Benbasat (2000) found that the social dimensions of alignment were influenced by the sharing and communication of domain knowledge by the senior managers of each function. In fact, Luftman, Papp, and Brier (1999) identified senior management support as the most important enabler of alignment. Likewise, the panel of experts also found that this is an essential ingredient of effective IA alignment. Senior managers must recognize and communicate the importance and value of information assurance to the rest of the organization. Furthermore they need to define and con- vey a clear IA vision and strategy to all internal and external stakeholders as well as providing the appropriate resources for IA projects. 5.2. Challenges The bottom right hand box of the matrices includes those factors that are desirable but are not easily implemented. In other words, there are still barriers to be overcome before
• 70. these issues can be put into action. We have called this segment “Challenges.” Six factors were placed in this category (see Figure 4).

[Figure 4: Information Assurance Alignment matrix. Quadrants: Premier Choices; Further Options (Require further work); Incomplete Options (Not Right Yet); Challenges (May require change in managerial philosophy/business environment). Categories: Improving Strategic Alignment; Evaluating & Communicating Strategic Information to the Board; Developing IA Goals & CSF; Measuring & Reporting Practices.]

• 71. Factors shown in Figure 4:
• Developing collaboration between IA and the organization’s other functions
• Discussing at board level key strategic dilemmas pertaining to IA
• Ensuring IA practitioners discuss how IA processes can support or restrict corporate strategy when undertaking IA changes
• Dedicating resources to making the IA practices responsive to changes in the environment
• Frequent auditing of IA policies
• Including IA metrics in general IT reports
• Anticipating IA threats
• Developing a security architecture that can rapidly respond to changes in the business environment