Assessment of information security maturity
An exploration study of Malaysian public service organizations
Suhazimah Dzazali
National Institute of Public Administration, Cyberjaya, Malaysia, and
Ali Hussein Zolait
Department of Information Systems, College of Information Technology,
University of Bahrain, Sakhir, Bahrain
Abstract
Purpose – The purpose of this paper is to examine the basis factors involved in the information
security management systems of Malaysian public service (MPS) organizations. It presents an
empirical analysis conducted to identify the antecedents of the information security
maturity (ISM) of an organization, and to clarify the relationship between ISM and the social and
technical factors identified.
Design/methodology/approach – This study uses a quantitative approach and convenience sampling;
the required data were collected from 970 key players’ managers in information security, in a total of
722 government agencies, through a self-administered survey. The research adopted the Wallace et al.
process to develop and validate the study’s instrument.
Findings – The paper provides empirical insights and reveals a number of underlying dimensions of
social factors and one technical factor. Risk management was found to be the formal coping
mechanism adopted in the MPS organizations and is the leading factor towards ISM. The social factors
have the most influence on MPS organizations’ ISM. The findings demonstrate that two independent
variables, risk management and individual perception, discriminate between those organizations that
have high and low ISM.
Research limitations/implications – The research results may lack generalization; therefore,
researchers are encouraged to test the proposed propositions further in a different context.
Practical implications – The paper includes implications for the development of a powerful
instrument in explaining the ISM. Moreover, it helps internal stakeholders of an organization to
formulate a more appropriate policy or give a more effective focus on issues that are really relevant to
MPS information security management.
Originality/value – This paper fulfils the identified need to explore determinants of information
security maturity.
Keywords Malaysia, Data management, Risk management, Data security, Information security,
Public service organizations, Security management, Security assessment, Security maturity,
Security awareness
Paper type Research paper
1. Introduction
It has been established that information is one of the most important assets which an
organization may possess. Since most organizations have made the move from the
physical world into cyberspace this asset has been under attack from a multitude of new
sources (Jessup and Valacich, 2008). Consequently, information security has propelled
The current issue and full text archive of this journal is available at
www.emeraldinsight.com/1328-7265.htm
Received 23 April 2011
Revised 8 November 2011
Accepted 25 January 2012
Journal of Systems and Information Technology
Vol. 14 No. 1, 2012
pp. 23-57
© Emerald Group Publishing Limited
1328-7265
DOI 10.1108/13287261211221128