Dynamic Information Security Management Capability: Strategising for Organisational Performance
This paper addresses a strategic concern for organizational boards and management regarding cybersecurity, but it appears incremental, as it builds on existing theories without introducing a new paradigm.
The paper tackles the lack of conceptualization of dynamic Information Security Management (ISM) capability and its link to organizational performance by defining this capability, developing a strategic model based on Resource-Based Theory and Dynamic Capabilities View, and planning empirical tests to demonstrate causality.
The increasing frequency, impact, consequence and sophistication of cybersecurity attacks is becoming a strategic concern for boards and executive management of organisations. Consequently, in addition to focusing on productivity and performance, organisations are prioritising Information Security Management (ISM). However, research has revealed little or no conceptualisation of a dynamic ISM capability and its link to organisational performance. In this research, we set out to 1) define and describe an organisational-level dynamic ISM capability, 2) develop a strategic model that links resources with this dynamic capability, and then 3) empirically demonstrate how dynamic ISM capability contributes to firm performance. By drawing on Resource-Based Theory (RBT) and Dynamic Capabilities View (DCV), we have developed the Dynamic ISM Capability model to address the identified gap. As we develop this research, we will empirically test this model to demonstrate causality between ISM capability and organisational performance.