Dynamic Information Security Management Capability: Strategising for Organisational Performance

TL;DR

This paper defines and models a dynamic Information Security Management capability at the organizational level, linking it to firm performance through empirical testing based on Resource-Based Theory and Dynamic Capabilities View.

Contribution

It introduces a novel conceptual model of dynamic ISM capability and empirically demonstrates its positive impact on organizational performance.

Findings

Dynamic ISM capability positively influences firm performance.

The proposed model links resources with strategic ISM capabilities.

Empirical evidence supports the causality between ISM capability and performance.

Abstract

The increasing frequency, impact, consequence and sophistication of cybersecurity attacks is becoming a strategic concern for boards and executive management of organisations. Consequently, in addition to focusing on productivity and performance, organisations are prioritizing Information Security Management (ISM). However, research has revealed little or no conceptualisation of a dynamic ISM capability and its link to organisational performance. In this research, we set out to 1) define and describe an organisational level dynamic ISM capability, 2) to develop a strategic model that links resources with this dynamic capability, and then 3) empirically demonstrate how dynamic ISM capability contributes to firm performance. By drawing on Resource-Based Theory (RBT) and Dynamic Capabilities View (DCV), we have developed the Dynamic ISM Capability model to address the identified gap. As we develop this research, we will empirically test this model to demonstrate causality between ISM capability and organisational performance.