Abstract
Information security is a naturally intrusive topic that has not been researched to its full extent in IS. Taking note of a previous information security study that failed and the lessons learned from it, we successfully carried out a study of our own with some modifications. The purpose of the study was to identify critical success factors for an effective security risk management program at a Fortune 500 firm. In this paper we detail the modified critical success factor method that was used, which we hope will prove beneficial for academic researchers. The study also has practical implications: it provides a method that corporations may find suitable when investigating a sensitive subject.
Additional information
Notes on contributors
Humayun Zafar
Dr. Humayun Zafar is an Assistant Professor of Information Security and Assurance at Kennesaw State University, Kennesaw, GA. He received his doctorate from the University of Texas at San Antonio. His research interests include organizational security risk management, network security, and organizational performance. Some of his previous work has appeared in journals and conferences such as the Communications of the AIS, Information Resources Management Journal, Hawaii International Conference on System Sciences, and Americas Conference on Information Systems.