Identifying Governance Dimensions to Evaluate Information Systems Security in Organizations

Gurpreet Dhillon 1, Gurvirender Tejay 2, and Weiyin Hong 3
Virginia Commonwealth University 1, 2; University of Nevada, Las Vegas 3
gdhillon@vcu.edu 1, tejaygp@vcu.edu 2, whong@unlv.nevada.edu 3

Abstract

Prior studies in information systems security have placed limited emphasis on empirically identifying security dimensions. This research paper presents the results of an empirical study to understand governance dimensions of information systems security. The research study was conducted in three phases involving interviews, an exploratory phase and a confirmatory phase. The exploratory phase generated a 4-factor, 16-item model for behavioral security of an organization. The confirmatory phase involving structural equation modeling validated the impact of governance dimensions on the overall information systems security of an organization. Data was collected from two different samples of 163 and 175 respondents for each phase respectively. The results suggest that the governance dimensions impact information system security of an organization through behavioral security.

1. Introduction

In today’s interconnected world, organizations are becoming increasingly dependent on information systems. The security risks to information systems have also steadily increased. Organizational members become extremely important in their role as the frontline defense of an organization. We have seen all too often employees fall prey to the social engineering ploys of hackers. This is only one aspect of the problem. Any type of control would ultimately be implemented by an individual. As such, it becomes pertinent to understand the behavior of people in an organization, as it would assist in propagating an information security consciousness [1].

In spite of increased incidents of information system security breaches and the ever-increasing reliance of organizations on information technologies, there is limited understanding of various dimensions that result in information systems security problems [2]. There is very little empirical research that has investigated various aspects of information systems security, in particular the nature and scope of its dimensions. There is also a limited understanding of how organizations manage the various information systems security dimensions and what potential problems there might be [3]. As a consequence there is a clear need to identify and establish mechanisms that would be required to successfully manage information systems security.

In this study, we address these important concerns and evaluate the related information systems security issues. The overall objective of this research is to investigate various behavioral dimensions of information systems security. The argument of the research paper is that the knowledge of information systems security dimensions would allow organizations to expend effort in an efficient and effective manner, subsequently leading to a secure organization. It is imperative to develop methods that would allow some manner of assessment of security in an organizational context.

2. Theoretical development

Concerns for security are not new [4]. Given our increased reliance on information technologies, worries about security breaches have compounded [5]. Information systems security literature has emphasized the importance of “softer” behavioral issues associated with people in ensuring security in an organization. As [2] argue, there is too much emphasis on technological solutions as compared to that on people in addressing the issues of information systems security.

A body of literature in the field of information systems security has highlighted the criticality of establishing responsibility structures for the success of information systems security management ([6], [7]). Responsibility

Proceedings of the 40th Hawaii International Conference on System Sciences - 2007. 1530-1605/07 $20.00 © 2007 IEEE