Impacts of organizational capabilities in information security Jacqueline H. Hall, Shahram Sarkani and Thomas A. Mazzuchi Department of Engineering Management and Systems Engineering, The George Washington University, Washington, DC, USA Abstract Purpose – This research aims to examine the relationship between information security strategy and organization performance, with organizational capabilities as important factors influencing successful implementation of information security strategy and organization performance. Design/methodology/approach – Based on existing literature in strategic management and information security, a theoretical model was proposed and validated. A self-administered survey instrument was developed to collect empirical data. Structural equation modeling was used to test hypotheses and to fit the theoretical model. Findings – Evidence suggests that organizational capabilities, encompassing the ability to develop high-quality situational awareness of the current and future threat environment, the ability to possess appropriate means, and the ability to orchestrate the means to respond to information security threats, are positively associated with effective implementation of information security strategy, which in turn positively affects organization performance. However, there is no significant relationship between decision making and information security strategy implementation success. Research limitations/implications – The study provides a starting point for further research on the role of decision-making in information security. Practical implications – Findings are expected to yield practical value for business leaders in understanding the viable predisposition of organizational capabilities in the context of information security, thus enabling firms to focus on acquiring the ones indispensable for improving organization performance. Originality/value – This study provides the body of knowledge with an empirical analysis of organization’s information security capabilities as an aggregation of sense making, decision-making, asset availability, and operations management constructs. Keywords Information security, Organizational performance, Organizational capabilities, Strategy implementation success, Structural equation modeling, Strategic management Paper type Research paper 1. Introduction Despite increasing investment in information security and its strategic role in today’s business success, effective implementation of information security strategy still remains one of the top challenges facing global organizations (Ernst & Young, 2007, 2008; Fratto, 2009; TechAmerica, 2009; PricewaterhouseCoopers, 2008). Business has been urged to make information security, a strategic issue for organizations to compete The current issue and full text archive of this journal is available at www.emeraldinsight.com/0968-5227.htm This work was based on a conference paper titled “Moderating roles of organizational capabilities in information security”, which was presented by the authors at the 5th International Conference on i-Warfare and Security (ICIW 2010), 8-9 April 2010, Dayton, Ohio. Impacts of organizational capabilities 155 Received 8 November 2010 Revised 7 January 2011 Accepted 14 February 2011 Information Management & Computer Security Vol. 19 No. 3, 2011 pp. 155-176 q Emerald Group Publishing Limited 0968-5227 DOI 10.1108/09685221111153546