Information security management objectives and practices: a parsimonious framework

Qingxiong Ma, Department of Computer Information Systems, University of Central Missouri, Warrensburg, Missouri, USA
Allen C. Johnston, Department of Accounting and Information Systems, University of Alabama Birmingham, Birmingham, Alabama, USA
J. Michael Pearson, Department of Management, Southern Illinois University, Carbondale, Illinois, USA

Abstract

Purpose – As part of their continuing efforts to establish effective information security management (ISM) practices, information security researchers and practitioners have proposed and developed many different information security standards and guidelines. Building on these previous efforts, the purpose of this study is to put forth a framework for ISM.

Design/methodology/approach – This framework is derived from the development of an a priori set of objectives and practices as suggested by literature, standards, and reports found in academia and practice; the refinement of these objectives and practices based on survey data obtained from 354 certified information security professionals; and the examination of interrelationships between the objectives and practices.

Findings – The empirical analysis suggests: four factors (information integrity, confidentiality, accountability, and availability) serve as critical information security objectives; most of the security areas and items covered under ISO 17799 are valid, with one new area – “external” or “inter-organizational information security”; for moderately information-sensitive organizations, “confidentiality” has the highest correlation with ISM practices; and for highly information-sensitive organizations, “confidentiality”, “accountability”, and “integrity” are the major ISM objectives. The most important contributor to information security objectives is “access control”.

Research limitations/implications – This study contributes to the domain of information security research by developing a parsimonious set of security objectives and practices grounded in the findings of previous works in academia and practical literature.

Practical implications – These findings provide insights for business managers and information security professionals attempting to implement ISM programs within their respective organizational settings.

Originality/value – This paper fulfills a need in the information security community for a parsimonious set of objectives and practices based on the many guidelines and standards available in both academia and practice.

Keywords: Data security, Communication technology

Paper type: Research paper

The current issue and full text archive of this journal is available at www.emeraldinsight.com/0968-5227.htm

Received 14 October 2007; Revised 14 January 2008; Accepted 14 January 2008

Information Management & Computer Security, Vol. 16 No. 3, 2008, pp. 251-270. © Emerald Group Publishing Limited, 0968-5227. DOI 10.1108/09685220810893207