THE FACTORS AFFECTING INFORMATION TECHNOLOGIES RISK MANAGEMENT AT TURKEY’S STATE UNIVERSITIES

Year 2018, Volume: 10 Issue: 2, 46 - 62, 01.06.2018

Vildan Ateş Bilal Güneş

Abstract

The aim of this study is to identify factors affecting IT risk management in universities, to explore patterns among these factors and to reveal an IT risk management model. The research universe consists of 548 IT employees in Turkey’s state universities’ IT centers.
The factors effecting IT risk management success were determined based upon related literature, expert views and a theoretical model has been proposed to successful IT risk management. A quantitative research model was used and an instrument named IT Risk Management Scale (ITRM-S) was developed and used for data collection. The data analyses of this study were done by using SPSS and LISREL programs.
It is found that IT risk management process was affected by human factor, institutional, environmental and technological factors and the model for successful IT risk management have been verified. Results show that institutional, environmental and technological factors directly affect the success of IT risk management. Furthermore, it is seen that human factor affects IT risk management success through environmental factors. Results were compared with literature results and recommendations are presented to researchers and practitioners.

Keywords

Information technology, IT risk ·management, human factor, structured equation model, Turkey

References

• Ahlan, Abd Rahman and Arshad, Yusri (2012), “Information Technology Risk Management: The Case Of The International Islamic University Malaysia”, Journal Of Research And Innovation In Information Systems, No: 1, pp. 58-67.
• Aktaş, F.Özden and Soğukpınar, İbrahim (2010), “Bilgi Güvenliğinde Uygun Risk Analizi ve Yönetimi Yönteminin Seçimi İçin Bir Yaklaşım”, TBV Bilgisayar Bilimleri ve Mühendisliği Dergisi, Vol. 3, pp. 53-62.
• Al-Awadi, Maryam and Renaud, Karen (2009), “Success factors in information security implementation in organizations”, IADIS International Conference e-Society.
• Ang, Wee Horng; Lee Yang W; Madnick Stuart E.; Mistress Dinsha and And Siegel, M. (2006, August). “House of security: Locale, roles and resources for ensuring information security”. Conference on Information Systems, Acapulco, Mexico.
• Büyüköztürk, Şener (2002), “Faktör Analizi: Temel Kavramlar ve Ölçek Geliştirmede Kullanımı”, Kuram ve Uygulamada Eğitim Yönetimi, Vol. 32, pp. 470-483.
• Chang Shuchih. E. and Ho Chienta B. (2006), “Organizational factors to the effectiveness of implementing information security management”, Industrial Management & Data Systems, Vol. 106, pp.345-61.
• Çokluk Ömer, Şekercioğlu Güçlü and Büyüköztürk Şener (2010), Sosyal bilimler için çok değişkenli istatistik SPSS ve LISREL uygulamaları (First Edition). Ankara: Pegem Publishing.
• Ekelhart, Andreas; Stefan, Fenz and Neubauer, Thomas (2009, January), “AURUM: A Framework for Information Security Risk Management” 42nd International Conference on System Sciences, Hawaii, pp.1-10.
• Giles, David C. (2002), “Qualitative research in psychology”, Advanced research methods in psychology. London: Routledge.
• Goel, Sanjay and Chen, Vicki. (2010), “Information Security Risk Analysis–A Matrix-Based Approach”. Information Resources Management Journal, Vol.23, No.2, pp.33-52.
• Jahner, Stefanie and Krcmar, Helmut (2005), “Beyond Technical Aspects of Information Security: Risk Culture as a Success Factor for IT Risk Management”, The Americas Conference on Information Systems, pp. 462.
• Kairab, Sudhanshu (2005), A practical guide to security assessments (First Edition). Boca Raton, FL: Auerbach Publications, pp. 23.
• Kankanhalli, Atreyi; Teo, Hack-Hoi; Tan, Bernard C. Y.and Wei, K-K. (2003), “An Integrative Study of Information Systems Security Effectiveness”, International Journal of Information Management, Vol. 23, No: 2, pp.139-154.
• Knapp, Kenneth. J. and Marshall, Thomas E. (2007), “Top Management Support Essential for Effective Information Security” In Tipton, H. F. & Krause, M. (Eds.), Information security management handbook (6th edition), Boca Raton, FL: Auerbach Publications, pp. 51-58.
• Kotulic, Andrew G. (2001), The Security Of The IT Resource And Management Support: Security Risk Management Program Effectiveness, Unpublished Doctora Thesis, The University Of Texas At Arlington, USA.
• Kraemer, Sara; Carayon, Pascale and Clem, John. (2009), “Human and organizational factors in computer and information security: Pathways to vulnerabilities”, Computers & Security, Vol. 28, pp. 509–520.
• Kvavik, Robert B and John Voloudakis (2006), “Safeguarding the Tower: IT Security in Higher Education”, Educase Center For Applied Research (ECAR), Vol. 6, pp. 21-43.
• Lacey, David (2009), Managing the Human Factor in information security: How to win over staff and influence business managers (First Edition). England: Wiley & Sons, pp.134-137.
• Norman, Anir A. and Yasin, Mord N. (2013), “Information systems security management (ISSM) success factor: Retrospection from the scholars”. African Journal of Business Management, Vol: 7, No. 27, pp. 2646-2656.
• Park, Sangseo; Ahmad, Atif and Ruighaver, Anthonie B. (2010, April), “Factors Influencing the Implementation of Information Systems Security Strategies in Organizations”, International Information Science and Applications Conference, Seoul, Korea, pp. 1-6.
• Rezgui, Yacine and Marks, Adam (2008), “Information security awareness in higher education: An exploratory study”, Computers&Security, Vol. 27, No. 7-8, pp. 241-253.
• Saleh, Mohamed.S and Alfantookh, Abdulkader (2011), “A new comprehensive framework for enterprise information security risk management”, Applied Computing and Informatics, Vol. 9, No. 2, pp. 107–118.
• Savic, Ana (2008), “Managing It-Related Operational Risks”, Ekonomski Annals, Vol. 53, No. 176, pp. 88-109.
• Shields, Tyler; Balaouras, Stephanie; Johnson, David K. and Frechette, Thayer (2014), “Raise The Security Bar With Human-Factor-Friendly Design Concepts”, Forrester Research Report.
• Taney, Francis. X. Jr and Costello, Thomas (2006), “Securing the whole enterprise: Business and legal issues”, IT Professional, Vol. 8, No. 1, pp. 37-42.
• Teneyuca, David (2001), “Organizational Leader’s Use of Risk Management for İnformation Technology”, Information Security Technical Report, Vol. 6, No. 3, pp. 54-59.
• Tohidi, Hamid (2011), “The Role of Risk Management in IT systems of organizations”, Computer Science, Vol. 3, pp. 881–887.
• Vellani, Karim H. and Robert E. Owles (2007),“Vulnerability and Risk Assessments in the Environment of Care”, Journal of Healthcare Protection Management, Vol. 23, No. 2, pp. 67-77.
• Werlinger, Rodrigo; Hawkey, Kirstie and Beznosov, Konstantin (2009), “An integrated view of human, organizational, and technological challenges of IT security management”, Information Management & Computer Security, Vol. 17, No. 1, pp. 4-19.
• Yaraghi, Niam and Langhe, Roland G. (2011), “Critical success factors for risk management systems”, Journal of Risk Research, Vol.14, No:5, pp. 551-581.
• Yeo, Ai. C; Rahim, Mahbubur. M. And Miri, Leon (2007, April), “Understanding factors affecting success of information security risk assessment: The case of an Australian higher education institution”, 11th Pacific Asia Conference on Information Systems, University of Auckland, Auckland New Zealand, pp.1-12.
• Yıldırım, Ebru Y; Akalp, Gizem; Aytaç, Serpil and Bayram, Nuran (2011), “Factors influencing information security management in small- and medium-sized enterprises: A case study from Turkey”. International Journal of Information Management, Vol.31, No. 4, pp. 360-365.
• Yılmaz, Veysel and Çelik, Eray H. (2009), LISREL ile Yapısal Eşitlik Modellemesi–1 (First Edition). Ankara: Pegem Academy, pp.29.