- The computerisation of business processes is changing the concepts of ensuring organisational security. In this doctoral dissertation we explain how to approach information security management in the modern business world, what its impact is on business success, and how to assess its maturity. In a situation where the evolution of information threats unfolds alongside difficult economic conditions, many organisations are unable to control information risks while keeping pace with technological trends. The findings of the dissertation present an approach to achieving this balance and are useful for business owners, managers, professional staff and other interested parties. We find that information security management is limited above all by poor information support for planning. Organisations that do not establish their baseline situation and do not assess the effectiveness and efficiency of security cannot achieve alignment between operational measures, security needs and organisational strategy. We therefore place the assessment of information security quality at the centre of the discussion. We study this area through the lens of a business function, taking as our starting point the recommendations from the field of IT security, followed by theories of systems, threat/crime prevention, management and organisation. The main result is an interdisciplinary model for assessing the information security competence of organisations. In the process of developing a comprehensive approach to assessing the state of information security, we identified the measures that the profession regards as effective and efficient. In a survey conducted among experts in Slovenia, we analysed the validity of the selected measures and their impact on the quality of information security. According to the recommendations, repressive-supervisory and logical controls should be addressed first in the initial phases, followed by strategic, social, organisational, normative and environmental aspects.
The result of the research is a decision-making tool consisting of ten factors and 100 uniquely weighted measurement indicators. Using the model, organisations are classified into one of six performance classes, each of which comes with recommendations for improvement. To evaluate the usefulness of the proposed solution, we tested the model in practice in an additional study. We implemented it in a small sample of medium-sized organisations and found that information security in these organisations is in its initial stages of development. With the exception of physical, technical and logical controls, the most influential criteria are the least developed, and of all areas the greatest difficulties appear in carrying out information risk analyses. Taking into account the technological context of the organisations, by which we normalised the indexed results, it turned out that 25% of organisations take care only of basic aspects, 40% fall into the intermediate level, and 35% can be rated as good practice. Judged by the development of their measures, 60% of the studied organisations are in a reactive posture, and in general most develop roughly half of the measures in the model. By comparing the units we established which factors separate effective organisations from ineffective ones, and by analysing correlations we developed recommendations for further measures. The evaluation also showed that the model is useful for decision-making in internal evaluations, whether case studies or analyses of the general situation in larger samples.

In the course of this thesis, we aim to resolve three questions: how to approach information security management effectively and efficiently; what the impact of this security function is on overall business success; and how to prove security maturity through performance measurements. In today's corporate world, many organisations are challenged by their inability to successfully manage information security risks while trying to keep up with the trends of technological development.
The findings of this doctoral dissertation deliver an answer that is intended for those who are interested in how to systematically advance information security in a manner that contributes to functional balance. We hypothesise and prove that information security management currently lacks proper information support. Organisations that are not capable of performing analytics of security performance cannot achieve alignment between the operational measures, security needs, and organisational strategy. Since the area has been studied through the lens of business functions, the starting points for developing a solution were based on the recommendations of IT professionals, followed by the system, threat prevention, and organisational theories. Observations made within security literature and research, legislation, and standards suggest that there are ten key areas that should be addressed when trying to manage information security risks. We identified numerous preventive and reactive, technical and management-oriented security measures that should be incorporated into a security system. In the scope of initial research conducted among security experts, we analysed the validity and significance of those security measures for information security performance. The obtained data made it possible to weight the variables in terms of their impact. The final outcome is a decision-making tool (the 10×10 information security performance model) which consists of ten critical success factors and 100 unique, weighted key performance indicators. In applying this model, the organisation is categorised into one of six levels of maturity that determine which measures should be developed for improvement. We also aimed to validate the utility of the proposed approach, so the second study applied the 10×10 model to a small sample of organisations. We learned that information security in those organisations remains in its initial development stages.
With the exception of physical, technical and logical controls, the most influential criteria are the least developed. In fact, the biggest problems are reflected in the management and analysis of information risks. These controls include a variety of approaches to the measurement of information security, which confirms the significance of the study undertaken. Taking account of the technological context of the organisations, the graph of the situation shows that 25% of the units only catered to their most basic security needs, 40% made it to the intermediate level, and 35% were recognised as good practices. The results showed that most of these organisations develop only half of the security measures recommended in the model. By benchmarking the organisations, we identified which factors separate efficient organisations from inefficient ones, and by analysing correlations between factors, we developed recommendations for further development. The most important impact of this study is that the presented model makes an original contribution to social science as well as to the field of IT security. It reaches beyond the limitations of previous studies that merely focused on isolated information security dimensions which are, in fact, interconnected. The added value of this study is seen in the development process, as the model also considers the opinion of experts, while proving its practicality and validity. It is useful for decision-making in the context of internal evaluations or analyses of the overall situation in larger samples.
