A capability approach to managing organisational information security

M. Carcary, E. Doherty, G. Conway

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; peer-reviewed


Information security is becoming increasingly important for most organisations, as it can add real value by facilitating interaction with trading partners, enabling closer customer relationships, and enabling new and easier ways to process electronic transactions that result in a competitive advantage. However, this enhanced business performance comes with increased risk: for example, in 2018 information security breaches totalled 1,244 and affected more than 446 million records (Identity Theft Resource Centre (ITRC), 2018). Due to the sensitive nature of customer data, the recent legislative changes around how data is handled (e.g. GDPR) and the mounting information security risks, it is critical for organisations to have a robust and reliable information security system in place. The information security system and its associated strategies should not just react to information security incidents, but protect the data, and anticipate and seek to prevent attacks from cyber criminals. A robust information security system should incorporate the inventory and monitoring of information, and manage how the data is captured, stored, used, handled, and transmitted internally, in data centres, in the cloud, and across the network. This paper proposes a capability approach for the management of information security that encapsulates the management and control of the integrity, confidentiality, accountability, usability, and availability of information. The paper presents a conceptual model and assessment tool, developed via an open innovation and collaborative research approach, that an organisation can use to understand and assess the maturity of its information security. The conceptual model uses a holistic and systematic approach and is designed to provide real value to organisations by enabling them to drive improvements in the management of their information security, to maximise the potential benefits and to minimise or alleviate any risks.
© 2019, Curran Associates Inc. All rights reserved.
Original language: Undefined
Title of host publication: European Conference on Information Warfare and Security, ECCWS
Number of pages: 8
ISBN (Electronic): 978-191276428-0
Publication status: Published (in print/issue) - 31 Jul 2019
Event: European Conference on Information Warfare and Security - Coimbra
Duration: 4 Jul 2019 - 5 Jul 2019


Conference: European Conference on Information Warfare and Security
Abbreviated title: ECCWS 2019


  • Information security (InfoSec)
  • Information security management
  • Information security management system (ISMS)
