INFORMATION ASSURANCE AND CORPORATE STRATEGY 107
current strategy? This could include factors such as flexibility, reliability and speed.
• IA governance—what actions can be used in order to acquire the above systemic competencies? This could include alliances with vendors, joint research projects and education initiatives.
In addition, the internal IA domain must address three components:
• Security infrastructure—what technology and software should be included in the security infrastructure? How should this be configured?
• Processes—how should the IA processes and systems be developed, monitored and controlled?
• Skills—how should awareness, knowledge and the capabilities of employees and other stakeholders be developed?
The alignment literature also calls for a link between the business and IT domains. Henderson and Venkatraman label this functional integration. This link specifically deals with the impact that one function has on the other and includes the relationships of both the internal (operational integration) and external (strategic integration) domains. We suggest that information assurance should also be included in the integration between the domains.
The literature suggests a number of methods for developing or improving IA strategy alignment. These are
• Developing a relationship between IA, IT, and business functions—According to Henderson and Venkatraman (1993) and Ho (1996), the IT function should be capable of both influencing and supporting the business strategy. This is particularly the case for organizations which use their information systems for competitive advantage. However, often organizations focus too readily on technology rather than business, management and organizational issues (Luftman, Lewis, & Oldach, 1993). Likewise, the information assurance function needs to be able to shape and reinforce IT and corporate strategy as well as maintain a balance between security issues and organizational goals (Von Solms, 2001a). The relationships between these functions can be strengthened by encouraging more extensive participation in firm-wide strategic planning (Broadbent & Weill, 1993), improving resource utilization (Edwards, 2000) and enhancing communication and understanding between the three functions (Chan, 2002).
• Linking the formation of IA, IT, and business strategies—Rapid strategic change and the highly competitive nature of today's business environment requires organizations to gather, interpret and synthesize information effectively and securely in order to remain flexible and to enable them to amend corporate initiatives, when necessary (Bergeron, Raymond, & Rivard, 2004). As a result, IA, IT and business strategies need to be strongly linked. Chan (2002) and Luftman and Brier (1999) suggest that this link is critical to developing successful alignment. Theorists have found that the link between these three strategies can be facilitated by (a) specifying who has authority and responsibility for risk, conflict resolution and the allocation of resources, (b) having a longer experience of undertaking organization-wide strategic planning processes, (c) focusing on critical and long-term issues, (d) making certain that strategic plans are well documented and are clear and consistent, (e) guaranteeing that the plans enhance overall organizational effectiveness, and (f) ensuring that the reporting level of those responsible for IT and IA are at board level (Broadbent & Weill, 1993; Chan, 2002; Luftman, 2003; Sledgianowski & Luftman, 2005; Tallon, Kraemer, & Gurbaxani, 2000).
2.3.3. Measuring and Reporting Practices
The literature suggests that measuring and reporting information assurance procedures and practices can help to instil a greater commitment to IA from all employees. These include:
• Controlling and measuring the effectiveness of IA, IS, and business strategies—one of the greatest challenges of information assurance is to be able to communicate its value to the rest of the organization. In order to achieve this, managers must be able to assess its worth. All too often, however, both IA and IS metrics are difficult for the business to understand. Luftman (2003) therefore suggests a service level agreement which assesses the IA and IS functions' level of commitment to the organization. The agreement should consist of business related metrics such as information quality, user satisfaction and business responsiveness and should be presented in language that is easy for non-technical people to understand (Peak & Guynes, 2003; Sledgianowski & Luftman, 2005). The strength of alignment between the IA, IS, and business functions can also be measured. This could include evaluating communication, learning and knowledge sharing, governance, partnerships, processes and skills (Chan, Huff, Barclay, & Copeland, 1997; Luftman, 2000).
2.3.4. Evaluating and Communicating Strategic Information to the Board
According to Von Solms (2001a), the board of directors should be provided with appropriate strategic information on IA. This will help to engage senior managers in the alignment process. This category, therefore, included the following:
• Keeping senior management informed—Often, organizations invest considerable sums of money in developing performance measures but fail to take any action based on these measures (Luftman, 2003). This could have disastrous consequences for organizations if security is breached and there is a failure to act. Chan (2002) suggests that constructing formal reporting relationships and developing evaluation committees are vital. This will enable more effective monitoring and control by senior managers. In addition, the evaluation committees need to define the risk factors—often involving multiple dimensions and meanings—and their impact within the context of information security (Baker, Rees, & Tippett, 2007; Bodin, Gordon, & Loeb, 2008). Accurate measurement, communication and control of potential information security threats and countermeasures can not only save an organization from disaster but they may also "assist organizations in converting today's security threats into tomorrow's business opportunities" (Da Veiga & Eloff, 2007, p. 369).
108 E. MCFADZEAN ET AL.
This research will attempt to determine the factors that help to strengthen the alignment between IA and corporate strategy. Due to the scarcity of research in this area, we developed quite a broad research question:
What methods and processes included in the above four areas can be utilized effectively by organizations in order to align IA and corporate strategy?
3. METHODOLOGY AND RESEARCH DESIGN
The data collection for this research was divided into two stages. The first stage consisted of gathering information through interviews and the second stage involved undertaking the Delphi approach. Anderson, Rungtusanatham, and Schroeder (1994, p. 478) describe the Delphi approach as a technique "intended for systematically soliciting, organizing and structuring judgments and opinions on a particularly complex subject matter from a panel of experts until a consensus on the topic is reached or until it becomes evident that further convergence is not possible." The Delphi technique is typically employed in circumstances where judgemental information is essential (Okoli & Pawlowski, 2004). In addition, the approach ensures that the data collection process is both reliable and valid because it exposes the investigation to differing, and often divergent, opinions and seeks convergence through structured feedback (Schmidt, Lyytinen, Keil, & Cule, 2001).
The objectives of this Delphi study focus on two points: (a) identifying the factors that can influence information assurance alignment, and (b) establishing a consensus on the desirability and the feasibility of implementing each factor.
In order to gather an initial list of statements for our Delphi, we interviewed a number of executives. Forty-three in-depth interviews were undertaken. The interviewees were senior managers; most were appointed to the board of their respective companies. These organizations ranged from SMEs to large multi-national corporations; the majority of which are listed on the stock market. The list of interviewees was drawn up from personal and organizational contacts and aimed to provide a good cross section of companies. The sampling strategy we used is that described by Strauss and Corbin (1990) as 'open sampling' where participants are selected to maximize the opportunities for augmenting the pool of relevant data [see Appendix A for further demographic information]. Interviews lasted between 60 and 90 minutes. They were open-ended and discovery oriented (Flint, Woodruff, & Gardial, 2002). Moreover, we tried to maintain a continuous 'conversation' rather than follow a rigid list of questions or themes (see Appendix C for some examples of the questions that we asked). Senior executives were engaged with this form of interviewing and we felt they were happy to enter into fairly detailed discussions, perhaps more than they would have been with an interaction based on questions and answers. Few guidelines exist on the optimum size of interview data pools. The idea of theoretical saturation is normally recommended (Locke, 2001) as a guide to sample size, and we feel this saturation was reached in our study.
The interviews were transcribed verbatim and transferred into Atlas-ti (a qualitative analysis software programme) where they were coded using the processes advocated by Strauss and Corbin (1998), namely open, axial and selective coding.
Open coding is "the analytic process through which concepts are identified and their properties and dimensions are discovered in data" (Strauss & Corbin, 1998, p. 101). In general, the data is examined and coded line-by-line, by sentence or paragraph or by a holistic analysis of an entire document (Sarker, Lau, & Sahay, 2001). Although the open coding process is procedurally guided, it is fundamentally interpretive in nature and must include the perspectives and voices of the people that are studied (Strauss & Corbin, 1998). Open coding allows the researcher to name similar events, occurrences and objects so that they can be categorized under common headings.
Next, axial coding was undertaken, which involved the process of sorting all the relevant open codes on alignment into varying categories. Whereas open coding breaks up the data so that it can be analyzed, axial coding reassembles the fractured data in order to discover relationships between the different categories and sub-categories. In this case, the codes in each category were associated with one particular topic on alignment. For instance, one family group was entitled, Options for Evaluating and Communicating Strategic Information to the Board.
Selective coding involves the identification of the core category—or the central phenomenon—and the linking of this core category to other major categories. This integration often occurs as a process model, which illustrates how the axial codes are related. In order to choose our principal category, we needed to ensure that all our other major categories could be linked to this central idea. The central idea chosen for this research was “methods for improving IA-corporate alignment”.
Finally, a number of statements were formed from the interview data for each of the axial categories. These statements each suggested one potential method for improving alignment. One