Role of the boards and senior management within formal, technical and informal components: IS/IT security governance in the Malaysian publicly listed companies

In IT governance, there are two types of responsibilities, first is IT value governance and second is IT risk governance. The primary objective of this study is to examine the second type of responsibility, IT risk governance and specifically looking into the involvement of the board, senior management and all management levels in IS/IT security. Prior research has shown a lack of involvement by the board and senior management in understanding IS/IT security problems, unbalanced implementation of IS/IT security within the formal, technical and informal components and lack of internal controls application over IS/IT security. The gap found in this study has lead to the development of two major research questions, Research Question 1-In what way does the involvement of Boards and senior management impact on the implementation of IS/IT security governance? and Research Question 2-How can directing and monitoring actions in the technical, formal and informal components of IS/IT security governance in corporations be implemented effectively and efficiently? The two research questions have steered the development of the conceptual framework, the model of IS/IT security governance and the research methods. The IS/IT security governance model is an extension of the conceptual framework, the model prescribes several areas relating to the elements of the three components, formal, technical and informal and component interactions (Relationship Type 1-Formal/Informal, Relationship Type 2-Formal/Technical and Relationship Type 3-Technical/Informal) within Malaysian Publicly Listed Corporations. The model suggests IS/IT security ought to be included within risk management and internal controls practices, through 'directing' and 'monitoring' actions and exclusively emphasises the supervision role and the relationship between the supervisor (giver) and the holder of responsibility. Because the nature of study is sensitive and confidential; the study has adopted a triangulation method. Data were collected using interviews and a mail survey as primary sources and website analysis as a secondary source. 12 interviews were conducted with CEOs, CIOs, other senior managers and IT manager from eight companies of Group A (Top) and Group B (Middle) across different industries. Despite a low response rate for the mail survey, the data have high validity as interviews and responses involved appropriate people in leading organisations in Malaysia from Group A(Top) and Group B(Middle)- high profit and large market capitalisation organisations and experienced senior managers. Content analysis over 210 annual reports of website data from Group A, Group B and Group C was conducted. The data from interviews, survey and website analysis have supported the model of IS/IT security governance. The findings from the interview data are consistent with the elements of formal, technical and informal components and component interactions; risk management and internal controls over IS/IT security and 'directing' and 'monitoring' actions over IS/IT security are supported. The results of the survey have shown that the respondents had similar perspectives as the model. The website analysis revealed that two factors may determine IS/IT security governance, the group type and industry type.