This paper contains a proposal for a study that will investigate Information Security Governance (ISG) in the Federal Government Entities (FGEs) of the United Arab Emirates (UAE). Specifically, the project will construct a framework for ISG and its improvement in FGEs based on primary data from an FGE-focused survey. This specific topic has not been investigated in recent peer-reviewed articles, and with the fast development of cyberspaces and ISG, current data are required for the continued advancement of the area.
Still, recent research covers certain ISG-related topics, including ISG in public administration and businesses in many countries. Some of the countries include Malaysia (Perumal et al., 2018), India (Anand, Medhavi, Soni, Malhotra, & Banwet, 2018), Saudi Arabia (Abu‐Musa, 2010), and Taiwan (Huang & Farn, 2016). Therefore, some literature that can be used to frame the current project exists. Certain studies of ISG in the UAE took the form of dissertations, but they are not peer-reviewed publications, and they were not included in the preliminary literature review.
Background of the Study
ISG is a term that has many definitions, and such inconsistencies can become a problem. However, for this project, ISG will be broadly defined as the employment of different types of controls (policies, procedures, audits, and other methods) over information security (Abu-Musa, 2010; Nicho, 2018; Perumal et al., 2018). ISG’s primary function is ensuring the control of security-related processes, which is supposed to result in improved alignment and quality (Abu-Musa, 2010; Nicho, 2018). In turn, information security is a crucial aspect of information system management that is necessary for their safe use (Perumal et al., 2018; Safa, Solms, & Furnell, 2016). Therefore, the investigation of ISG and its best practices is an important research objective.
Modern governments have been increasingly using cyberspaces. This development prompts them to look into and adopt ISG (Huang & Farn, 2016; Perumal et al., 2018; Ramtohul & Soyjaudah, 2016). Indeed, information security is a concern for the UAE government (Government.ae, 2019b). However, the latest guideline that included ISG was published by the Abu Dhabi Systems and Information Centre (2014) in 2014, which makes it slightly outdated. As a result, more recent data for ISG in FGEs would be very helpful.
No peer-reviewed sources discuss ISG in FGEs in the UAE. However, the government of the UAE has been working on a maturity model for its digital services. This model may incorporate ISG, but it is not focused on ISG (Government.ae, 2019b). In addition, the effort is not finished yet, which is why the research on the chosen topic is still required. Similarly, an article by Nicho (2018) consisted of the development of a process model for ISG implementation, and it employed five UAE specialists. Still, the study was not focused on best ISG practices or FGE. As a result, the proposed project remains unique and can be very useful for FGEs.
Purpose of the Study
The literature that covers ISG demonstrates certain tendencies. Thus, a common approach to ISG investigation consists of proposing frameworks for its implementation and effective use, which are typically based on expert views, existing literature, and case studies (Abu-Musa, 2010; Anand et al., 2018; Nicho, 2018; Perumal et al., 2018). In addition, reviews of existing frameworks, practices, and practical issues can be found (Ramtohul & Soyjaudah, 2016). This project will follow these tendencies while focusing on the area of ISG that has not been investigated by recent research.
Thus, the purpose of the study is to provide the UAE government entities with information that would assist them in employing ISG efficiently. The eventual goal of the project is to develop an ISG framework for FGEs in the UAE. The framework will incorporate a description of the current elements of ISG in the UAE (inputs, processes, practices, outcomes) and relevant opportunities for improvement. Based on this goal, seven objectives have been set.
Multiple objectives have been established with the help of a preliminary literature review related to important ISG factors. The first objective is to determine the attitudes of the sampled FGEs toward ISG. The second one is to establish the value of ISG for the FGEs. The attitudes of the people who are supposed to implement ISG are important for its use, and ISG outcomes can be used to improve such attitudes (Abu-Musa, 2010).
The third objective is to find out the main features of ISG practices and processes in FGEs. The fourth objective is connected to the previous one; it consists of determining the presence or absence of strategic alignment and performance-measuring systems in FGEs. According to the literature review, these features are very important for ISG (Abu-Musa, 2010; Anand et al., 2018; Nicho, 2018), and they will be considered separately to ensure their coverage.
The fifth objective is to determine the best practices and strategies of FGEs’ ISG. The sixth objective is to evaluate the maturity of the entities’ ISG. The final objective is to rank FGEs. The findings regarding the best practices and ISG maturity will be consolidated into a benchmarking system that will then be used to rank FGEs based on their following or failing to follow particular best practices (Perumal et al., 2018). This way, the project will evaluate the state of ISG in the UAE and gather enough data to produce the framework.
Theoretical and Conceptual Framework
The theoretical framework that was chosen for this project consists of the theory of open innovation and the model of continuous innovation. The former refers to the theory that innovation is enabled and advanced due to idea exchanges within and outside of an entity (Alexy, Bascavusoglu-Moreau, & Salter, 2016; Gupta et al., 2016). The latter model has varied definitions, but the one that is used here proposes that entities are capable of and can benefit from continuous learning and improvement, which express themselves in innovation (Lianto, Dachyar, & Soemardi, 2018). Together, these two models can summarize the core intention and underlying assumptions of the project.
The key assumption of this research is that the current state of FGEs’ ISG can be improved through the introduction of ideas from individual FGEs and relevant literature. In a way, the project attempts to promote the exchange of ideas between FGEs and other entities that are interested in ISG. ISG, which is the central concept of the project, is treated as an innovative element that the UAE government promotes and the subject of innovation. The embracing of the most effective practices and processes would allow the improvement of FGEs’ ISG. Thus, it is assumed that continuous innovation is an important factor in FGEs and that an open idea and data exchange between FGEs would facilitate it. This way, the two theories connect the key concepts of the project, including ISG, FGEs, and best practices.
Information Security Governance: Case Profile
There is little to no research on ISG in the UAE, especially in FGEs, but certain information can be gleaned from official documents produced by the government. The UAE government highlights its interest in information technology and security. Thus, the National Cybersecurity strategy is regularly updated, and its goals include employing mechanisms for governance (Government.ae, 2019a). Moreover, governance is an element of the maturity model for the UAE e-government (Government.ae, 2019b). However, the guidelines on security policy that were issued by the Computer Emergency Response Team and Telecommunications Regulatory Authority (2012) did not include governance specifically.
Still, the ISG is a major part of the policy by the Abu Dhabi Systems and Information Centre (2014). In it, ISG is described as an information security domain that is one of the main pillars (or foundations) required for comprehensive security systems. The policy states that every government entity is expected to institute an ISG committee for security-related decision-making. The committee is also supposed to be responsible for overseeing security programs, including their design (with measurable objectives and strategic alignment), funding, and monitoring. In other words, government entities of the capital of the UAE are required to implement ISG.
The UAE government has announced its intent to review the maturity of the e-government services of all its entities. It has already created an evaluation framework, which includes governance, but the project is yet to be completed, and the findings are not released yet (Government.ae, 2019b). There are no recent peer-reviewed sources that would evaluate the entities’ implementation of ISG requirements.
International organizations offer some data; for example, the International Institute for Management Development (2019) demonstrates that the country has been steadily improving its digital competitiveness in many aspects, including regulatory frameworks and cybersecurity. However, the organization does not discuss the performance of individual FGEs and does not explicitly focus on ISG. In other words, the current assessment of ISG in the UAE is not completed, and while policies for it exist, little can be said about its practical use.
The project will utilize a survey design to collect information about ISG in FGEs and their best practices. Surveys are an approach to examining units by gathering relevant data from their representatives (Joye, Wolf, Smith, & Fu, 2016). This structure is aligned with the project’s objectives and final goal; a part of the project will be aimed at collecting data about FGEs, which is appropriate for a survey (Joye et al., 2016; O’Sullivan, Rassel, Berner, & Taliaferro, 2017). However, the project will also employ a mixture of survey responses and literature review to determine the features that are likely to distinguish positive and helpful practices from less effective ones. The first four objectives will use primary data (survey), but the remaining three will also utilize secondary data from literature reviews.
The data collection instrument (a survey) will be made for the project, but it will employ the data from the literature review, including the questions that had been adopted by similar studies. Also, since there is no study that would pursue this project’s objectives, they will be treated as the main guide in creating the survey. The development of questionnaires for surveys is a common practice for this methodology (McNabb, 2015), which means that this method is justified. The systematic approach to literature review will be used (McNabb, 2015; O’Sullivan et al., 2017). This way, the project should be able to collect relevant and recent information for the evaluation of best practices.
The data analysis approaches of the study can be considered mixed. The survey will produce quantifiable findings, and they will be subjected to descriptive statistical analysis (Burke & Soffa, 2018). This way, the project will be able to describe ISG in FGEs. However, the last objectives of the project can only be achieved through an in-depth analysis of the data and its comparison with the existing findings from other literature. This part of the project is qualitative, and its analysis methods can be termed as comparative (Burke & Soffa, 2018; McNabb, 2015). Thus, the analysis methods will be determined by the needs of the study.
The recruitment will be carried out by directly contacting FGEs, which offer phone numbers and online contact information. At least two people from each FGE will be recruited; as a result, the sample will contain the representatives of all the studied entities. However, it should be acknowledged that their reports may be subject to individual biases and might not be fully accurate (McNabb, 2015; O’Sullivan et al., 2017). From this perspective, the recruitment of several representatives should serve as a form of controlling for discrepancies in data. As of 2019, the Ministry of Cabinet Affairs (2019) distinguishes 49 FGEs, which means that the total sample is supposed to have 98 people. In summary, the study will have well-established methods that are aligned with its objectives.
Innovation and Significance of the Study
As has been demonstrated, the proposed research will cover a topic that has not been studied on its own. Furthermore, it is in line with the interest of the UAE government in ISG and information technology. Since the government is currently in the process of developing a maturity framework for its e-services, recent data on ISG that is tailored to the UAE FGEs would be helpful. The resulting framework of ISG best practices and improvement might find practical use.
The expected outcome of the project is a workable framework that would guide UAE FGEs in their employment of ISG. In addition, the data that will be used to develop this framework will be important on its own for both individual entities and the government as a whole. Furthermore, this research will help to determine issues and potential for improvement in FGEs. Thus, the project will review and diagnose the current state of FGE ISG and offer direct recommendations to FGEs. Finally, the study might also produce some data that future studies can employ to ask new, more detailed questions about ISG in the UAE and other countries, as well as ISG in FGEs and other entities.
To summarize, the importance of ISG is determined by the risks that are associated with using cyberspaces. As FGEs proceed to employ information technologies to deliver services to the UAE citizens, they need to ensure appropriate management and controls, which implies the need for effective ISG. There is currently little information about ISG in FGEs, and no recent peer-reviewed studies consider its current state. For a rapidly developing field, it is very important to have up-to-date information. As a result, the presented project is justified in conducting a survey in FGEs to describe and assess their practices and propose a framework for ISG and its improvement in FGEs. Guided by innovation theories, the project will employ mixed methods to achieve its objectives. The findings will be useful to FGEs, as well as other entities interested in the current ISG practices.
Abu Dhabi Systems and Information Centre. (2014). Information security policy: Abu Dhabi Government. Version 2.0. Web.
Abu‐Musa, A. (2010). Information security governance in Saudi organizations: An empirical study. Information Management & Computer Security, 18(4), 226-276. Web.
Alexy, O., Bascavusoglu-Moreau, E., & Salter, A. (2016). Toward an aspiration-level theory of open innovation. Industrial and Corporate Change, 25(2), 289-306. Web.
Anand, R., Medhavi, S., Soni, V., Malhotra, C., & Banwet, D. (2018). Transforming information security governance in India (a SAP-LAP based case study of security, IT policy and e-governance). Information and Computer Security, 26(1), 58-90. Web.
Burke, P., & Soffa, S. (2018). The elements of inquiry (2nd ed.). New York, NY: Routledge.
Computer Emergency Response Team, & Telecommunications Regulatory Authority. (2012). Standard information security policy. Web.
Government.ae. (2019a). National cybersecurity strategy 2019. Web.
Government.ae. (2019b). UAE digital government maturity model. Web.
Gupta, A. K., Dey, A. R., Shinde, C., Mahanta, H., Patel, C., Patel, R.,… Ganesham, P. (2016). Theory of open inclusive innovation for reciprocal, responsive and respectful outcomes: Coping creatively with climatic and institutional risks. Journal of Open Innovation: Technology, Market, and Complexity, 2(1), 1-16. Web.
Huang, C. C., & Farn, K. J. (2016). A study on E-Taiwan promotion information security governance programs with e-government implementation of information security management standardization. International Journal of Network Security, 18(3), 565-578.
International Institute for Management Development. (2019). The IMD world digital competitiveness ranking 2019. Web.
Joye, D., Wolf, C., Smith, T., & Fu, Y. (2016). Survey methodology: Challenges and principles. In D. Joye, C. Wolf, T. Smith & Y. Fu (Eds.), The Sage handbook of survey methodology (pp. 3-15). London, UK: Sage Publications.
Lianto, B., Dachyar, M., & Soemardi, T. (2018). Continuous innovation: A literature review and future perspective. International Journal on Advanced Science, Engineering and Information Technology, 8(3), 771-779. Web.
McNabb, D. (2015). Research methods in public administration and nonprofit management (3rd ed.). New York, NY: Routledge.
Ministry of Cabinet Affairs. (2019). Federal government entities. Web.
Nicho, M. (2018). A process model for implementing information systems security governance. Information and Computer Security, 26(1), 10-38. Web.
O’Sullivan, E., Rassel, G., Berner, M., & Taliaferro, J. (2017). Research methods for public administrators (6th ed.). New York, NY: Routledge, Taylor & Francis Group.
Perumal, S., Pitchay, S., Samy, G., Shanmugam, B., Magalingam, P., & Albakri, S. (2018). Transformative cyber security model for Malaysian government agencies. International Journal of Engineering & Technology, 7(4.15), 87. Web.
Ramtohul, A., & Soyjaudah, K. (2016). Information security governance for e-services in southern African developing countries e-Government projects. Journal of Science and Technology Policy Management, 7(1), 26-42. Web.
Safa, N., Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82. Web.