Examining the Relationship between Information Security Effectiveness and Information Security Threats

  • Mohamad Noorman Masrek Universiti Teknologi MARA Selangor
  • Tri Soesantari Universitas Airlangga
  • Asad Khan University of Peshawar
  • Aang Kisnu Dermawan Universitas Islam Madura
Keywords: information security, security policy, information threats, structural equation modelling, survey, Malaysia


Information is the most critical asset of any organization or business. It is considered the lifeblood of the organization or business. Because of its importance, information needs to be protected and safeguarded from any form of threat, and this is termed information security. Information security policy and procedure has been regarded as one of the most important controls and measures for information security. A well-developed information security policy and procedure will ensure that information is kept safe from any harms and threats. The aim of this study is to examine the relationship between information security policy effectiveness and information security threats. A total of 292 federal government agencies were surveyed in terms of their information security practices and the threats that they had experienced. Based on the collected data, an analysis using partial least squares structural equation modeling (PLS-SEM) was performed, and the results showed that there is a significant relationship between information security policy effectiveness and information security threats. The finding provides empirical evidence on the importance of developing an effective information security policy and procedure.



How to Cite
Mohamad Noorman Masrek, Tri Soesantari, Asad Khan, & Aang Kisnu Dermawan. (2020). Examining the Relationship between Information Security Effectiveness and Information Security Threats. International Journal of Business and Society, 21(3), 1203-1214. https://doi.org/10.33736/ijbs.3335.2020