
An empirical analysis on the effectiveness of information security policies, information technology governance, and international organization for standardization security certification

Posted on: 2017-09-30
Degree: Ph.D
Type: Dissertation
University: Capella University
Candidate: Paarlberg, Jon W
Full Text: PDF
GTID: 1468390014963166
Subject: Information Technology
Abstract/Summary:
Security professionals and researchers believe that information security policies are a crucial element to good information security. This study sought to explore the relationship between information security policies, Information Technology (IT) governance, International Organization for Standardization (ISO) security certification and the number and severity of breaches suffered by organizations in the US. This quantitative study used an online survey to collect responses from IT professionals about information security policies, IT governance, and ISO security certifications. It then compared those qualities to the number and severity of breaches experienced by the organization. Multivariate analysis was used to analyze the results. This study finds that there is a significantly higher number of more severe breaches suffered by organizations that have an information security policy. Organizations that follow an IT governance framework also reported a higher number of severe breaches. ISO certification did not exhibit a statistically significant relationship. Further research should be performed to discover why organizations that are attempting to follow security best practices would report higher numbers of severe breaches.
Keywords/Search Tags:Security, International organization for standardization, Severe breaches, Governance, Higher number