A comprehensive model of information security factors for decision-makers

Decision-making in the context of organizational information security depends on a wide range of information. For information security managers, not only must the relevant information be clarified, but the interdependencies between its elements also have to be taken into account. Thus, the purpose of this research is to develop a comprehensive model of relevant management success factors (MSF) for organizational information security. First, a literature survey with an open-axial-selective analysis of 136 articles was performed to identify factors influencing information security. These factors were categorized into 12 areas: physical security, vulnerability, infrastructure, awareness, access control, risk, resources, organizational factors, CIA, continuity, security management, and compliance & policy. Second, an interview series with 19 experts from industry was used to evaluate the relevance of these factors in practice and to explore interdependencies between them. Third, a comprehensive model was developed. The model shows that there are key security indicators which directly impact the security status of an organization, while other indicators are only indirectly connected. Based on these results, information security managers should be aware of both direct and indirect MSFs in order to make appropriate decisions.


Introduction
Today, most businesses are based on, or even fully dependent on, information, such as financial data for banks, in order to stay in the market and remain competitive ( Knapp et al., 2006 ). According to Thycotic, 62 % of all cyber-attacks hit small- and mid-sized businesses, 60 % of which go out of business within six months of such an attack ( Thycotic Software Ltd., 2017 ). 53 % of attacks cause damages of $500,000 or more ( Cisco Systems Inc., 2018 ), while the average cost of a data breach was $3.86 million ( Ponemon Institute LLC, 2018 ). Not only financial losses are at risk but also legal and reputational repercussions ( Tu and Yuan, 2014 ). Therefore, organizations need to keep their information and the underlying technology secure against business-harming attacks.
In the past, information security was purely a technical concern, and therefore technical employees were responsible for information security issues within an organization ( Willison and Backhouse, 2006 ). This perspective fails when it comes to a comprehensive and holistic view and the overall security strategy. Thus, in recent years there has been a shift from the executive technology expert to a management responsibility and a more business-focused view of protecting information ( Ashenden, 2008; Ransbotham and Mitra, 2009; Yeh and Chang, 2007 ). Nowadays, security managers are fully responsible for considering and responding to information security issues ( Abu-Musa, 2010; Soomro et al., 2016 ). Various cases such as the "Equifax breach" have shown the consequences for top management when information security is disregarded. There, the personal information of over 146 million people was stolen because of an unpatched system, which was a technical shortcoming. As a consequence, the company parted with its CEO, CIO, and CSO through their "retirement" right after the breach ( Bernard and Cowley, 2017 ). The technical personnel were not affected. This goes further in manifesting the management responsibility within laws like the German Stock Corporation Act ( §91 Section 2 ), which also requires active risk management within companies.
* Corresponding author at: Guerickestr. 25, 80805 Munich, Germany. E-mail address: diesch@fortiss.org (R. Diesch).
Because of the shift from a technical to a management perspective, the research focus also changed from studies in a technical context to exploring the management role ( Soomro et al., 2016 ). Managers must be able to take technical threats as well as other factors like human behavior into account in order to take the right and effective actions to mitigate threats ( Coronado et al., 2009 ). To provide the necessary funds, make good decisions and argue their case to the business, information security managers need to understand the complexity of information security ( Willison and Backhouse, 2006 ) and have a comprehensive view of the topic ( Soomro et al., 2016 ). This comprehensive view, with specific factors and their interdependencies as well as their impact on the security status of an organization, is still a gap in research ( Diesch et al., 2018; Horne et al., 2017; Kraemer et al., 2009; Norman and Yasin, 2013; Soomro et al., 2016 ). Therefore, the purpose of this study is to identify the key factors, evaluate them and explore their interdependencies in order to generate a comprehensive model that helps to understand the complexity of information security and thus supports good information security management decisions.
https://doi.org/10.1016/j.cose.2020.101747 0167-4048/© 2020 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license ( http://creativecommons.org/licenses/by/4.0/ ).
The remainder of this article is structured as follows. In Section 2 , previous work on management practices and management success factors (MSF) in information security is described and the need for a comprehensive information security model, together with current shortcomings, is shown. In Section 3 , the three-step methodology, consisting of the literature survey, the literature analysis, and the expert interview series, is presented. In Section 4 , the evaluated MSFs are provided. The MSFs in conjunction with their interdependencies are proposed as a comprehensive model in Section 5 . In Section 6 , a critical discussion of the results and areas for future research are highlighted. A conclusion is given in Section 7 .

Background and motivation
This section is divided into three parts. In Section 2.1 , standards and best practices in information security management for practitioners and their shortcomings are described. In Section 2.2 , the term MSF and the current state of the art in research on this topic are introduced. In Section 2.3 , the needs of practitioners as well as the gap in the literature are highlighted to motivate this research.

Standards and best practices
Information security management is often built on international standards or best practices ( Hedström et al., 2011 ). The terms "standard" and "best practice" are often used as synonyms, but "standards" are usually vetted by an international standardization organization, while "best practices" and other frameworks are published independently.
The most common standard from such an organization is the ISO/IEC 27000-series ( ISO/IEC, 2018 ). This standard is widely accepted, plays an important role, and it is possible to certify an organization's information security against it ( Siponen and Willison, 2009 ). The ISO/IEC 27000-series defines basic requirements for implementing an information security management system. Control guidance, implementation guidance, management measures, and the risk management approach are also specified. Sector-specific standards are also included in the series, for example ISO/IEC 27011, which deals specifically with telecommunication organizations.
In addition to the information security management standard, there are frameworks or best practices like the NIST SP800-series ( NIST, 2018b ), the Standard of Good Practice from the Information Security Forum (ISF) ( ISF, 2018 ) or the COBIT framework ( ISACA, 2012 ). These best practices are used to implement an information security management system (ISMS), to define and develop controls, and to address the most pressing problems regarding information security with an overview for the risk mitigation strategy ( Mijnhardt et al., 2016 ). All in all, security standards provide a common basis for organizations that helps to reduce risks by developing, implementing and measuring security management ( Ernest Chang and Ho, 2006 ). Information security management certificates do provide a basic assurance level and show that some security measures are in place. But in practice, experts are skeptical about certificates. Experts mentioned that standards help with compliance but do not always help to reduce risk or improve security ( Johnson and Goetz, 2007 ). Lee et al. (2016) show that a higher security standard does not necessarily lead to a higher security level. The following shortcomings of standards were highlighted in past literature:
(1) Well-known standards are very generic in scope and tend to be very abstract ( Siponen and Willison, 2009 ). Concrete countermeasures and combinations of them are missing from these standards, which leads to inefficient or even misleading risk mitigation strategies ( Fenz et al., 2013 ).
(2) Standards consist of a huge amount of information. For example, the ISO 27000-series consists of 450 items in 9 focus areas. This complexity, and the fact that fully implemented standards are rare in small- and medium-sized businesses, leads to a fallback to ad-hoc implementations. An easy-to-understand toolkit is missing ( Mijnhardt et al., 2016 ).
(3) The controls and countermeasures defined by the frameworks are often implemented without sufficient consideration of daily work or of whether they are needed ( Hedström et al., 2011 ). This is because organizations usually do not consider the relationships between the security concepts ( Fenz et al., 2013 ) and do not check whether a control is really necessary or less critical ( Bayuk and Mostashari, 2013; Tu and Yuan, 2014 ).
(4) Rigorous empirical studies which consider the different factors that may affect decisions and which validate the standards and best practices are missing in the literature ( Diesch et al., 2018; Siponen and Willison, 2009 ).
(5) There are regional differences in the use and context of frameworks. For example, the NIST SP800-series is "developed to address and support the security and privacy needs of U.S. Federal Government information and information systems" ( NIST, 2018b ), while the current standard in Australia is the ISO/IEC 27000-series. Therefore the NIST SP800 framework "is individually useful but (outside of the U.S.) do not provide a cohesive and explicit framework to manage information security".

Information security success
Besides the standards and best practices described above, there are theories and concepts in the literature which help decision-makers in information security. Managers need to know the current information security status of their organizational assets in order to make decisions. If these assets are not well protected, managers need possible sets of controls, with consideration of the related costs, to improve the information security situation ( Diesch et al., 2018; Horne et al., 2017; Johnson and Goetz, 2007; Tu and Yuan, 2014; von Solms et al., 1994 ).
The literature deals with MSFs to describe the state of information security that is needed in practice. The term was first used in 1987 to describe factors that are taken into account as "catalysts to generate new and more effective systems security activities" in the security context ( Wood, 1987 ). After that, the theory of information systems success of DeLone and McLean (1992) deals with different dependent and independent variables which indicate a successful information systems strategy and which can be categorized into dimensions. Recent studies have used other terms in the context of information security:
1. "Information systems security management success factors" are factors that show the state of elements which have to be anticipated in order to prevent information security failure in the e-commerce context ( Norman and Yasin, 2013 ).
2. "Critical success factors" describe factors which influence the successful implementation of an information security management system ( Tu and Yuan, 2014 ).
3. "Critical success factors are described as key areas in the firm that, if they are satisfactory, will assure successful performance for the organization" ( Tu et al., 2018 ).
In this research, management success factors (MSF) are defined as factors which show the state of elements that have to be taken into account in order to make appropriate management decisions in the information security context of an organization. If the security decisions are appropriate, this assures a successful security performance for the organization.
Current literature mostly looks at the factors which influence security separately. To highlight just a few studies, they separately deal with organizational factors ( Ernest Chang and Ho, 2006; Hall et al., 2011; Kankanhalli et al., 2003; Kraemer et al., 2009; Mijnhardt et al., 2016; Narain Singh et al., 2014 ), policy compliance issues ( Boss et al., 2009; Goel and Chengalur-Smith, 2010; Höne and Eloff, 2002; Ifinedo, 2012; Johnston et al., 2016; Lowry and Moody, 2015a ) or human factors ( Alavi et al., 2016; AlHogail, 2015; Ashenden, 2008; Gonzalez and Sawicka, 2002; Kraemer et al., 2009 ). The reason for this separation is that security is managed separately in different departments, including information security, risk management, business continuity and operational security ( Tashi and Ghernaouti-Hélie, 2008 ). This shows that various studies are available which discuss different factors in great detail but do not take an integral view of them. There are only a few attempts to consolidate the body of knowledge into comprehensive MSFs. The information systems success theory explains six factors which contribute to systems success ( DeLone and McLean, 1992 ). This view does not include specific security considerations, such as the costs and available countermeasures that a manager must consider. The authors themselves criticized the proposed theory for its missing evaluation. The only other success factor model was a model of factors influencing the successful implementation of an information security management system ( Norman and Yasin, 2013 ), not the security decisions of managers themselves.

Shortcomings in literature and practice
As Sections 2.1 and 2.2 suggest, there are a few shortcomings in the literature for supporting decisions at the security management level. A survey by McKinsey & Company with 1125 managers in 2017 identified three main problems managers face when dealing with information security issues ( Boehm et al., 2017 ): a lack of structure, with reports containing dozens of indicators at inconsistent and too-high levels of detail; a lack of clarity, because reports are too technical for a manager to understand; and a lack of consistent real-time data.
The lack of clarity within reports is not only present in practice. Managers do not know all technical details and do not need to, because of their teams and experts ( Fenz et al., 2013; May, 1997 ). But they have to establish and improve the security status, for example by using a security dashboard ( Dogaheh, 2010 ). Reports and dashboards have to fit the needs of information security managers ( Wilkin and Chenhall, 2010 ), but there are no standards for the content of such dashboards ( Bayuk and Mostashari, 2013 ). The lack of structure is related to the first problem and stems from the high diversity and complexity of the information security problem, which causes uncertainty and confusion among top managers ( Savola, 2007; von Solms et al., 1994; Willison and Backhouse, 2006 ). As a result, managers do not make decisions based on data but on their experience, judgment and best knowledge ( Chai et al., 2011 ). Therefore, current research asks for a comprehensive approach to information security management ( Abu-Musa, 2010; Nazareth and Choi, 2015; Savola, 2007; 2009; Soomro et al., 2016; Tu and Yuan, 2014 ) which captures the definition of "factors that have a significant impact on the information security" ( Bayuk, 2013; Leon and Saxena, 2010; Ransbotham and Mitra, 2009; Soomro et al., 2016 ) and the established relationships between these fundamental objectives ( Dhillon and Torkzadeh, 2006; Hu et al., 2012; Soomro et al., 2016 ).
This research addresses the described needs with the development of the first theory of interrelated MSFs, which gives decision-makers a basis for understanding the complexity of information security on an abstract level and could also be the basis for multiple future needs described in the literature, such as goal-based security metrics development ( Bayuk, 2013; Boss et al., 2009; Diesch et al., 2018; Hayden, 2010; Jafari et al., 2010; Johnson and Goetz, 2007; Pendleton et al., 2017; Savola, 2007; Zalewski et al., 2014 ).

Methodology
To develop a comprehensive model of information security factors for decision-makers, the methodology of this work consists of three steps. Fig. 1 illustrates the steps. The first step is to find relevant literature with the help of the literature search process described in Section 3.1 . The second step is to analyze the relevant literature for factors which have an influence on information security decisions. The results are categorized into high-level impact factors derived from the literature. This step is described in Section 3.2 . The third step is a semi-structured expert interview series to evaluate the relevance of the impact factors in practice and to explore interdependencies between them. Its results are the MSFs that are relevant in practice and their interdependencies, which together form the comprehensive model of MSFs for decision-makers. The expert interview methodology is described in Section 3.3 .

Literature search
The search process is performed based on the method of Webster and Watson (2002) . The literature search consists of defining the search scope, followed by a keyword search which ends in a forward and backward search. To obtain high-quality articles, the scope is set to highly ranked journals within the information security domain and, because of the relation to the management view, the information systems management domain. Journals of the management domain were selected from the Senior Scholars' Basket of Journals ( AIS Members, 2011 ). The journals of the security domain were selected from the Scimago Journal & Country Rank (SJR) ( SJR, 2018 ) with the condition that they belong to one of the following categories: security, safety, risk or reliability. To avoid limiting the search to journals only, the scope was extended to several databases: ScienceDirect, OpacPlus and Google Scholar. OpacPlus is a wrapper of multiple databases including Scopus, Elsevier, Wiley, and the ACM Digital Library. The results of Google Scholar were limited to 100 hits because the most relevant articles can be found within the first pages ( Silic and Back, 2014 ). After the scope definition, the following search string was used to find articles: "(it OR information OR cyber) AND (resilience OR security) AND (factors OR kpi OR measures OR metrics OR measurement OR indicator OR management)". Because the management literature is not information security specific, the search string for these journals was reduced to the first two parts: "(it OR information OR cyber) AND (resilience OR security)". A further adjustment, searching only in the title and abstract, was made within the information security specific sources because of the diversity of the underlying topic. The selection of relevant articles from the keyword search was done based on title and abstract. The inclusion criterion was that factors influencing information security decisions are described or mentioned.
The forward and backward search was applied to all selected articles, with the forward search based on the "cited by" function of Google Scholar. The literature identification methodology resulted in 136 articles. The complete search matrix with the sources used, the keyword search hits and the numbers of selected relevant articles is shown in Appendix A .

Literature analysis
The analysis was done based on the "open-axial-selective" approach of Corbin and Strauss (1990) , which is a grounded theory approach based on Glaser and Strauss (1967) and was recommended as a rigorous method for analyzing literature ( Wolfswinkel et al., 2013 ). This approach has the advantage that the whole context of an article can be analyzed in order to extract factors. Webster and Watson (2002) also support a literature analysis, but with the categorization of whole articles in order to identify gaps in the literature, point out the state of the art and explain past research. To extract and categorize specific knowledge, coding at the textual level of the articles is more appropriate in this case. The coding follows these steps:
(1) Assign text segments to a "first-order code". For example, the text segment "those organizations that have had a systems security function for some time should use these assessment methods to validate the results of other methods and to cross-check that they have not overlooked some important vulnerability" ( Wood, 1987 ) was assigned the cluster "vulnerability assessment" as a factor which influences information security.
(2) Combine synonyms and their meanings into a "second-order code".
(3) Categorize the second-order codes into clusters based on overlapping meanings (infrastructure overview and asset knowledge), overlapping functions (management support and management standards) or theoretical constructs (confidentiality, integrity, and availability).

Expert interview
Previous research has been criticized for lacking support for reliability and validity through empirical studies ( Siponen and Willison, 2009; Tu and Yuan, 2014 ). The first goal of the expert interviews was to evaluate the factors from the literature and thus generate MSFs which are relevant in practice. The second and main goal is the exploration of interdependencies between MSFs in order to develop the comprehensive model of MSFs.
There are various ways to design an expert interview. This study is designed as a semi-structured interview ( Bortz and Döring, 1995 ) to combine the advantages of structured and open interviews. The interviewer is able to give room for explanations but also ensures that all answers are given. With these considerations, the expert interview itself consists of three steps: the operationalization of the described goals ( Section 3.3.1 ), the selection of experts ( Section 3.3.2 ) and the analysis of the expert interviews ( Section 3.3.3 ).

Operationalization
The interview guide gives the interviewer an orientation, and the analysis is more comparable than without any structure. To develop the survey instrument, the rules of good expert interviews were considered ( Bortz and Döring, 1995 ). The interview began with an open question on the most important factor that the interviewee considers relevant for the information security of the organization ( Q0 ). The following areas were then discussed with the experts to support the given goals and to control as well as confirm the validity of the factors:

• Evaluation of factors:
A discussion about the meaning of each factor from a practical perspective was done in order to evaluate the content of the factors ( Q1.1 ). The practical relevance was tested by asking about the importance of each factor for the information security of the organization ( Q1.2 ).

• Exploration of interdependencies:
To explore the interdependencies between the factors and get insights into them, a discussion about the practical usage and how the experts deal with each factor was done ( Q2.1 ). To crosscheck the given statements, experts were asked for each factor, if the factor has a direct impact on the information security of the organization ( Q2.2 ).

• Control questions:
Questions about important factors that were not mentioned ( Q3.1 ) and about whether the experts consider a discussed factor to be unimportant ( Q3.2 ) are used to control the completeness of the given factors and to further confirm the explored results.

Expert selection
An expert is a person with specific practical or experiential knowledge about a particular problem area or subject area who is able to structure this knowledge in a meaningful and action-guiding way for others ( Bogner et al., 2014 ). The selection of interviewees was derived from this definition. Therefore, an expert should have several years of experience in the field of information security, which points to specific practical knowledge in the field. The expert should hold a leading position within the organization, which testifies to the ability to structure information in a meaningful and action-guiding way for others. A leading position also supports the comprehensive view that the goal of this research requires. The selection resulted in 19 participants. They were mainly chief information security officers (12) and information security officers (4). The others were one chief executive officer, one chief information officer, and one technical delivery manager. All experts had at least 5 years of experience, 16 years on average and 30 years at maximum. This shows that the selected interviewees meet the requirements and are suitable for this approach. At the time, the participants worked in the following industries: finance, automotive, diversified, aircraft, metal and electrical, services, hardware and software, and others. All but one organization had more than 2000 employees. This follows from the requirements for experts, which imply that the organization has to have at least an information security team, something typically not available in small businesses.

Interview analysis
The interviews were analyzed according to Mayring (2015) . The basis for each question was a full transcript of the interview. The process consists of the following steps:

1. Paraphrasing
• Strike out components that do not contribute or carry little content.
• Standardize the language level.
• Generate grammatical short forms.

2. Generalization
• Generalize paraphrases to an abstract level.
• Generalize predicates into an equal form.
• Generate assumptions in case of doubt.

3. Reduction (can be done multiple times)
• Delete phrases which have the same meaning.
• Combine phrases of similar meaning.
• Select phrases that are very content-bearing.
• Generate assumptions in case of doubt.

To analyze quantitative aspects or interdependencies, Mayring (2015) also suggests two methods, called "valence or intensity analysis" (V) and "contingency or interrelation analysis" (I), which were used to analyze the interviews. Both methods contain mainly the same steps:
1. Formulate a question.
2. Determine the material sample.
3. Define the variables (V) / text modules for interrelation (I).
4. Define the scale (V) / rules for interrelation (I).
5. Coding.
6. Analysis.
7. Presentation and interpretation.

Management success factors
The prerequisite for a comprehensive model of MSFs is a set of evaluated MSFs which have an influence on information security decisions. In Section 4.1 , the results of the literature analysis are shown. These are factors which, from the literature perspective, have an influence on information security decisions. After that, the factors are evaluated for their relevance in practice, which results in evaluated MSFs. These results are shown in Section 4.2 .

Factors derived from the literature
The analysis of the 136 relevant articles from the search methodology resulted in 188 first-order codes. A code is a tuple of "factor in literature"-"author", so for each author the different impact factors were coded. These codes appear in the following situations:
(1) They appear directly within the literature. An example is the following sentence of Atoum et al. (2014) : "enrich the framework in other related dimensions such as human resource, organization structures, global governance, regulation regimes, awareness programs and thus provide a more detailed framework". This results directly in the corresponding list of first-order codes. Most of these direct codes appear in enumerations within the introduction or future work sections of the analyzed literature and are not further explained.
(2) The first-order codes are part of a theory. The first-order codes are part of a hypothesis construct with an underlying theory and are tested with quantitative or qualitative studies. An example is Kankanhalli et al. (2003) , which describes the impact of organizational size, top management support and industry type on information systems security effectiveness. This example results in the corresponding first-order codes.
(3) They appear indirectly within the articles or because of their focus. These appearances are derived from the overall classification of the articles or from descriptions within the text which do not directly mention the first-order code, but whose meaning was chosen to name it. The article with the title "design and validation of information security culture framework" ( AlHogail, 2015 ) is coded as "security culture" as a first-order code. Another example of an indirect mention is "those organizations that have had a systems security function for some time should use these assessment methods to validate the results of other methods and to cross-check that they have not overlooked some important vulnerability" ( Wood, 1987 ), which is coded as "vulnerability assessment" as a first-order code.
The aggregation of the 188 first-order codes results in 44 second-order codes. The following aggregation criteria were identified: (1) Articles often describe that codes have the same meaning. An example is given by Jafari et al. (2010) , who describe "Safeguards: Protective measures prescribed to meet the security requirements [...], synonymous with countermeasures". This, in conjunction with "improving the overall information security state by selecting the best security countermeasures (controls) to protect their information assets" ( Yulianto et al., 2016 ), makes safeguards, countermeasures, and controls a second-order code.
(2) Certain first-order codes are part of or included in other first-order codes, which results in a second-order code. Examples in the literature are "Value delivery (i.e. cost optimization and proving the value of information security)" ( Yaokumah, 2014 ), "aside from the personnel measures which focus on human behavior" ( Sowa and Gabriel, 2009 ) or "threats, which form part of such risk" ( Willison and Backhouse, 2006 ). The last example indicates that threats are part of risks.
(3) First-order codes are aggregated according to their underlying object. An example is "organizational size", "industry type" and "organizational structure", which are all features of an organization and are thus aggregated into the second-order code "organizational factors".
The aggregation of the second-order codes to clusters and thus the overall factors, influencing security decisions, is based on common theories in literature. An example is the theory of the protection goals of information security which is supported by various authors: "with a goal to compromise Confidentiality, Integrity, and Availability (CIA)" or "it also coincides with the Confidentiality-Integrity-Availability (CIA) framework" ( Goldstein et al., 2011 ) or "one view, which gained especially wide popularity, is called C-I-A triad" ( Zalewski et al., 2014 ). This theory results in the consolidation of protection goals in the factor "CIA".
The literature analysis confirms the assertions made in Section 2.3 , namely that various individual factors are mentioned, enumerated or examined. However, up to now there has been no comprehensive view of them, a discussion of their practical relevance is missing, and the interdependencies of the factors among each other are not described. The result of this section is an abstract view of the current factors in the literature that influence information security decisions.

Evaluation of Factors
The factors explored in Section 4.1 are the basis for the following evaluation, which transforms these factors into MSFs for information security decision-makers. In Section 4.2.1 the practical view of the experts on the factors is compared with the literature view derived from the literature analysis in Section 4.1. In addition, the challenges practitioners face are reported for each factor. The result of the relevance validation is presented in Section 4.2.2. Section 4.2.3 contains the result of the control questions, which confirm the validity and relevance of the explored factors.

Content validation of MSFs
The relevance of the factors in practice and their validity make them MSFs. The general context analysis (Section 3.3) was used to determine the practical usage and meaning of the factors identified in the literature. The scope of the analysis was the whole interview transcripts, while the main answers are given by guiding question Q1.1 of the interview guide. Because of the semi-structured interview design, the challenges and problems practitioners face with each factor are a side result and are also reported here. The following itemization shows each MSF with a description of the literature view, a consolidated practical view and the challenges practitioners face regarding the MSF. The literature view is a consolidation of definitions and opinions from the literature analysis (Section 3.3.3). The practical view and the descriptions of the challenges are a consolidation of the main opinion of all 19 experts.
• Vulnerability
1. Literature: In the literature a vulnerability is generally defined as a "weakness of an asset or control that can be exploited by one or more threats" (ISO/IEC, 2018). This definition is very generic and covers technical as well as non-technical weaknesses. NIST gives a more detailed definition: a "weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source" (NIST, 2018a). The common usage of the term in the analyzed literature is that vulnerabilities are technical in nature. More specifically, "a vulnerability is a software defect or weakness in the security system which might be exploited by a malicious user causing loss or harm" (Joh and Malaiya, 2011).
2. Practice: From the management perspective, vulnerabilities are always technical in nature; specifically, known vulnerabilities in systems and software are meant. The common understanding of the experts was that vulnerability is a topic of patch management and a problem of unpatched systems. All organizations have patch management in place and try to minimize the vulnerabilities in their infrastructure. Vulnerabilities are assessed with vulnerability scanners, penetration tests, automated scans, audits and the definition of "toxic" software that is detected on systems. Patching and the elimination of vulnerabilities are done based on the results of these assessment methods.
3. Challenges: A vulnerability has to be known before it can be handled. Not only knowledge of the vulnerabilities is a problem; knowledge of the assets and the whole infrastructure of an organization is also a challenge in practice. Only if an organization knows all of its assets and infrastructure can it determine whether known vulnerabilities apply to them.
• Infrastructure
1. Literature: Infrastructure has different aspects. Components are technical systems which themselves protect the underlying assets or exist to identify attacks. Examples are firewalls, intrusion detection systems, information visibility, compromise detection, defense modeling, and other solutions. A second important concern is the prevention of attacks that do not rely on any known vulnerability. This includes architectural decisions such as segmenting the network, limiting open access points or external connections, hardening the systems, encrypting communication or cleaning up configuration issues. Since these are not specific vulnerabilities but are considered weaknesses, this topic is a stand-alone factor.
2. Practice: Some of the experts see this factor as a vulnerability topic, but most of them associate more with it. It is about knowing all systems and software as well as the connections between them, and whether they are secured or not. It is also about the "hardening" of all available systems, building threat models and securing the infrastructure at each network layer. To accomplish that, the experts use hardening guidelines, secure deployment and installation routines, design reviews and configuration management databases.
3. Challenges: Problems are the complexity of the activity, the difficulty of checking whether the hardening guidelines were implemented correctly, and the above-mentioned difficulty of knowing all available systems and their connections.
• Compliance & Policy
1. Literature: Security policies are an "aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information" (NIST, 2013). All activities concerning compliance and policies, such as policy deployment, policy effectiveness, legal compliance, and regulatory requirements, are subsumed in this factor. The literature also describes multiple characteristics of good and bad policies and controls which influence the information security of organizations.
2. Practice: This factor means the implementation of requirements that are given externally and internally. These include laws, policies from the management and the requirements of standards for obtaining certificates. Practitioners use frameworks to implement them, and audits as well as self-assessments to check them. These frameworks and policies help organizations that lack the knowledge to consider all aspects of security on their own.
3. Challenges: 100% compliance does not mean 100% secure. This factor alone does not improve security, but without it, it is not possible to perform audits or push measures through.
• Security management
1. Literature: This factor subsumes all process activities within the information security management system and operational tasks like change management, incident management, process effectiveness measurement and the implementation of security standards. All aspects of the Plan-Do-Check-Act approach of ISO/IEC 27000 (ISO/IEC, 2018) are part of the security management factor. The other part consists of strategic topics like goal definition, top management support, governance, and strategic alignment, as well as the documentation of these activities. Another important aspect in the literature is the communication with employees and top management. ISO/IEC 27000 defines security management as a "systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives" (ISO/IEC, 2018). This definition shows that monitoring is also part of this factor. Different methods and processes are described to continuously improve the information security of an organization, covering the implementation of metrics and the topic of compromise detection.
2. Practice: Two management approaches are in place: the risk-based and the control-based approach, each supported by various processes. The experts control their management processes with audits and with the Plan-Do-Check-Act framework of ISO/IEC 27000 (ISO/IEC, 2018). The next important aspect for the interviewees was business (top) management support and its understanding of the risks the organization is facing.
3. Challenges: A problem is the missing knowledge of the concepts behind the security processes and the lack of knowledge of the available actions for improvement. Without this knowledge, security management has no impact on the security of an organization.
• Awareness
1. Literature: In the literature, awareness is defined as being aware of security concerns (NIST, 2013). Awareness is discussed in different subjects in the academic literature. Included in this factor are behavioral topics like employee behavior, user activities and user interaction, but also user reaction, user errors, and faults. All parts depending on knowledge, like skills, education, training, and competence, are also included in the awareness factor. Awareness in the literature is not just about people's behavior but also about their personal needs, privacy issues, trust concerns as well as cultural aspects and the social environment.
2. Practice: All topics that concern people and cannot be treated with technology are subsumed under awareness. The typical understanding is the employee as a vulnerability, with human errors, human behavior or insufficient knowledge. A typical countermeasure is web-based and conventional training. Practitioners test their employees with their own phishing campaigns or check click rates on their proxy servers. Cultural and privacy concerns are not often taken into consideration.
3. Challenges: The challenge in practice is that awareness activities are very resource-intensive while their effects are limited. Countermeasures often do not lead to measurable effects; they lead to annoyed employees, and these employees then fail the same tests more often.
• Risk
1. Literature: The risk factor is discussed as an overall risk management concern with possible threats, the likelihood of their occurrence and the possible impact on the organization. The literature mostly discusses the risk management process and the possible handling of present risks, such as prevention, tolerance, exposure, prediction, and perception. A comprehensive definition is given in NIST SP 800-37: "A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence" (NIST, 2018a).
2. Practice: The experts use the same definition and understanding of risk as the literature: a risk is an issue combined with its severity and likelihood. Information security is applied risk management, because risk is used to prioritize and define countermeasures. Therefore, all of the experts have risk management in place based on standards such as ISO/IEC 27000 or NIST.
3. Challenges: Not all risks can be mitigated, because of missing resources or other restrictions. Some managers also have problems defining risks in a way that is understandable for technical employees or even for top management. The availability of the underlying data is also a challenge in practice; an example is the consolidated view of possible threats. Various technical solutions such as threat intelligence platforms are available on the market to consolidate these data. The problem comes with combining the different factors to define the risk. A possible threat alone is not important for information security management. The challenge is to analyze the underlying assets and their vulnerabilities and check whether the threat can exploit one of them. Only after this combination is the risk defined and useful for an information security manager.
• Access control
1. Literature: Access control is not mentioned as a part of countermeasures. The topic is so important that it often emerges as an independent factor for security. Access control contains account management, software access control as well as access rights. It means "to ensure that access to assets is authorized and restricted based on business and security requirements" (ISO/IEC, 2018).
2. Practice: Access control is the management and regulation of access to systems, applications, data, and infrastructure. It is not just about access but also about key management, role administration, classification of data and the management of identities within organizations. The experts have procedures per application and try to implement common principles like the need-to-know or the least-privilege principle. They check the existing accesses, have identity and access management in place and use tools to monitor them.
3. Challenges: Challenges occur with on-boarding, off-boarding and department changes, as well as with the increasingly open culture of organizations with "bring your own device" and "cloud infrastructure". Not just the open culture but also technologies and trends like the "internet of things" and "mobile devices" are increasingly a problem for this factor, because each of these devices also has an identity. This increases the complexity of managing access control and has to be considered when choosing such technologies.
• CIA
1. Literature: This factor is based on the overall theoretical construct of the protection goals of information security. The codings confidentiality, integrity and availability, as well as derived goals like non-repudiation, are subsumed in this factor. Articles about security metrics and security success are mostly based on this factor, which plays a large role in the security discussion.
2. Practice: In practice, this factor is a theoretical construct with the same definition as in the literature. It is used to communicate with business management and to classify the need for protection, or it is not used in practice at all.
3. Challenges: The problem in practice is that these classes cannot be uniquely assigned to countermeasures. Many experts consider this factor an academic construct which is outdated and not really practicable.
• Organizational factors
1. Literature: The organizational factor means the properties of an organization which influence the security of this organization. Multiple authors mention the influence of factors like the organizational size, the industry type or the internal and external structure of the organization.
2. Practice: This factor has the same meaning in practice as in the literature. Most of the experts do not deal with it, because from their perspective there is no way to change the characteristics of the organization. But it is considered within other factors like risk or when implementing countermeasures. Practitioners say that it might influence the possibilities of an organization.
3. Challenges: A challenge is that some attack surfaces are not influenced by any characteristic an organization could have. A good example is ransomware, which does not even look at the victim it attacks.
• Physical security
1. Literature: This factor reduces the opportunity to access assets physically, in the form of physical entry controls, protection of the environment, building security with fences or other countermeasures, travel security and all activities around this. The literature does not mention this factor very often but considers it really important for organizations and their management.
2. Practice: Physical security is the physical protection of buildings, offices, servers, and hardware. It also contains the protection of the environment and of persons, travel security and protection against environmental disasters. The interviewees work together with other departments dealing with this factor; it is mainly not the responsibility of the security department of an organization.
3. Challenges: The topic is becoming less important in times of a changing environment with mobile offices, roaming users, home offices and cloud computing. This change brings other challenges with it.
• Continuity
1. Literature: Continuity is split into business continuity and IT continuity. In the case of cyber security, the term "refers to the ability to continuously deliver the intended outcome despite adverse cyber events" (Björck et al., 2015). Business continuity is on a more abstract level than cyber or IT continuity and is defined as a "predetermined set of instructions or procedures that describe how an organization's mission-essential functions will be sustained [...] before returning to normal operations" (NIST, 2013). Resilience is not often represented in the literature and has already been identified as a research gap (Diesch et al., 2018).
2. Practice: This factor is understood as the goal of the business as well as a partial goal of information security. Important are continuous IT operation and a disaster recovery plan which should be tested from time to time. There are opposing opinions on business continuity management (BCM). Some experts say that requirements come from the BCM to information security management, while others say that they are submitted to the BCM.
3. Challenges: A challenge is finding a common understanding and effective communication between BCM and IT continuity.
• Resources
1. Literature: Resources are not just money but also the availability of skilled and well-educated employees. More generally, resources are "information and related resources, such as personnel, equipment, funds, and information technology" (NIST, 2013). The literature describes this factor as a limitation and mostly in a negative way: if an organization does not have enough resources, it is not able to implement security, which has a negative influence. A second part is the cost-effectiveness of countermeasures and the return on security investment (ROSI).
2. Practice: In practice, this factor is mostly about budget, which has to be granted by business management. A smaller part is the number of employees with good knowledge and appropriate education. Therefore, the experts have budget processes and recruitment campaigns in place. Cost-effectiveness and ROSI are not mentioned by the practitioners.
3. Challenges: Problems often arise when buying expensive tools and equipment in the security field and arguing for their added value. This is often a source of tension between business management and security management.
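The Vulnerability and Risk items above both come down to the same combination step: a vulnerability is only actionable once it is matched against the organization's assets, and a threat only becomes a risk once it can exploit one of those vulnerabilities on a known asset. The following script is an added example (not part of the paper or of any tool the experts named) that carries this combination through on constructed data. The asset inventory, scanner output, vulnerability feed (with made-up identifiers VULN-A to VULN-C, not real CVEs) and threat list are all invented for illustration, and the 1 to 5 likelihood and impact scales, with the rule that likelihood drops by two points when no active threat is observed, are assumptions in the spirit of the NIST SP 800-37 definition rather than a scheme prescribed by the paper. The host "legacy-07" appears in the scan but not in the inventory, which reproduces the "unknown asset" challenge: its vulnerability can be detected, but no risk can be stated for it because its business impact is unknown.

```python
"""Combining asset inventory, scan results, a vulnerability feed and threats into risks.

Added example, not part of the original paper. All data below is constructed for
illustration; the scoring scale (likelihood 1-5 x impact 1-5) is an assumption.
"""
from dataclasses import dataclass

# Constructed CMDB-style inventory: host -> installed software and business impact (1-5).
INVENTORY = {
    "web-01":  {"software": {"nginx": "1.18.0", "openssl": "1.1.1"}, "impact": 4},
    "db-01":   {"software": {"postgresql": "12.5"},                 "impact": 5},
    "jump-01": {"software": {"openssh": "8.2"},                     "impact": 3},
}

# Constructed scanner output: what was actually seen on the network.
# "legacy-07" is not in the CMDB, i.e. an unknown asset.
SCAN = {
    "web-01":    {"nginx": "1.18.0", "openssl": "1.1.1"},
    "db-01":     {"postgresql": "12.5"},
    "legacy-07": {"openssl": "1.0.2"},
}

# Constructed vulnerability feed (made-up identifiers, not real CVEs):
# installed versions strictly below fixed_in are affected.
VULN_FEED = [
    {"id": "VULN-A", "product": "openssl",    "fixed_in": "1.1.2",  "exploitability": 4},
    {"id": "VULN-B", "product": "postgresql", "fixed_in": "12.6",   "exploitability": 2},
    {"id": "VULN-C", "product": "nginx",      "fixed_in": "1.18.0", "exploitability": 5},
]

# Constructed threat intelligence: products currently being targeted.
THREATS = {"openssl": "exploit kit observed in the wild", "openssh": "credential brute force"}


def parse_version(version):
    """Turn a dotted numeric version string into a tuple that compares correctly."""
    return tuple(int(part) for part in version.split("."))


def affected_vulnerabilities(software, feed):
    """Feed entries whose product is installed in a version below the fixed version."""
    hits = []
    for entry in feed:
        installed = software.get(entry["product"])
        if installed is not None and parse_version(installed) < parse_version(entry["fixed_in"]):
            hits.append(entry)
    return hits


def likelihood(entry, threats):
    """A vulnerability without an observed threat is less likely to be exploited.
    Assumption: no active threat lowers the likelihood by two points (floor 1)."""
    if entry["product"] in threats:
        return entry["exploitability"]
    return max(1, entry["exploitability"] - 2)


@dataclass
class Risk:
    host: str
    vuln_id: str
    likelihood: int
    impact: int
    threat: str

    @property
    def score(self):
        return self.likelihood * self.impact


def build_risk_register(inventory, scan, feed, threats):
    """Return (risks sorted by score, unknown hosts -> affected vulnerability ids).
    Risks are only stated for inventoried hosts, because impact is unknown otherwise."""
    observed = {host: dict(data["software"]) for host, data in inventory.items()}
    observed.update(scan)  # the scanner view wins where both exist
    risks, unknown = [], {}
    for host, software in observed.items():
        hits = affected_vulnerabilities(software, feed)
        if host not in inventory:
            unknown[host] = [hit["id"] for hit in hits]
            continue
        for entry in hits:
            risks.append(Risk(host, entry["id"], likelihood(entry, threats),
                              inventory[host]["impact"],
                              threats.get(entry["product"], "none observed")))
    risks.sort(key=lambda r: r.score, reverse=True)
    return risks, unknown


if __name__ == "__main__":
    risks, unknown = build_risk_register(INVENTORY, SCAN, VULN_FEED, THREATS)
    for r in risks:
        print(f"{r.host:10} {r.vuln_id:7} L={r.likelihood} I={r.impact} score={r.score:2} threat={r.threat}")
    for host, ids in unknown.items():
        print(f"{host:10} NOT IN INVENTORY: impact unknown, affected by {ids or 'nothing known'}")
```

Running it ranks web-01 (vulnerable OpenSSL, active threat, high impact) above db-01 (vulnerable PostgreSQL, no observed threat), leaves jump-01 out entirely because the brute-force threat against OpenSSH has no matching vulnerability to exploit, and lists legacy-07 separately: the threat and the vulnerability are both known, but without the asset record no risk can be assigned, which is exactly the gap the experts describe.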
Partial aspects of individual factors are not covered by the literature or are not considered in practice. However, the contents and the understanding of the factors from the literature analysis agree with those of the experts. The challenges are not supported by all of the experts, because they were not an explicit question; they were only included if there were more than two mentions of the same challenge. The challenges further indicate that a comprehensive model of the factors could help to improve the understanding of information security within organizations and also to improve specific factors.
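The access-control challenges listed above (on-boarding, off-boarding, department changes, and devices and services that carry identities of their own) are the kind of thing the experts say they "check" with identity and access management tooling. As an added example, not taken from the paper or from any product the experts mentioned, the following access review reconciles a constructed HR roster with a constructed directory export against a per-department least-privilege baseline. The roster, accounts, groups and owner mapping are invented; in practice they would come from the HR system, an LDAP or IdP export and the CMDB. It flags leavers whose accounts are still enabled, movers who kept groups from their previous department, non-person identities whose accountable owner has left, and orphan identities with no accountable person at all.

```python
"""Joiner/mover/leaver access review against a least-privilege baseline.

Added example, not part of the original paper. The roster, directory export,
role baseline and owner mapping are constructed for illustration.
"""

# Constructed HR roster: who is employed, where, and whether they have left.
HR_ROSTER = {
    "alice": {"status": "active", "dept": "finance"},
    "bob":   {"status": "left",   "dept": "it"},
    "carol": {"status": "active", "dept": "sales"},   # moved here from finance
}

# Constructed directory export: every identity, person or not, with its groups.
DIRECTORY = {
    "alice":      {"enabled": True, "groups": {"finance-ro"}},
    "bob":        {"enabled": True, "groups": {"domain-admins"}},
    "carol":      {"enabled": True, "groups": {"finance-ro", "sales-crm"}},
    "svc-backup": {"enabled": True, "groups": {"backup-operators"}},
    "printer-3f": {"enabled": True, "groups": {"domain-admins"}},
}

# Need-to-know baseline: the groups a department legitimately needs.
ROLE_BASELINE = {
    "finance": {"finance-ro"},
    "sales":   {"sales-crm"},
    "it":      {"domain-admins", "backup-operators"},
}

# Non-person identities (services, devices) and the person accountable for each.
IDENTITY_OWNERS = {"svc-backup": "bob"}


def review_access(hr, directory, baseline, owners):
    """Return sorted (account, finding, detail) triples for every account that
    violates the joiner/mover/leaver rules described in the lead-in."""
    findings = []
    for account, record in directory.items():
        person = hr.get(account)
        if person is not None:
            # Leaver rule: an off-boarded person must not keep an enabled account.
            if person["status"] == "left" and record["enabled"]:
                findings.append((account, "leaver_still_enabled",
                                 ",".join(sorted(record["groups"]))))
            # Mover rule: groups outside the current department's baseline are excess.
            elif person["status"] == "active":
                excess = record["groups"] - baseline.get(person["dept"], set())
                if excess:
                    findings.append((account, "excess_groups", ",".join(sorted(excess))))
            continue
        # Non-person identity: it needs an accountable owner who is still active.
        owner = owners.get(account)
        if owner is None:
            findings.append((account, "orphan_identity",
                             ",".join(sorted(record["groups"]))))
        elif hr.get(owner, {}).get("status") != "active":
            findings.append((account, "owner_not_active", owner))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding, detail in review_access(HR_ROSTER, DIRECTORY, ROLE_BASELINE,
                                                  IDENTITY_OWNERS):
        print(f"{account:12} {finding:22} {detail}")
```

On the constructed data the review reports bob (left, still enabled, still a domain admin), carol (kept "finance-ro" after moving to sales), printer-3f (a device identity in "domain-admins" with nobody accountable for it) and svc-backup (owned by a leaver), while alice passes. The device and service cases are why the experts see IoT, mobile devices and cloud infrastructure as a growing access-control problem: each is an identity that needs the same lifecycle handling as a person.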

Relevance validation of MSFs
The "valence or intensity analysis" ( Section 3.3 ) was used to not just validate the factors concerning their content but also to determine their relevance in practice to the information security of an organization. Therefore, the scope of the analysis was also set to the whole interview transcripts but the main question supporting this validation is Q1.2 . A 4-point Likert-scale which points out the importance of the factor for the information security of the organization is used. The coding of the scale is from not important (not imp) to important (imp). Table 1 shows an assorted view of the result. The assortion is based on the sum of the codings for "not important" and "rather not important" in conjunction with the sum of the coding "rather important" and "important", descending by the importance of the MSFs.
This result support, that all factors are relevant in practice. The last three factors are "Organizational factors", "CIA" and "Compliance & Policy". For all of them, the experts do have an explanation, why they are less important than the other factors. "Compliance & Policy" are not important for the information security of the organization itself but are necessary to comply with the law, to enforce countermeasures and to align the top management of the organization. The "CIA" factor is a goal factor and is useful to com- municate and explain different risks or attacks and their impacts. "Organizational factors" are less important because there are cases, in which these factors are important but there are also attack scenarios in which this factor is not important. The management has to consider all the factors in order to make good decisions. The proposed factors are valid in their context as well as relevant in practice for decision-makers and thus are now called management success factors (MSFs).

Control questions
The main control questions Q3.1 and Q3.2 ask for factors which are important for making decisions but are not present in the interview guide, and for the most unimportant factor. Most experts (12) do not have a factor which they consider really unimportant. The only factors mentioned were "Compliance & Policy" and "CIA", which agrees with the ranking of the previous result. The question about missing factors results in a similar picture: 10 experts do not mention any missing factor. The factors named as missing by the others are "management support", "external interfaces", "threat landscape" and "strategy", which are part of the coding and thus already included in the aggregation of the literature analysis.

A comprehensive model of MSFs
The purpose of this research was the development of a comprehensive model of MSFs for information security decision-makers. This result section combines the previous results, the evaluated and relevant MSFs, and adds the interdependencies between them.
The interdependencies were explored with the help of the "contingency or interrelation analysis" method (Section 3.3). The scope was the whole interview transcripts. The following text modules are examples used to identify interrelations:
• ...have a direct impact on...
• ...is a basis to...
• ...is essential for...
• ...is the goal from...
• ...is considered in...
Fig. 2 shows all MSFs with their interrelations based on the expert interviews. Solid ovals represent the MSFs. Dotted ovals represent concepts necessary to explain certain interdependencies. In this case, "Information security" represents the information security status of an organization; the statement behind it is that certain factors have a direct impact on the information security status of the organization. The dotted oval "Countermeasures" is a part of the factor "Security management" but has important interdependencies which were explained by the experts. Thus, security management itself does not have a large impact on other factors, but it defines and implements countermeasures which do influence the MSFs given in the figure. Rectangles in the figure cluster multiple MSFs with the same interdependency to other MSFs. The dotted line within the rectangles indicates that all MSFs left of this line are not primarily the responsibility of the information security department of an organization. They belong to other departments, such as corporate security in the case of "Physical security" and business continuity in the case of "Continuity". However, the collaboration between the departments is very close and these MSFs must certainly be considered in information security as well.
Key security indicators. The term key security indicator is not present in the literature but is mentioned by practitioners. Key security indicators are MSFs which have a direct impact on the security status of the organization. Therefore, the rectangle which includes the MSFs "Physical security", "Vulnerability", "Access control", "Awareness" and "Infrastructure" contains the key security indicators. Because of their direct connection to the information security concept, these factors are considered indicators of the actual information security status of an organization. Security management has to implement countermeasures to actively improve these factors. They are the most important factors because of their direct impact.
Security goals. The MSFs "Continuity" and "CIA" are the protection goals of information security. This cluster is considered in the "Risk" MSF through data classification and as a communication instrument which describes the impact of certain risks to top managers or technical employees. Disasters and continuity concerns are also considered as risks, which are the basis for recovery plans. The security goals are considered the least important part of the MSF model by the experts (Section 4.2.2), because they do not actively improve the security status and only help to prioritize risks and communicate them to business management.
Risk. The MSF "Risk" has the most interrelations and is the basic input for "Security management". It uses the security goals as described before. A prerequisite and a part of risks are the key security indicators: they show the current information security status, from which weaknesses are derived. This, in combination with possible threats, the impact on the organization, and the likelihood of occurrence, is a risk. Risks influence "Security management" and are a basis to prioritize and define "Countermeasures". Management mostly uses standards and best practices like ISO/IEC 27000 (ISO/IEC, 2018), NIST SP 800-30 (NIST, 2015), NIST SP 800-37 (NIST, 2018a) or others to deal with risks and derive countermeasures in a structured way.
Security management. The cluster with "Organizational factors" and "Resources" contains MSFs which cannot be directly influenced by the experts. They are either given, in the case of "Organizational factors", or set by business management, in the case of "Resources". They are considered in "Security management" in conjunction with the "Risk" MSF, which together are the basis for developing and implementing countermeasures that should improve the key security indicators. "Compliance & Policy" are aids which help to enforce countermeasures with employees and are necessary to comply with laws. "Compliance & Policy" is split into external and internal rules, which causes the interdependency in both directions to and from the "Security management" MSF: "Security management" defines internal rules, and external rules influence "Security management". These rules are considered the least important by the experts (Section 4.2.2), because they do not actively improve the security situation but are helpful to enforce countermeasures and to deal with the topic.

Discussion and future research
The results of this research propose a comprehensive model of MSFs with their interdependencies for information security decision-makers. The MSFs were proposed based on the literature and evaluated by experts from practice. These interviews also support interdependencies between the MSFs. The combination of these results leads to the comprehensive model of MSFs.
Practitioners, as well as the literature, stated the need for a comprehensive view of the information security of organizations.
The proposed model supports an abstract and comprehensive view of the complex topic of information security from the management perspective. The different MSFs are not explained in great detail, but the interdependencies between them and the overall decision-making process are presented in this research. The model gives decision-makers a basis for information security management and helps to decide whether certain countermeasures are necessary or even useful. It is not just a basis for security managers but also for business management as well as technical employees. With the help of this model, they are able to understand the difficulties and retrace certain decisions better. A better understanding also leads to better alignment and awareness.
The results are related to several other studies. Past literature provides detailed explanations and studies of different factors and states their importance. Studies also deal with models of individual factors, like awareness and its components. This research provides a comprehensive overview of high-level factors (MSFs), a validation of them and a discussion of their relevance, which has been criticized as missing in past articles. The research adds value to the research community by exploring the interdependencies between the evaluated MSFs and proposing a comprehensive model from the perspective of information security decision-makers. Best practices and standards are very generic and mostly describe processes. But a complete implementation does not necessarily lead to better security, and the standards have been criticized, also by the experts in the interviews, as being merely frameworks for achieving compliance. The interdependencies of the comprehensive model in this research help to decide which countermeasures are appropriate and which are not necessary. The standards and best practices give action proposals for improving the MSFs and thus complement this research with the next step after the decision has been made.
Current standards and best practices, for example the ISO/IEC 27000 series, the NIST SP 800 series or the ISF, are important to structure the processes of improving the information security of an organization. These documents either describe processes based on a risk management approach to implement countermeasures or define controls which have to be implemented to comply with the standard. Most experts in the interviews said that they combine two or more of them and use the concepts they need or that are appropriate for improving the information security status of their organization. The proposed model contributes to these standards by improving the overall understanding of the concepts described in the standards and the interdependencies between them. The model also offers a way to report the information security status based on the MSFs. Such reporting is missing in the current standards and best practices as well as in research articles. A reporting standard, or suggestions for one, is a need expressed by all of the interviewed experts. Experts also struggle to report information security decisions and status to business management in an abstract and understandable way. The current solution of the interviewed experts is to develop their own reporting standard. These reports do not contain aspects which can be compared with other businesses or even other business units. The results of this research address these needs and can be used as a basis for such a reporting standard. Experts are also looking for dedicated technical solutions like threat intelligence platforms, security incident management systems and information on indicators of compromise, to mention just three. These technologies help to consolidate various information and present it to management. Each technology is useful for a specific area. This research can help to argue for the implementation of specific technologies, to illustrate their role in the overall security context and to identify gaps within the security landscape of an organization in which technologies could help.
The result can also be interpreted from the perspective of the information security status of an organization. From this perspective, the model indicates, that the key security indicators are important to improve the information security status of the organization. This interpretation in mind, small-and medium-sized businesses with fewer resources and not that much competence could implement light-weight countermeasures, which focus on the key security indicators. It could be a quick-win for the decisions in those organizations to focus on the key security indicators. This does not mean, that the standards and best practices or even the other factors of the model should be ignored by small-and medium-sized business. To continuously improve and monitor the information security status in a structured way, the processes and concepts of these standards have to be implemented and used. The proposed model can help these businesses and their management with less expertise in the field of security to understand the interdependencies between relevant concepts, understand which factors are influential and also which factors a manager has to consider by making decisions. Even which factors have to keep in mind to make well-informed decisions.
This study uses a mixed-method approach with a literature analysis followed by semi-structured interviews to generate the results. Although a rigorous methodology was used, the study has several limitations. Despite the validation and the discussion with experts, a bias in the interpretation of the texts and the creation of the codes cannot be excluded. The surveyed experts are mainly active in large organizations. Some of them were previously employed in smaller businesses, but the inclusion of opinions from managers of smaller organizations could change the outcomes and the importance of individual factors.
The results give many opportunities for future research. The proposed model is based on interdependencies which were explored by a qualitative study. These interdependencies should be further tested with quantitative approaches to ensure their validity. Certain MSFs were clustered into rectangles. There could be interdependencies between the MSFs they contain on deeper levels, which are not explored in this study. A deeper look within certain proposed MSFs would also be a possibility for future research. Open questions from past literature could be addressed with a more focused approach based on these results. Leon and Saxena (2010) identified a gap in the security metrics approach, which was not goal-focused in the past, and suggested the development of a goal list which could improve further security metrics development. This comprehensive model and its MSFs could be considered as a list of security goals from the management perspective and thus can be the basis of such research. Also, past metrics approaches are mainly based on individual security processes and are thus not appropriate for cross-organizational comparisons ( Bayuk, 2013 ). A metrics approach based on a comprehensive model could be suitable for this. Furthermore, the interview partners requested a dashboard and a reporting standard for key security indicators, which are not present in standards, best practices or research articles. To reduce the shortcomings, a future study is possible which includes small- and medium-sized businesses and integrates them into the proposed model.
Information security managers should consider all the explored MSFs when taking decisions. Countermeasures and processes should not only be adopted because they appear in standards and best practices, but because they are appropriate in the given situation. A common practice is also the fallback to risk acceptance ( Bayuk, 2013 ), which does not improve the security status at all but is very easy to implement. The results of this study facilitate the understanding of the complex topic of information security and enable more people to make appropriate decisions and take the right actions in their current situation.

Conclusion
This research suggests a comprehensive model of management success factors (MSFs) for information security decision-makers. To this end, a literature analysis of 136 articles with an open-axial-selective approach was used to identify factors which influence the information security decisions of managers. A validation of these factors, as well as a check of their relevance, was supported by an interview series with 19 experts from practice. This resulted in 12 MSFs. To finally develop the comprehensive model, the interviews served as the basis for exploring interdependencies between the MSFs. This research suggests that "Physical security", "Vulnerability", "Access control", "Infrastructure" and "Awareness" are key security indicators which have a direct impact on the information security status of an organization. "Security management" has to consider "Risks", "Organizational factors" and available "Resources" in order to generate countermeasures, which in turn influence the key security indicators. "Compliance & Policy" is an aid to enforce countermeasures and to be compliant with laws. The widely discussed MSF "Risk" considers the security goals "CIA" and "Continuity" and also uses the key security indicators to determine a risk level, which is used to prioritize countermeasures.
This research offers a high-level view of the complex topic of information security decision-making from the perspective of security management experts. The comprehensive model of MSFs helps them, other employees and business management to better understand the security needs and certain decisions in this context, and thus improves their awareness. The future development of goal-oriented metrics and methods to quantify the status of information security, as well as methods to aggregate them based on the key security indicators, is not only of interest in research but is also requested by practitioners.

Declaration of Competing Interests
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.