Information security risk factors and management framework for ICT outsourcing / Nik Zulkarnaen Khidzir

Information Communication Technology (ICT) services have become increasingly important in today’s business environment with most private and government agencies without sufficient resources and expertise outsourcing their ICT projects to vendors. However, this strategy could invite potentially damaging information security risks (ISRs). Subsequently, a dedicated framework for information security risk management for ICT outsourcing activities needs to be in place to address and manage its related risk factors. The research focuses on managing Information Security Risks (ISRs) in ICT outsourcing projects in a Malaysian environment. The mixed research method, combining the quantitative and qualitative was employed to achieve the research objectives. 110 respondents participated in a survey while focus groups from eight organizations were interviewed. From the quantitative study, the critical information security risks in ICT outsourcing project were identified and ranked. Furthermore, through an exploratory factor analysis, two additional critical Information Security Risk (ISR) factors were discovered, being information security management defects and the challenges of managing unexpected change of service providers...