Critical Success Factors for an Effective Security Risk Management Program: An Exploratory Case Study at a Fortune 500 Firm

We investigate differences in perception between management and staff with regard to the influence of critical success factors (CSFs) on security risk management (SRM) effectiveness at a Fortune 500 company. Nine CSFs are confirmed to exist in the organization. Management and staff agree that each CSF is important for SRM effectiveness, but differ on the level of importance of each CSF. With regard to six of the nine CSFs (executive management support, organization maturity, open communication, holistic view of organization, corporate security strategy, and human resource development), management and staff concur on their current implementation, and have a positive perception about their impact. The results also indicate that both management and staff are not satisfied with the current practices pertaining to risk management stakeholders, team member empowerment, and security maintenance. Recommendations are presented for the organization as part of possible solutions to counter the dissatisfaction with these three CSFs.