Information Technology Governance Mechanisms For Organisational Security Commerce Essay


This paper reports research-in-progress on IT governance in Malaysian firms. The paper addresses the determinants and impact of IT governance effectiveness based on previous studies. This is followed by the development of a proposed research framework and hypotheses.

Keywords: IT governance; structure; process; relational mechanisms; organisational culture; environmental uncertainty


The booming growth of e-commerce, e-business, and social and business networking has exposed the management of corporate information to a wide range of internal and external vulnerabilities, thus demanding mitigation of risk through proper information technology (IT) governance or, more specifically, through extenuating frameworks such as the Service Oriented Architecture governance framework [11]. Academicians and IT practitioners have included IT governance as part of an organisation's overall effective internal control to address security issues and manage risk [27]. IT governance focusing on information security has thus become an integral part of corporate governance strategy and of the strategic information systems plan [17].

The rising interest in IT governance is also partly due to regulatory compliance initiatives (e.g. Sarbanes-Oxley in the United States, Basel II in Europe), as well as the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organisation. In Malaysia, compliance law such as the Malaysian Code of Governance, enforced since the year 2000, is based on the Committee of Sponsoring Organizations of the Treadway Commission's Internal Control - Integrated Framework (COSO), which sets out best practices on structures and processes in operations towards achieving a good governance framework.

IT Governance

IT governance refers to three core elements, i.e. structure, process, and relational mechanisms [14]; [41]; [61]. Other researchers refer to IT governance as how IT decisions are made and who is responsible for making decisions [19]; [20]; [26]; [48]; [56]; [62]; [65]. To Rolich [46] and Webb et al. [60], IT governance means the control and monitoring of IT-related risks.

Congruent with the definitions provided by de Haes and van Grembergen [14], and Peterson et al. [40], IT governance in this research refers to a mixed set of IT resource structures, processes and relational mechanisms put in place to lay out how decisions are made, who is responsible for making decisions, who is responsible for ensuring that decisions get implemented, and that decisions actually do get implemented.

Why IT Governance?

IT governance is important for several reasons. Firstly, IT is an expensive venture. Since most organisations see IT as an essential and necessary asset for business growth and organisational performance, considerable investments are made to build IT-enabling infrastructure. However, increased IT expenditure may not necessarily deliver the desired business value. Thus IT practitioners have expounded the need for governance to be articulated throughout the IT investment process to ensure that the required value and expected business goals are delivered [33].

IT governance is a vehicle to enable organisational sustainability. Given that IT is essential for day-to-day business operation and for promoting business growth and innovation, IT must be managed properly via effective IT governance. Innovation in IT is considered critical and fundamental for future and long-term sustainability.

IT governance is a tool for achieving business and IT alignment. Coordinated IT governance enables business units to work in partnership with IT so that business requirements are met. In order to do so, a culture of openness and collaboration should be cultivated to create a state of harmony between business and IT.

Business operations relying on IT are vulnerable to many IT-related risks. IT governance provides the necessary shield to protect organisational information and infrastructure from harmful threats. Realising this, most organisations have turned to a specific, additional layer of protection through enterprise-wide IT security governance, like ISO17799.

Research Gap

In the past, researchers on IT governance have attempted to define IT governance [40]; [60]; [52] and understand the factors that are associated with the effectiveness of IT governance [45]; [10]; [12]; [26]; [32]; [59]. Researchers have shown the relationship between IT governance and organisational performance [45]; [39]; [3]; [23]. The research design used in previous research was primarily exploratory and qualitative [48]; [36]; [6]; [38]; [63]; [65]; [64], and very few studies adopted quantitative methods. Further, the research was set in places such as the United States [56]; [52], Australia [36]; [59], and Europe [41]; [29]; [15]; [16].

Organisations in a developing country such as Malaysia present organisational values distinct from those in developed countries. This research attempts to fill the following gaps:

The lack of empirical findings on IT governance in Malaysian firms.

An integrated framework that can explain the factors influencing effectiveness and importance of IT governance practices and its effects on organisational performance.

Findings that could be generalised to the Malaysian context.

The application of quantitative research design in IT governance research.

Thus, this study seeks to answer the following research questions:

Is there a gap between effectiveness and perceived importance of IT governance practices in Malaysian firms?

What are the factors that influence IT governance effectiveness in Malaysian firms?

Is there a relationship between IT governance effectiveness and organisational performance?

Hence, the research objectives are as follows:

To determine the gap between effectiveness and perceived importance of IT governance implementation in Malaysian firms

To explore factors that influence IT governance implementation effectiveness in Malaysian firms

To identify the types of organisational characteristics (higher IT budgets, larger organisations, longer established organisations, equity structure) that influence IT governance effectiveness in Malaysian firms

To investigate whether higher information intensity relates to more effective IT governance in Malaysian firms

To investigate whether Malaysian firms with higher environmental uncertainty have more effective IT governance

To investigate whether Malaysian firms with certain types of organization culture have more effective IT governance

To investigate whether Malaysian firms with a more mature IT infrastructure have more effective IT governance

To determine if IT governance implementation effectiveness has effects on organisational performance in Malaysian firms

To develop, validate and test a framework for IT governance implementation effectiveness that would explain the scenario of Malaysian firms

Research Model

The research model will draw on theories from the following sources of literature:

IT governance implementation mechanisms [41]; [61]; [14]; [15]; [16];

dependent variable taken from resource-based view (RBV) [10]; [29]; [32];

independent variables based on SISP [28]; [41]; organisational theories [10]; [12], information security management [9].

Organisational Performance

Past research has shown that there is a significant relationship between IT governance and organisational performance [45]; [39]; [23]. IT governance in this study refers to the structure, process, and relational mechanisms put in place when implementing IT strategy. Several studies have confirmed that IT governance practices like corporate communications systems [57], management collaboration with the CIO [8], and shared knowledge between business and IT [25] are practices for effective IT governance, which lead to performance impact. We posit that effective IT governance practices solicit stronger support for business process improvements [32]. Firms with more effective IT governance search out opportunities for competitive advantage, seek IT-based opportunities in value chain activities, and use IT to leverage unique business strengths.

Therefore, it is hypothesized that:

H1: There is a relationship between IT governance effectiveness and organisational performance.

Organisational demographics

Organisational demographics highlight the influence of determinants such as organisational size [18]; [48], company nationality [54], and firm's age. Though adoption of IT governance best practices and/or frameworks like COBIT, ITIL, ISO9000, TQM etc. has been reckoned to be important for all sizes of organisations [53]; [21], a study by Bernroider [4] showed that some IT governance practices are more prevalent in large organisations than others.

Studies have also shown that parent firms that are owned by foreign companies are more regulated than parent firms that are locally owned [13]; [54]. A firm that is obliged to be regulated will be more able to implement practices and/or principles of IT governance than those that are not.

In this study, firm age represents the number of years since the firm was incorporated. In a quantitative study in the United States, Ravichandran and Lertwongsatien [43] found that firm age was significantly negatively related to firm performance. The researcher postulates that longer-incorporated organisations tend to resist changes, particularly when implementing IT governance initiatives.

Therefore, it is hypothesized that:

H2a: There is a relationship between organisational size and IT governance effectiveness.

H2b: There is a relationship between company nationality and IT governance effectiveness.

H2c: There is a relationship between firm's age and IT governance effectiveness.

Information intensity

Information-intensive industry is grouped as a construct on its own due to its profound effects on IT governance practices as reported in the prior literature [28]; [54]; [59]. An information-intensive industry uses IT to support its core activities and identify strategic opportunities [7]; [28]. Organisations in this type of industry are more dependent on IT for the operation of business processes. Information-intensive companies seek out ways to manage and exploit their IT governance [7].

The following research hypothesis is postulated:

H3: There is a relationship between firms in information-intensive industry and IT governance effectiveness.

Environmental uncertainty

Environmental uncertainty does play a significant role in IT governance implementation. External factors like government and regulatory policies, competitive pressure, environmental dynamism and turbulence, are said to influence IT governance implementation [40]; [45]; [28]; [65].

The following research hypothesis is postulated:

H4: There is a relationship between firms' external environment and IT governance effectiveness.

Organisational culture

The inclusion of organisational culture would provide an interesting finding to this study, as prior studies have shown its significant effect on IT governance success or effectiveness [24]; [10]; [12]; [9]; [58]; [25]; [59]. Organisational culture has an influence in implementing IT governance strategy and enables communication of that strategy to support strategic directions [10]. Thus:

H5: There is a relationship between types of organisational culture and IT governance effectiveness.

IS function characteristics

IS function characteristics represent factors like size of IT budget, size of IT department, and IS function maturity. IT budget refers to the IT spending or IT investments [44]; [50]. With a low level of IT investment, an organisation would not expect progressive IT governance [54].

Sabherwal and Chan [44] used the number of IS employees to represent the size of the IT function. A meta-analysis conducted by Lee and Xia [34] showed that IS department size was a stronger predictor of IT innovation adoption.

In Lee and Pai [33], maturity of the IS function was found to have a significantly positive effect on the effectiveness of SISP practices. The greater the IS maturity present in an organisation, the more likely a decision is perceived as important and the greater the chance of implementation.

Thus, the following hypotheses are postulated:

H6a: There is a relationship between size of IT budget and IT governance effectiveness.

H6b: There is a relationship between size of IT function and IT governance effectiveness.

H6c: There is a relationship between IS function maturity and IT governance effectiveness.

Figure 1 models the research framework of this study.

[Figure 1: Research Model. Diagram not reproduced; boxes: Organisational demographics (H2a, b, c), Information intensive, Environmental uncertainty, Organisational culture, IS function characteristics, IT governance, Organisational performance.]

Proposed Research Methodology

The unit of analysis is the organisational level. The research targets private organisations in the Klang Valley, in Malaysia. The research will adopt a cross-sectional survey as the main approach, via the development of a survey questionnaire and the use of a self-administered procedure. The population and sampling frame will be drawn from Bursa Malaysia (Stock Exchange), the Federation of Malaysian Manufacturers (FMM) directory and several other directories including Superpages and Yellow Pages. Since the study expects to get responses on strategic issues, respondents at middle or lower management levels are excluded. A candidate at a high level in the organisational hierarchy is more appropriate for this research. Therefore, the key informants for this study are expected to be CIOs, IT directors or vice presidents of IT. The data analysis strategy will cover three phases, i.e. descriptive, exploratory and confirmatory analysis, to achieve the objectives of the research.

Significance Of Study

There will be several theoretical and empirical contributions of this research. The first is the identification of factors affecting IT governance. The second is the development of a framework that integrates the determinants and the impact of IT governance effectiveness. The research expects to develop, validate and test the proposed research framework. Thirdly, with the use of a quantitative research approach, this research expects to contribute to the application of research methods for IT governance. The findings from validation and testing of the proposed framework are expected to serve as important guidelines and strategies for administrative policy-making for high-level IT executives in focusing on key elements of IT governance effectiveness, their determinants and outcomes.

Progress To Date

This paper reports research-in-progress efforts. Currently, the compilation of a survey questionnaire is underway. The next step would be an exploratory case research with selected CIOs to validate the questionnaire and enhanced research model. The questionnaire will then be distributed to several IS academicians for a pre-test. Feedback from these two groups will be incorporated into a revised questionnaire for distribution in a pilot study.