Theorizing the concept and role of assurance in information systems security

Assurance has different meanings, depending on the source, audience, and interpretation. We applied institutional theory and the Capability Maturity Model to conceptualize assurance: its symbolic aspects to gain social acceptance, and its substantive aspects to improve organizational capability and effectiveness in performing IS security risk management (SRM). An empirical study examined assurance-seeking behavior and outcomes for regulatory compliance. Some degree of process maturity in SRM was found necessary for producing convincing verbal accounts and compliance evidence. Findings suggest that unless an organization's assurance claims are based on achieving Level 4 maturity, assurance will be based more on symbolism than effectiveness.