To help practitioners effectively implement security programs, we explored the interrelationship between security objectives and practices by conducting a canonical analysis based on the data from 354 certified security professionals. We found that for moderately information-sensitive organizations, “Confidentiality” had the highest correlation with information security practices. In these organizations, the security practice contributing most to the security objectives was “Access Control”. For highly information-sensitive organizations, the “Confidentiality”, “Accountability,” and “Integrity” together determine the security practices. In these organizations, the major security practices that impact on security objectives are: “Access Control”, “Organizational Security”, and “Security Policy”. “Access Control” was the only practice contributing to information security objectives in both groups. The items in this dimension focused mainly on technical controls.
Ma, Qingxiong and Pearson, J. Michael, "The Interrelationship Between Objectives and Practices in Information Security Management" (2005). AMCIS 2005 Proceedings. 444.