This paper explores whether IT and audit professionals have different perceptions of the substantive and symbolic perspectives of information security assurance and the role of security configuration management (SCM) using a mixture of qualitative and quantitative approaches. Importance performance analysis (IPA) is utilized to identify differences in perceived importance and perceived controllability from both substantive and symbolic perspectives between these two professional groups. Our results suggest that SCM plays a vital role in maintaining consistency between the IT and audit professionals by enhancing their confidence in controlling and managing information security control sets. IPA also helps determine an information security program's strengths and weaknesses and supports remedial strategic actions more efficiently. Implications for both research and practice are discussed.

You do not currently have access to this content.