SECURQUAL: An instrument for evaluating the effectiveness of enterprise information security programs

Paul Steinbart, Robyn L. Raschke, Graham Gal, William N. Dilla

Research output: Contribution to journal › Article › peer-review

27 Scopus citations


The ever-increasing number of security incidents underscores the need to understand the key determinants of an effective information security program. Research that addresses this topic requires objective measures, such as number of incidents, vulnerabilities, and non-compliance issues, as indicators of the effectiveness of an organization’s information security activities. However, these measures are not readily available to researchers. While some research has used subjective assessments as a surrogate for objective security measures, such an approach raises questions about scope and reliability. To remedy these deficiencies, this study uses the COBIT Version 4.1 Maturity Model Rubrics to develop an instrument (SECURQUAL) that obtains an objective measure of the effectiveness of enterprise information security programs. We show that SECURQUAL scores reliably predict objective measures of information security program effectiveness. Future research might use the instrument as a surrogate effectiveness measure that avoids asking respondents to disclose sensitive information about information security incidents and vulnerabilities.

Original language: English (US)
Pages (from-to): 71-92
Number of pages: 22
Journal: Journal of Information Systems
Issue number: 1
State: Published - Mar 1 2016


  • Information security
  • Information security effectiveness
  • Internal audit
  • Survey instrument development

ASJC Scopus subject areas

  • Management Information Systems
  • Software
  • Information Systems
  • Accounting
  • Human-Computer Interaction
  • Information Systems and Management
  • Management of Technology and Innovation

