Doctoral Research Project Report

Summary of interviews with information security experts in

Vietnam

Duy Dang-Pham
School of Business IT and Logistics
RMIT University, Melbourne, Australia
[email protected]

Unpublished Report: Please do not reproduce without authors permission

Acknowledgement
On behalf of the research team, I would like to thank the six information security experts who have
contributed their valuable time and insights to this report and my doctoral research project. Your
contributions have provided me a clearer understanding of the critical success factors of ISO 27001s
implementation projects in Vietnamese context, which will guide my research in the later phases.

Executive summary
This report summarises insights about the critical success factors of ISO 27001 implementation
in Vietnamese context, which were resulted from interviews with six information security
experts in March 2015. The semi-structured interviews (questions are included in Appendix)
are parts of a doctoral research project and were conducted by the author as a PhD candidate at
RMIT University. The interviewed data was analysed within- and cross-cases, then compared
with prior researches in other contexts to find matching patterns. As a result, 10 critical factors
belonging to three implementation phases were found and illustrated in a framework.

Background
Despite the growing attention to cyberthreats in Vietnam, the local information security
landscape still demands urgent responses. According to the recent ICT Whitebook published by
the Vietnamese Ministry of Information and Communications (Vietnam MIC 2014), in 2013
there were only 27.5 per cent of organisations which have implemented information security
policies, and 21.7 per cent of those having processes to handle information security incidents in
place. Furthermore, implementation of other controls remained at low levels e.g. data
protection (23.9 per cent), hardware, software and system protection solutions (28.2 per cent),
just to name a few. Provided that Vietnam belonged to the top 4 countries in the world that face
the highest risk of online infection (Kaspersky 2014), the current investment in information
security protection appears to be falling far behind the threats.
Regarding the implementation of ISO 27001 in Vietnam, there were 39 valid certificates
distributed in 2013 (ISO 2015). As information security is currently not prioritised in
Vietnamese firms, those organisations that were certified for ISO 27001 would have undergone
many challenges so to change the existing security state. Consequently, those cases in the
Vietnamese context would be considered interesting and worth investigating, not because of
them being the leading examples but rather potential for providing lessons learned about how
organisations could overcome or even exploit the challenges to achieve internationally
recognised ISMS.

Research method
Invitations were sent to information security experts involved in ISO 27001 implementation
projects in Vietnamese private firms over a period of one month. The researchers approached
the experts from online professionals social media platforms and forums such as LinkedIn and
Facebooks community pages of Vietnamese IT experts, as well as via personal contacts and
referrals. Among the seven experts who agreed to be interviewed, one from an multinational
hardware manufacturing enterprise refused to participate after consulting with the their
1|Page

Unpublished Report: Please do not reproduce without authors permission

external affairs department. In overall, the invited experts displayed concerns about answering
topics related to organisational information security, even though ethics clearance and
measures to protect the participants anonymity have been demonstrated.
Semi-structured interviews in Vietnamese were conducted in-person and online with six
information security experts (Table 1), and the interviews were audio recorded. The interviews
structure and questions were designed by three information systems academics following the
responsive interviews format suggested by Rubin and Rubin (2011). All interviews last for one
hour on average, and quick analyses were performed after every interview to add or modify
questions in the next one.
Table 1: Participants' profiles
Occupation
#1
#2
#3
#4
#5
#6

Information security
experience
Consultant/Auditor
3 years
IT Manager
14 years
Consultant
5 years
Information Security Officer 7 years
Deputy IT Director
10 years
Data Security Manager
3.5 years

Industry
Banking and financial services
IT services
Banking
IT services
Banking
Engineering and electronics

Research findings
Consistent with ISO 27001 guideline (Plan-Do-Check-Act), an information security management
systems (ISMS) implementation project consists of three phases: (1) Formation, (2) Implementation,
and (3) Adoption. Formulation involves designing the secure measures and processes to be
implemented in the next phase. Implementation entails exploiting the persuasive and enforcing
approaches to influence employees perceptions of information security, and Adoption aims at
maintaining and fostering those desired perceptions. More important, 10 critical success factors
were found in each of the above phases.
For a brief summary of the critical success factors, please refer to Table 2 in page 5.

Formulation phase
The initial Formulation stage which focuses on designing acceptable information security controls
has been a topic of interest emphasised by standards (e.g. the Plan phase in ISO 27001) and
academic research.
To begin with, brevity and clarity are expected for a control to be effective, especially for
information security policy. From our interviews, being concise was recognised as important
features of not only the policy but also its communication. Effective communication of information
security would be determined by selecting effective implementation measures rather than the
design of the policy alone. In fact, having the end users read the policy was not recommended, as
they could be overwhelmed by the content however it is tailored.
Secondly, the policy as a formal guideline of information security activities needs to be practically
implementable and enforceable. These criteria essentially require top management support and
participation that subsequently affect the scope of the policy and the allocation of supporting
2|Page

Unpublished Report: Please do not reproduce without authors permission

resources. Furthermore, we found the experts only expected the top management to provide
sufficient resources and authority to enforce the proposed items. In practicality, top management
executives were described to be occupied with other commitments, hence their active participation
was not anticipated. The visibility of supportive actions and commitment are instead demanded
more from the employees immediate supervisors to encourage compliance due to their closer
power distance.
While the interviewed experts were aware of user resistance as a result of the trade off between
end users cost of compliance and organisational security, they could only seek inputs from the
department heads who are assumed to accurately represent the voice of their business units. This
dilemma is due to the limited resources that prevent the information security team from taking into
account everyones opinions, as well as the risk of failing to reach a consensus by doing so.
Subsequently, this emphasises the roles of the business units representatives and the information
they provide when designing the controls. In summary, stakeholders management appears to be
most critical during the Formulation stage.

Implementation phase
The Implementation stage involves communicating the defined controls and evaluate for their
effectiveness(Karyda et al. 2005), which corresponds to both Do and Check phases of the ISO
27001s PDCA model. The goal of this stage is to increase and evaluate the end users security
awareness and compliance.
Increasing perception of risk, as well as recognition and tangible rewards for information security
efforts were recommended for increasing compliance. The experts revealed that personal threats
(e.g. punishment) and rewards (e.g. recognition, money) only work as the stimulants that encourage
individuals involvement in information security activities. The greater implications of these factors,
which help the end users to recognise the importance of having the information security controls in
place, must be achieved by explaining to them the mutual benefits and consequences (of compliance
and violation) of themselves and their organisation as a whole. It is also vital to educate the
employees about their roles and responsibilities in protecting the organisations information security.
Consistently, the interviewed experts also emphasised roles and responsibility as the critical and
only factor that is used to enforce information security.
A number of studies have investigated the use of training and its impacts on compliance, especially
that those measures may need to be tailored according to the employees varied levels of computer
understanding. While our findings continue to support these discussions and add that training
program should be interactive and fun to attract end users engagement, they elaborated further the
characteristics of the trainers and especially the sources of information security influence in the
work environment.
Supervisors actions and co-workers socialisation have been empirically supported to constitute
information security environment that subsequently influences individuals compliant intention. The
experts in our case further discussed that only formal leaders who have knowledge about
information security and authority could be taken seriously by the others and influence their
information security decisions. Moreover, trainers with unique experiences and communication
styles could improve information security learning. However, careful consideration is needed when
3|Page

Unpublished Report: Please do not reproduce without authors permission

using norms to disseminate information security. Practitioners may leverage high collectivism to
efficiently communicate the desired messages, but uncontrolled norms would promote compliance
as a voluntary choice and jeopardise its intended image as the employees work duty.
The research by Guo and Yuan (2012) specified that formal sanctions did not have a direct impact on
the employees intention to violate policy but rather indirectly via personal and workgroup sanctions,
thus informed that security enforcement may not be effective as the influence approach. Our
findings, which is also in an Asian context, supported that punishments are not suitable for
motivating compliance but should only be used as a deterrent of violations. Instead, the experts
suggested the use of agreements or continuous reminders such as banner, poster, or emails to
constantly promote information security.

Adoption phase
Both the Act phase of ISO 27001s PDCA model and the Adoption stage entail the continuous
improvement of the ISMS, which goal is to develop an information security culture.
One of the critical factors that contributes to the cultivation of information security culture is
organisational culture. Our findings extended that highly hierarchical organisations could exploit
their culture to enforce information security more effectively by taking the Train for Trainers tactic
which delegates information security dissemination to a group of key authoritative persons. More
importantly, autocratic culture with large distance between the top management and the end users
was argued to result in autonomous departments which allow inconsistency between the
announced policy and its actual enactment.
In addition, information security culture could be developed more easily depending on the industries.
For example, banking sector which requires high responsibility would increase end users acceptance
of the security measures to protect themselves from legal issues. Moreover, contexts such as
Vietnam where protecting information and security risks are not common topics would pose as a
challenge for implementation of information security. Nevertheless, it can be compensated by
exploiting the characteristics of the national culture such as high collectivism to disseminate
information security more effectively.
A summary of the discussed critical factors is presented in Table 2 below.

4|Page

Unpublished Report: Please do not reproduce without authors permission

Table 2: Critical factors of ISO 27001s implementation in Vietnam

Formulation

Critical factors
Concise and practical
controls

Top management support

Joint design of controls

between InfoSec team and
department heads

Perceived threats and

rewards

Implementation

Cost of compliance

Roles and responsibility

Training, monitoring and
evaluation

Social interactions (top

managements actions and
co-workers socialisation)

Adoption

Sanctions
National and organisational
cultures

Findings
Confirmed the importance of brevity and clarity of
information security controls
Extended that brevity and clarity of information security
controls would be better achieved via selecting appropriate
communication means rather than their design
Specified that only financial and authoritative supports are
required but not active participation in the project (which
could be hard to achieve in practicality)
Confirmed the importance of collaboration between InfoSec
team and department heads
Extended that importance of end users opinions was
acknowledged, but was challenging to consider everyones
inputs
Confirmed the importance of communicating threats and
rewards to employees
Extended that threats and rewards should be
communicated as mutual consequences and benefits of
both the organisation and its end users, so to support
importance of having information security controls and
compliance
Confirmed the existence of cost of compliance, which may
lead to user resistance
Extended that cost of compliance is inevitable, and it may
only be reduced by designing better controls in the
Formulation stage
Supported that educating roles and responsibility
significantly enhances compliance
Extended that training should be made interactive and fun
(e.g. quizzes with rewards) to improve end users
engagement; agreements and reminders can be used to
continuously promote information security
Controversial debate about whether internal or external
trainers would deliver better training
Specified that only formal leaders that have knowledge and
authority would be able to influence others information
security attitude and behaviour;
The use of norms or peers influence to change information
security attitude and behaviour needs to be carefully
considered
Extended that sanctions should be better used as a
punishing tool but not motivation of compliance
Supported that national and organisational cultures
influence implementation of information security

5|Page

Unpublished Report: Please do not reproduce without authors permission

Summary framework
The critical factors identified from the six in-depth interviews are encapsulated within the
framework in Figure 1. Information security culture was described as the desired state that an
information security implementation project would want to achieve, thus makes it the top of the
illustrated structure. At its rooftop position, information security culture is supported by three blocks
including positive habit, prosocial behaviour, and compliance.
Compliance alone would constitute an information security environment, but for such environment
to be converted into culture it would require the other two blocks. Further down, compliance is
affected by the employees information security awareness and knowledge, as well as cost of
compliance. While the prior could be achieved with its supporting blocks, cost of compliance was
inevitable and can be reduced only during the Formulation stage of the implementation project.
Finally, Vietnamese and organisational contexts are two stand-alone factors affecting the
implementation approaches that need to be thoughtfully selected. For instance, collectivist culture
and hiearchical distance in the organisation were discussed to determine the effectiveness of
training and social interactions in communicating information security.
Green and plain blocks denote organisations factors, while those with orange and diagonal pattern
belong to the employees. The Vietnamese context and culture is independent from both the
organisation and its employees, thus coloured distinctively. Moreover, the important outcomes have
their text bolded and colour darkened.

Figure 1: Framework of critical factors for ISO 27001 implementation in Vietnam

6|Page

Unpublished Report: Please do not reproduce without authors permission

Appendix
Interview questions
BACKGROUND
The participants experience related to information security (IS) management
Current roles related to IS management
IS landscape in Vietnam (e.g. how organisations feel concerned about IS, standards being applied
etc.)
IS POLICY IMPLEMENTATION
*Based on past and current experience of the interviewee, not necessarily about current firm

Step-by-step of the implementation process

The stakeholders and their roles in the implementation process
The critical factors of a successful implementation process
The methods and factors that contribute to effective communication of IS to the employees

DEVELOPING IS ENVIRONMENT AND CULTURE

How to develop an IS environment and culture?
The factors that change the employees perceptions of IS matters
The factors that motivate the employees compliance with IS policy
How to make the employees prioritise IS in their daily operations?
Should organisations enforce or convince their employees to comply with IS policy?

References
Guo, K. H., and Yuan, Y. 2012. The effects of multilevel sanctions on information security violations:
A mediating model, Information & Management (49:6)Elsevier B.V., pp. 320326.
ISO. 2015. ISO/IEC 27001 - Information security management, Management system standards, .
Karyda, M., Kiountouzis, E., and Kokolakis, S. 2005. Information systems security policies: a
contextual perspective, Computers & Security (24:3), pp. 246260.
Kaspersky. 2014. Kaspersky Security Bulletin 2014, .
Rubin, H. J., and Rubin, I. S. 2011. Qualitative interviewing: The art of hearing data, Sage Publications.
Vietnam MIC. 2014. Vietnam Information and Data on Information and Communication Technology
Whitebook 2014, Hanoi, Vietnam.

7|Page