Article Info

Critical Success Factors for Strategic Information Security Policy Implementation in Malaysia's Public Sector

Surayahani Hasnul Bhaharin, Umi Asma' Mokhtar, Maryati Mohd Yusof, Rossilawati Sulaiman
dx.doi.org/10.17576/apjitm-2026-1501-06

Abstract

The implementation of strategic information security policy in Malaysia's public sector faces various challenges that require an understanding of critical success factors. This study addresses challenges arising from governance gaps in effective information security management in Malaysia's public sector. This study aims to examine the critical success factors that influence the implementation of strategic information security policy and provide a comprehensive understanding of the key elements that contribute to effective implementation. This study employs a qualitative case study approach, with data collected through semi-structured interviews with key stakeholders involved in information security governance in government agencies. Thematic analysis was used to identify and analyze critical success factors across four main factors: (i) leadership and management support, (ii) human and organizational factors, (iii) environmental factors, and (iv) process factors. The findings indicate that effective policy implementation requires holistic integration among these factors, specifically focusing on organizational culture, stakeholder perceptions, regulatory compliance, and continuous risk management. This study contributes practical insights for developing security frameworks that are contextually appropriate and tailored to the unique administrative and legislative complexities of Malaysia's public sector, as well as contributing to the literature on information security governance by providing empirical evidence and strategic recommendations to enhance information security policy implementation practices.

keyword

Information security, information governance, strategic information, public sector, information security policy, information security management.

Area

Strategic Information Systems