Information security is necessary not only to protect an organization's resources, but also to ensure the
reliability of its financial statements and other managerial reports (AICPA and CICA, 2008). Consequently,
COBIT4 (ITGI 2007), a normative framework for control and governance of information technology,
stresses that it is a component of management's governance responsibilities to design and implement a cost-effective
information security program.