A FRAMEWORK FOR RESEARCH IN INFORMATION SECURITY MANAGEMENT
Sindhuja Parakkattu, University of Toledo, (419)-530-5644, [email protected]
Dr. Anand. S. Kunnathur, University of Toledo, (419)-376-5391, [email protected]
ABSTRACT
Information security is a critical issue for organizations around the globe. All organizations
are involved in information-handling activities, and it therefore becomes increasingly important to
organize, manage and disseminate information in a useful and secure manner. Extant research in
information security has mostly focused on technological controls to protect information from
threats and vulnerabilities. The information security literature widely discusses the role of
information systems (IS) and information technology (IT) in the secure management of information.
However, practitioners and academicians have started to realize that effective organizational
information security lies in the coordination of people, processes and technology. This motivates the
development of a research framework for information security management that ensures the
selection of adequate and proportionate security controls that protect information assets and give
confidence to business stakeholders. As organizations become more and more interconnected,
effective information security management will help to build trust and commitment in
inter-organizational activities.
AN OVERVIEW OF INFORMATION SECURITY RESEARCH
In today's dynamic and competitive business environment, an effective information system is part of
the essential infrastructure of most organizations. Information systems include not only the
hardware, software, data and other information assets, but also the people, policies, and procedures
associated with the gathering, distribution, usage and maintenance of the information. As
organizations rely more and more on information systems to perform most of their business
operations, concerns about controlling and securing information become paramount. Increased
organizational dependence on information systems has led to a relative increase in the impact on the
organization of compromised information security [1]. In this context, information security
management (ISM) is a critical issue that is beginning to attract the attention of the research and
practice communities. ISM focuses on streamlining the management activities that create an
organizational framework within which the information system operates, and mainly aims at
protecting the information assets of the organization [2]. It includes ensuring the security of
information through proactive management of information security risks, threats and vulnerabilities.
This requires ISM to be built into the daily business operations and aligned with the overall
business objectives of the organization.
The real challenge of information systems is to ensure that the information is of the highest quality
in terms of timeliness, completeness, accuracy, confidentiality, reliability, readability and
appropriateness [3, 4, 5]. As organizations experience unacceptably high levels of security abuses,
they seldom provide consistently high quality information resources to meet managers'
requirements [6]. The cost of compromising the information for any reason is extremely grave in
terms of the damage caused by monetary losses, disruption of internal processes and
communication, loss of potential sales, loss of competitive advantage, wasted time, effort and
manpower and even lost business opportunities, while it also damages reputation, goodwill, trust and
business relationships [7, 8].
Most of the past studies on ISM focused on the technological [9] and administrative [10, 11] issues
from an IS or IT perspective. However, the challenges faced by ISM stem from those related to the
management of the organization as a whole. In spite of the vast resources expended by organizational
entities attempting to secure information systems through technical controls and restrictive formal
procedures, occurrences of security breaches and the magnitude of consequential damage continue
to rise. The weakest link in the security chain appears to be the absence of, or inadequate emphasis
on, the behavioral and organizational aspects of ISM. Effective organizational information security
depends on managing three components, namely people, process and technology. Werlinger et
al. [12] tried to provide an integrated view of the human, organizational and technological factors that
contribute to the complexity of security-related challenges. The study aimed at providing
suggestions for improving security tools and processes. Though they identified and
described 18 challenges that can affect ISM within an organization, the paper is silent on the
implications for organizational performance. Hagen et al. [13] tried to assess the effectiveness of
implemented organizational information security measures and suggested that awareness-creating
activities should be encouraged in organizations where security measures are implemented. Though
the authors looked at the effectiveness of such measures from a technical and administrative
standpoint, the study did not take into consideration other critical factors of management. Further,
the implications of the assessed effectiveness of security measures for organizational output are not
dealt with. Studies have been done to measure the effectiveness of ISM along various individual
dimensions. Chang and Lin [14] examined the influence of organizational culture on the
effectiveness of ISM implementation. The authors suggested that the human dimension of information
security cannot be resolved by technical and management measures alone. They proposed a
research framework relating organizational culture traits to the principles of ISM. Ashenden [15]
addressed the human challenges of ISM and pointed out that information security management
depends on technology, processes and people. The author suggests that organizations should look into
the skills that are needed to change the culture and build effective communication between all
members of the organization with regard to information security.
It is evident from the available information security literature that while ISM is a multidimensional
phenomenon, reflecting technical, management and institutional perspectives [16], most of the
research emphasis has been on the technical and formal aspects of ISM. Effective ISM seems to be
an organizational challenge and no longer merely a technical commitment. In this regard, the
research framework we propose to develop examines the challenges of ISM by exploring the
objectives, practices and other management factors that could influence organizational
performance and competitive advantage.
ISM Objectives and Practices
To safeguard organizational information assets from internal and external security threats, a variety of
information security standards and guidelines have been proposed and developed. The phrase
"security framework" has been used in a variety of ways in the security literature over the years, but
the British standard BS 7799 promoted the term information security management system (ISMS),
which came to be used as an aggregate term for the various documents and architectures, from a
variety of sources, that give recommendations on topics related to information systems security,
particularly with regard to the planning, managing, or auditing of overall information security
practices for a given institution. BS 7799/ISO 17799 deals with ISMS requirements and is used
within companies to create security requirements and objectives. The Generally Accepted System
Security Principles (GASSP) is a joint international attempt to develop a protocol to achieve
information integrity, availability and confidentiality. However, ISO 17799:2005 (ISO 27001) is the
widely accepted and suitable model for ISM, as it adequately addresses various security issues in
organizations [17].
Qingxiong Ma et al. [18] examined the objectives of ISM and the management practices used to
achieve them, as well as the relationship between information security objectives and practices.
They identified the four objectives most frequently considered for ISM: confidentiality, integrity,
availability and accountability. The proposed framework therefore uses these objectives for its
purpose. The ISO 17799 (ISO 27001) code of practice covers 10 control areas: security policy,
organizational security, asset classification and control, personnel security, physical and
environmental security, communications and operations management, access control, systems
development and maintenance, business continuity management, and compliance. The authors
refined these practices and obtained 8 practices commonly used by ISM professionals. The
framework also takes those 8 practices, which are in alignment with the ISO 17799 code of practice
for ISM, as the basis for ISM practices.
Other critical organizational factors
Identifying and addressing other critical organizational factors that have practical significance for
ISM will give a comprehensive perspective to the organizational view of information security
management. As most of the operational, procedural and technical part of ISM is covered by the
ISM objectives and practices, other factors that drive the need for ISM need to be considered. Based
on the literature, some of the factors identified are top management support, organizational culture
and structure, self-efficacy, and awareness creation [19].
Top Management Support: According to an Auburn University study sponsored by the
International Information Systems Security Certification Consortium ((ISC)2), obtaining senior
management support is one of the most critical issues influencing information security effectiveness
in organizations today [20]. The survey found that 62% of respondents' daily tasks require the exchange
of information or cooperation with others. Implementing information security programs therefore
requires exceptionally high levels of task interdependence, which warrants greater levels of
executive support to be successful. Knapp et al. [21] examined the impact of top management
support on organizations' security culture and security policy enforcement. Low levels of support
were found to go with an organizational culture less tolerant of good security practices, and also to
retard the enforcement of security policies. Considering top management support to be an important
driver for ISM, the study proposes to include top management support as one of its dimensions.
Organizational Culture: Culture is considered the operating system of an organization, as it
directs how employees think, act and feel [22]. It is also evident from the literature that the culture
paradigm is associated with the existing practices and roles in an organization [23]. Consequently,
exploring the various cultural traits that facilitate an organization's performance of ISM is of utmost
importance from an organizational perspective. Hall [24] identified 10 streams of culture useful for
addressing security issues that might emerge in any given setting. Later, Dhillon [25] named it
the web of culture, consisting of 10 streams, namely interaction, association, subsistence, gender,
temporality, territoriality, learning, play, defense and exploitation. Chang and Lin [14] used two
dimensions, internal/external orientation and flexibility/control orientation, in their study on the
influence of organizational culture on ISM. The four constructs of organizational culture that
emerged out of these two dimensions were cooperativeness, innovativeness, consistency and
effectiveness. The research framework proposes to use the Chang and Lin cultural constructs to
measure organizational culture.
Self-efficacy: The eventual success of information security depends on appropriate information
security practice behaviors by all who are associated with the system, and especially by the end
users. Rhee et al. [26] explored the antecedents of individuals' self-efficacy beliefs in information
security and tested relationships among self-efficacy in information security, security practice
behavior and motivation to strengthen security efforts. This study also considers self-efficacy as an
important construct for ISM in an organization.
Awareness Creation: Hagen et al. [13] pointed out that awareness-creating activities have a greater
impact on ISM than the technical and administrative measures applied by organizations.
Increasing awareness of security issues is the most cost-effective measure that any organization
can envisage [25]. This framework considers awareness as part of the ISM dimensions.
Organizational Performance
Organizational performance is a broad construct which captures what agencies do, produce, and
accomplish for the various constituencies with which they interact. However, there is no universally
recognized measure of organizational performance. Venkatraman [27] studied respondents'
perception of organizational performance with respect to market and financial performance. This
measure has been used in many studies that examined organizational performance [28, 29].
Competitive Advantage
When a firm's sustained profit pattern exceeds the industry average, the firm is said to possess a
competitive advantage over its competitors. From a resource-based perspective, a firm is said to
have a competitive advantage when it is implementing a value-creating strategy not implemented, or
not simultaneously being implemented, by any current or potential player. It defines the capabilities
that differentiate an organization from its rivals. Suhong Li et al. [29] used price, quality,
delivery dependability, product innovation and time to market as the dimensions of the competitive
advantage construct.
Research Agenda
We represent the framework using the conceptual model given in Figure 1. The model depicts
organizational factors as the drivers of information security management. ISM objectives and
practices are the dimensions used to assess ISM. Further, the influence of ISM, driven by the
organizational factors, on performance and competitive advantage is represented in the model. The
research framework proposes to:
Develop a comprehensive framework for ISM, reflecting, in addition, the organizational dimensions of security concerns.
Examine the role of each dimension towards effective ISM.
Examine the influence of ISM dimensions on organizational performance and competitive advantage.
Figure 1: The Conceptual Model (boxes: Top management support, Organizational culture, Self-efficacy, Awareness creation; ISM objectives, ISM practices; Organizational performance, Competitive advantage)
Deliverables
Every business, big or small, faces major financial consequences from loss of data or a breach of
security. Of the various types of security breaches occurring in the US, 47% were security
incidents involving corporations and businesses [30]. The bottom line is that a business cannot
afford to take the risk of ignoring data loss and security breach exposure. Therefore it is imperative
that an organization give due consideration to the information security management aspects. This
conceptual framework aims at providing a better understanding of information security
objectives and practices, considering other organizational factors, for effective information
security management. Information security management plays a vital role in addressing the security,
compliance and efficiency needs of an organization. This provides a vast range of benefits, which
include a holistic understanding of the organization's security status across its assets, prioritizing
security occurrences, avoiding security breaches and demonstrating conformity with regulations in
a much more efficient fashion than in the past.
We envision the developed framework to help:
Explore approaches to integrate ISM within the organization
Develop an information security strategy for the organization
Create a pervasive information security culture
Build trust and confidence in inter-organizational activities and processes to strengthen the supply chain.
References
1. Kankanhalli, A., Teo, H.-H., Tan, B. C., Wei, K.-K. An integrative study of information systems security effectiveness. International Journal of Information Management, 2003, 23(2), pp. 139-154.
2. Karyda, M., Kiountouzis, E., Kokolakis, S. Information systems security policies: a contextual perspective. Computers & Security, 2005, 24, pp. 246-260.
3. Wang, R. Y., Strong, D. M. Beyond accuracy: what data quality means to data consumers. Journal of Management Information Systems, 1996, 24(4), pp. 5-34.
4. Caby, E. C., Pautke, R. W., Redman, T. C. Strategies for improving data quality. Data Quality, 1995, 1(1), pp. 4-12.
5. Miller, H. The multiple dimensions of information quality. Information Systems Management, 1996, 13(2), pp. 79-83.
6. Garg, A., Curtis, J., Halper, H. Quantifying the financial impact of information security breaches. Information Management & Computer Security, 2003, 11(2), pp. 74-83.
7. Dhillon, G., Moores, S. Computer crimes: theorizing about the enemy within. Computers & Security, 2001, 20(8), pp. 715-723.
8. Bruce, L. Information security: key issues and developments. 2003, available at: www.pwcglobal.com/jm/images/pdf/Information%20Security%20Risk.pdf.
9. Siponen, M. T., Oinas-Kukkonen, H. A review of information security issues and respective research contributions. The DATA BASE for Advances in Information Systems, 2007, 38(1), pp. 60-81.
10. Kraemer, S., Carayon, P. Computer and information security culture: findings from two studies. In: Proceedings of the 49th Annual Meeting of the Human Factors and Ergonomics Society, Orlando, Florida, 2005, pp. 1483-1487.
11. Mouratidis, H., Jahankhani, H., Nkhoma, M. Z. Management versus security specialists: an empirical study on security related perceptions. Information Management & Computer Security, 2008, 16(2), pp. 187-205.
12. Werlinger, R., Hawkey, K., Beznosov, K. An integrated view of human, organizational and technological challenges of IT security management. Information Management & Computer Security, 2009, 17(1), pp. 4-19.
13. Hagen, J. M., Albrechtsen, E., Hovden, J. Implementation and effectiveness of organizational information security measures. Information Management & Computer Security, 2008, 16(4), pp. 377-397.
14. Chang, S. E., Lin, C. Exploring organizational culture for information security management. Industrial Management & Data Systems, 2007, 107(3), pp. 438-458.
15. Ashenden, D. Information security management: a human challenge? Information Security Technical Report, 2008, 13, pp. 195-201.
16. von Solms, B. Information security: the third wave? Computers & Security, 2000, 19(7), pp. 615-620.
17. Dhillon, G., Backhouse, J. Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal, 2001, 11(2), pp. 127-153.
18. Qingxiong Ma, Johnston, A. C., Pearson, J. M. Information security management objectives and practices: a parsimonious framework. Information Management & Computer Security, 2008, 16(3), pp. 251-270.
19. Siponen, M. T. A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 2000, 8(1), pp. 31-41.
20. (ISC)2. Managerial dimensions in information security: a theoretical model of organizational effectiveness. Auburn University study, available at: http://www.isc2.org/auburnstudy.
21. Knapp, K. J., Marshall, T. E., Rainer, R. K., Ford, F. N. Information security: management's effect on culture and policy. Information Management & Computer Security, 2006, 14(1), pp. 24-36.
22. Hagberg, R., Heifetz, J. Corporate culture: telling the CEO the baby is ugly. Hagberg Consulting Group, San Mateo, CA, 1997, available at: www.hcgnet.com/research.asp.
23. Allen, D. K., Fifield, N. Re-engineering change in higher education. Information Research, 1999, 4(3).
24. Hall, E. T. The Silent Language, 2nd ed. Anchor Books, New York, 1959.
25. Dhillon, G. Principles of Information Systems Security. John Wiley & Sons, NJ, 2007.
26. Rhee, H., Kim, C., Ryu, Y. U. Self-efficacy in information security: its influence on end users' information security practice behavior. Computers & Security, 2009, 28.
27. Venkatraman, N. Strategic orientation of business enterprises: the construct, dimensionality and measurement. Management Science, 1989, 35(8), pp. 942-962.
28. Croteau, A., Bergeron, F. An information technology trilogy: business strategy, technological deployment and organizational performance. Journal of Strategic Information Systems, 2001, 10, pp. 77-99.
29. Suhong Li, Ragu-Nathan, B., Ragu-Nathan, T. S., Rao, S. S. The impact of supply chain management practices on competitive advantage and organizational performance. Omega, 2006, 34, pp. 107-124.
30. Bennet, K. The real risks of business, retrieved from http://www.connecticutbusinesslitigation.com/tags/security-breach/.