A Framework for Research in Information Security Management

Sindhuja Parakkattu, University of Toledo, (419)-530-5644, [email protected]

Dr. Anand S. Kunnathur, University of Toledo, (419)-376-5391, [email protected]

ABSTRACT

Information security is a critical issue for organizations around the globe. All organizations are involved in information-handling activities, and it therefore becomes increasingly important to organize, manage and disseminate information in a useful and secure manner. Extant research in information security has mostly focused on technological controls to protect information from threats and vulnerabilities. The information security literature widely discusses the role of information systems (IS) and information technology (IT) in the secure management of information. However, practitioners and academicians have started to realize that effective organizational information security lies in the coordination of people, processes and technology. This motivates the development of a research framework for information security management that ensures the selection of adequate and proportionate security controls that protect information assets and give confidence to business stakeholders. As organizations become more and more interconnected, effective information security management will help to build trust and commitment in inter-organizational activities.

AN OVERVIEW OF INFORMATION SECURITY RESEARCH

In today's dynamic and competitive business environment, an effective information system is part of the essential infrastructure of most organizations. Information systems include not only the hardware, software, data and other information assets, but also the people, policies and procedures associated with the gathering, distribution, usage and maintenance of the information. As organizations rely more and more on information systems to perform most of their business operations, concerns about controlling and securing information become paramount. Increased organizational dependence on information systems has led to a relative increase in the impact of compromised information security on the organization [1]. In this context, information security management (ISM) is a critical issue that is beginning to attract the attention of the research and practice communities. ISM focuses on streamlining the management activities that create an organizational framework within which the information system operates, and it aims mainly at protecting the information assets of the organization [2]. It includes ensuring the security of information through proactive management of information security risks, threats and vulnerabilities. ISM therefore needs to be built into daily business operations and aligned with the overall business objectives of the organization.

The real challenge of information systems is to ensure that the information is of the highest quality in terms of timeliness, completeness, accuracy, confidentiality, reliability, readability and appropriateness [3, 4, 5]. Organizations that experience unacceptably high levels of security abuse seldom provide consistently high-quality information resources to meet managers' requirements [6]. The cost of compromised information, whatever the cause, is extremely grave in terms of monetary losses, disruption of internal processes and communication, loss of potential sales, loss of competitive advantage, wastage of time, effort and manpower, and even lost business opportunities, while it also damages reputation, goodwill, trust and business relationships [7, 8].

Most past studies on ISM have focused on technological [9] and administrative [10, 11] issues from an IS or IT perspective. However, the challenges faced by ISM stem from those of managing the organization as a whole. In spite of the vast resources expended by organizations attempting to secure information systems through technical controls and restrictive formal procedures, the occurrence of security breaches and the magnitude of the consequential damage continue to rise. The weakest link in the security chain appears to be the absent or inadequate emphasis on the behavioral and organizational aspects of ISM. Effective organizational information security depends on managing three components, namely people, process and technology. Werlinger et al. [12] tried to provide an integrated view of the human, organizational and technological factors that contribute to the complexity of security-related challenges. Their study aimed at providing suggestions for improving security tools and processes. Though they identified and described 18 challenges that can affect ISM within an organization, the paper is silent on the implications for organizational performance. Hagen et al. [13] tried to assess the effectiveness of implemented organizational information security measures and suggested that awareness-creating activities should be encouraged in organizations where security measures are implemented. Though the authors looked at the effectiveness of such measures from a technical and administrative standpoint, the study did not take other critical management factors into consideration. Further, the implications of the assessed effectiveness of security measures for organizational output are not dealt with. Studies have been done to measure the effectiveness of ISM along various individual dimensions. Chang and Lin [14] examined the influence of organizational culture on the effectiveness of ISM implementation. The authors suggested that the human dimension of information security cannot be resolved by technical and management measures alone, and proposed a research framework relating organizational culture traits to the principles of ISM. Ashenden [15] addressed the human challenges of ISM and pointed out that information security management depends on technology, processes and people. The author suggests that organizations should look into the skills needed to change the culture and build effective communication between all members of the organization with regard to information security.

It is evident from the available information security literature that while ISM is a multidimensional phenomenon reflecting technical, management and institutional perspectives [16], most of the research emphasis has been on the technical and formal aspects of ISM. Effective ISM appears to be an organizational challenge and no longer merely a technical commitment. In this regard, the research framework we propose to develop examines the challenges of ISM by exploring the objectives, practices and other management factors that could influence organizational performance and competitive advantage.

ISM Objectives and Practices

To safeguard organizational information assets from internal and external security threats, a variety of information security standards and guidelines have been proposed and developed. The phrase "security framework" has been used in a variety of ways in the security literature over the years, but the British standard BS 7799 promoted the term information security management system (ISMS), which came to be used as an aggregate term for the various documents and architectures, from a variety of sources, that give recommendations on topics related to information systems security, particularly with regard to the planning, managing or auditing of overall information security practices for a given institution. BS 7799/ISO 17799 deals with ISMS requirements and is used within companies to create security requirements and objectives. The Generally Accepted System Security Principles (GASSP) are a joint international attempt to develop a protocol to achieve information integrity, availability and confidentiality. However, ISO 17799:2005 (ISO 27001) is the widely accepted and suitable model for ISM, as it adequately addresses the various security issues in organizations [17].

Qingxiong Ma et al. [18] examined the objectives of ISM and the management practices used to achieve them, as well as the relationship between information security objectives and practices. They identified the four objectives most frequently considered for ISM: confidentiality, integrity, availability and accountability. The proposed framework therefore adopts these four objectives. The ISO 17799 (ISO 27001) code of practice covers 10 control areas: security policy, organizational security, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management, and compliance. The authors refined these practices and obtained 8 practices commonly used by ISM professionals. The framework also takes these 8 practices, which are in alignment with the ISO 17799 code of practice for ISM, as the basis for its ISM practices.

Other critical organizational factors

Identifying and addressing other critical organizational factors that have practical significance for ISM will give a comprehensive perspective to the organizational view of information security management. As most of the operational, procedural and technical parts of ISM are covered by the ISM objectives and practices, other factors that drive the need for ISM need to be considered. Based on the literature, some of the factors identified are top management support, organizational culture and structure, self-efficacy, and awareness creation [19].

Top Management Support: According to an Auburn University study sponsored by the International Information Systems Security Certification Consortium ((ISC)²), obtaining senior management support is one of the most critical issues influencing information security effectiveness in organizations today [20]. The survey found that 62% of the respondents' daily tasks require the exchange of information or cooperation with others, so implementing information security programs requires exceptionally high levels of task interdependence, which warrants greater levels of executive support to be successful. Knapp et al. [21] examined the impact of top management support on organizations' security culture and security policy enforcement. Low levels of support were found to go together with an organizational culture less tolerant of good security practices, and also to retard the enforcement of security policies. Considering top management support to be an important driver of ISM, the study proposes to include top management support as one of its dimensions.

Organizational Culture: Culture is considered the operating system of an organization, as it directs how employees think, act and feel [22]. It is also evident from the literature that the culture paradigm is associated with the existing practices and roles in an organization [23]. Consequently, exploring the various cultural traits that enable an organization to perform ISM is of utmost importance from an organizational perspective. Hall [24] identified 10 streams of culture useful for addressing security issues that might emerge in any given setting. Later, Dhillon [25] named this the web of culture, consisting of 10 streams: interaction, association, subsistence, gender, temporality, territoriality, learning, play, defense and exploitation. Chang and Lin [14] used two dimensions, internal/external orientation and flexibility/control orientation, in their study on the influence of organizational culture on ISM. The four constructs of organizational culture that emerged from these two dimensions were cooperativeness, innovativeness, consistency and effectiveness. The research framework proposes to use the Chang and Lin cultural constructs to measure organizational culture.

Self-efficacy: The eventual success of information security depends on appropriate information security practice behaviors by all who are associated with the system, and especially by the end users. Rhee et al. [26] explored the antecedents of individuals' self-efficacy beliefs in information security and tested the relationships among self-efficacy in information security, security practice behavior and motivation to strengthen security efforts. This study also considers self-efficacy an important construct for ISM in an organization.

Awareness Creation: Hagen et al. [13] pointed out that awareness-creating activities have a greater impact on ISM than the technical and administrative measures applied by organizations. Increasing awareness of security issues is the most cost-effective measure that any organization can envisage [25]. This framework considers awareness as one of the ISM dimensions.

Organizational Performance

Organizational performance is a broad construct that captures what agencies do, produce and accomplish for the various constituencies with which they interact. However, there is no universally recognized measure of organizational performance. Venkatraman [27] studied respondents' perceptions of organizational performance with respect to market and financial performance. This measure has been used in many studies that examined organizational performance [28, 29].

Competitive Advantage

When a firm's sustained profit pattern exceeds the industry average, the firm is said to possess a competitive advantage over its competitors. From a resource-based perspective, a firm is said to have a competitive advantage when it is implementing a value-creating strategy not implemented, or not simultaneously being implemented, by any current or potential player. It defines the capabilities that differentiate an organization from its rivals. Suhong Li et al. [29] used price, quality, delivery dependability, product innovation and time to market as the dimensions of the competitive advantage construct.

Research Agenda

We represent the framework using the conceptual model given in Figure 1. The model depicts organizational factors as the drivers of information security management. ISM objectives and practices are the dimensions used to assess ISM. Further, the influence of ISM, driven by the organizational factors, on performance and competitive advantage is represented in the model. The research framework proposes to:

- Develop a comprehensive framework for ISM that also reflects the organizational dimensions of security concerns.
- Examine the role of each dimension in effective ISM.
- Examine the influence of the ISM dimensions on organizational performance and competitive advantage.

Figure 1: The Conceptual Model (drivers: Top management support, Organizational Culture, Self-efficacy, Awareness Creation; ISM dimensions: ISM Objectives, ISM Practices; outcomes: Organizational performance, Competitive advantage)

Deliverables

Every business, big or small, faces major financial consequences from loss of data or a breach of security. Of the various types of security breaches occurring in the US, 47% were security incidents involving corporations and businesses [30]. The bottom line is that a business cannot afford to take the risk of ignoring its exposure to data loss and security breaches. It is therefore imperative that an organization give due consideration to information security management. This conceptual framework aims at providing a better understanding of information security objectives and practices, together with other organizational factors, for effective information security management. Information security management plays a vital role in addressing the security, compliance and efficiency needs of an organization. It provides a wide range of benefits, including a holistic understanding of the security status of the organization's assets, prioritizing security occurrences, avoiding security breaches and demonstrating conformity with regulations in a much more efficient fashion than in the past.

We envision the developed framework helping to:

- Explore approaches to integrate ISM within the organization
- Develop an information security strategy for the organization
- Create a pervasive information security culture
- Build trust and confidence in inter-organizational activities and processes to strengthen the supply chain

References

1. Kankanhalli, A., Teo, H-H., Tan, B.C., Wei, K-K. An integrative study of information systems security effectiveness. International Journal of Information Management, 2003, 23(2), pp. 139-154.
2. Karyda, M., Kiountouzis, E., Kokolakis, S. Information systems security policies: a contextual perspective. Computers & Security, 2005, 24, pp. 246-260.
3. Wang, R. Y., Strong, D.M. Beyond accuracy: what data quality means to data consumers. Journal of Management Information Systems, 1996, 24(4), pp. 5-34.
4. Caby, E. C., Pautke, R. W., Redman, T. C. Strategies for improving data quality. Data Quality, 1995, 1(1), pp. 4-12.
5. Miller, H. The multiple dimensions of information quality. Information Systems Management, 1996, 13(2), pp. 79-83.
6. Garg, A., Curtis, J., Halper, H. Quantifying the financial impact of information security breaches. Information Management & Computer Security, 2003, 11(2), pp. 74-83.
7. Dhillon, G., Moores, S. Computer crimes: theorizing about the enemy within. Computers & Security, 2001, 20(8), pp. 715-723.
8. Bruce, L. Information security key issues and developments. 2003, available at: www.pwcglobal.com/jm/images/pdf/Information%20Security%20Risk.pdf.
9. Siponen, M.T., Oinas-Kukkonen, H. A review of information security issues and respective research contributions. The DATA BASE for Advances in Information Systems, 2007, 38(1), pp. 60-81.
10. Kraemer, S., Carayon, P. Computer and information security culture: findings from two studies. In Proceedings of the 49th Annual Meeting of the Human Factors and Ergonomics Society, Orlando, Florida, 2005, pp. 1483-1487.
11. Mouratidis, H., Jahankhani, H., Nkhoma, M. Z. Management versus security specialists: an empirical study on security related perceptions. Information Management & Computer Security, 2008, 16(2), pp. 187-205.
12. Werlinger, R., Hawkey, K., Beznosov, K. An integrated view of human, organizational and technological challenges of IT security management. Information Management & Computer Security, 2009, 17(1), pp. 4-19.
13. Hagen, J. M., Albrechtsen, E., Hovden, J. Implementation and effectiveness of organizational information security measures. Information Management & Computer Security, 2008, 16(4), pp. 377-397.
14. Chang, S. E., Lin, C. Exploring organizational culture for information security management. Industrial Management & Data Systems, 2007, 107(3), pp. 438-458.
15. Ashenden, D. Information security management: a human challenge? Information Security Technical Report, 2008, 13, pp. 195-201.
16. von Solms, B. Information security: the third wave? Computers & Security, 2000, 19(7), pp. 615-620.
17. Dhillon, G., Backhouse, J. Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal, 2001, 11(2), pp. 127-153.
18. Qingxiong Ma, Johnston, A. C., Pearson, J. M. Information security management objectives and practices: a parsimonious framework. Information Management & Computer Security, 2008, 16(3), pp. 251-270.
19. Siponen, M. A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 2000, 8(1), pp. 31-41.
20. "Managerial Dimensions in Information Security: A Theoretical Model of Organizational Effectiveness", available at: http://www.isc2.org/auburnstudyAbout (ISC)2.
21. Knapp, J. K., Marshall, E. T., Kelly Rainer, R., Nelson Ford, F. Information security: management's effect on culture and policy. Information Management & Computer Security, 2006, 14(1), pp. 24-36.
22. Hagberg, R., Heifetz, J. Corporate culture: telling the CEO the baby is ugly. Hagberg Consulting Group, San Mateo, CA, 1997, available at: www.hcgnet.com/research.asp.
23. Allen, D.K., Fifield, N. Re-engineering change in higher education. Information Research, 1999, 4(3).
24. Hall, E. T. The Silent Language, 2nd ed. Anchor Books, New York, 1959.
25. Dhillon, G. Principles of Information Systems Security. John Wiley & Sons, NJ, 2007.
26. Rhee, H., Kim, C., Ryu, Y. U. Self-efficacy in information security: its influence on end users' information security practice behavior. Computers & Security, 2009, 28.
27. Venkatraman, N. Strategic orientation of business enterprises: the construct, dimensionality and measurement. Management Science, 1989, 35(8), pp. 942-962.
28. Croteau, A., Bergeron, F. An information technology trilogy: business strategy, technological deployment and organizational performance. Journal of Strategic Information Systems, 2001, 10, pp. 77-99.
29. Suhong Li, Ragu-Nathan, B., Ragu-Nathan, T. S., Rao, S.S. The impact of supply chain management practices on competitive advantage and organizational performance. Omega, 2006, 34, pp. 107-124.
30. Bennet, K. The real risks of business. Retrieved from http://www.connecticutbusinesslitigation.com/tags/security-breach/.