8/8/2019 Information Security in the Extended Enterprise: Some Initial Results From a Field Study of an Industrial Firm
INFORMATION SECURITY IN THE
EXTENDED ENTERPRISE
Presented by
Aditya Ahuja (054)
Anshul Pachouri (6503861)
Pooja Bagga (085)
14/10/2010 Information Security In the Extended Enterprise 1
Each firm's security decisions have an impact on the overall security of the information infrastructure.
Managing the security of the sensitive information flowing across the extended enterprise is a significant and under-researched topic.
Three research efforts that address the core information security issues pertaining to the efficacy of economic and other potential drivers of information security are:
1) To understand how firms adapt information security capabilities.
2) To assess interdependency risk magnitude.
3) To evaluate the information security gap.
Interviews with security and supply chain executives and managers at a host firm and four of its direct suppliers.
Interviews were designed to elicit the knowledge and beliefs of the interviewed individuals.
The host firm is a Fortune 500 manufacturing firm with plants and sales worldwide.
13 individuals were interviewed; interviews lasted from 30 minutes to 2 hours.
Candidates had to use some form of electronic communication to manage their supply relation with the host.
Candidates would be a range of sizes in terms of their annual revenue.
Candidates would provide products directly used in the host's products.
Candidates should be close to a small set of geographic locations.
Drivers of adoption of information security
1) InfoSec managers protecting their firm's internal network and data.
2) Government regulation and customer requirements.
Hence, as a group the interviewed firms made few or no demands on their suppliers for levels of information security, although Supplier B said that they would start having requirements in the near future.
Information security risk: The risk associated with the internal IT system and information due to integration of supply chain systems. Examples: e-mail, VPN, web applications.
Supply chain continuity risk: The risk to the firm's ability to produce a product due to supply chain disruption caused by information infrastructure events.
Use of phone and FedEx is preferred to avoid the risk.
Technology
Market Conditions
Government Regulations
Government Spending
Litigations
Cost-Benefit
Standard Setting Best Practices
Most of the executives who were interviewed focused purely on the cost trade-off of security, disregarding the possibility of increased revenue. These costs can be broken into two major groups:
Costs of avoiding security failures.
Costs of security failures.
Cost of avoiding security failures | Cost of security failures
Cost of prevention                 | Cost of internal failure
  Firewall / Antivirus             |   Lost productivity
  Training                         |   IT services restoration
Cost of appraisal                  | Cost of external failure
  Audits                           |   Lost confidence / revenues
  Monitoring                       |   Litigations
  Intrusion detection              |   Fines
Costs of avoiding security failures, such as ongoing security appraisals and investments in preventive measures like installing a firewall.
Costs associated with security failures: either internal failures that are not observed by customers, or external failures that are observed by those outside the firm.
Internal failures are security problems that are discovered internally, resulting in costs such as lost productivity (for example, lost worker productivity and restoring information services).
External failures, such as exposing confidential information, can lead to many costs including litigation, fines, and brand damage.
According to one of the clients, even when information security does not increase revenue there can still be a positive business value for increasing information security.
This client felt that even though increasing information security would likely not increase profits directly, the processes put in place would take costs out of the business.
As an example the client talked about single sign-on: while this was being done for reasons of information security, it would reduce her costs as well as increase the efficiency of her staff.
This study examined how firms identify and manage information security risks internally and within their supply chains.
Our initial results are from a sample size of 5, industry-specific, which lead us to believe:
Firms are adopting levels of information security that are appropriate for their internal operations.
Market forces, in the form of customer requirements or qualifications, are the primary driver for additional information security measures.
The interviewed firms were reactive in their approach to information security.
Firms need to pay more attention to the risks they are exposed to as a result of using the information infrastructure to manage their extended enterprise.