A broad definition of information security is given in ISO/IEC 17799 (2000) standard as:
"The preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods), and availability (ensuring that authorized users have access to information and associated assets when required)" (ISO/IEC 17799, 2000, p. viii).
Before computer and Internet security emerged in the many dimensions we see today, the basic security focus of most organizations was the protection of physical assets. In organizations that used computers during the early years of computing, security meant protecting data from natural disasters and from malicious actions. With the introduction of the personal computer, computer security became a focus in its own right.
Businesses and other institutions that hold large volumes of information require defensible management of that information, and this has become a major issue for them. Such organizations make intensive use of security technologies. In recent years, practitioners and academics alike have come to realize that information cannot be secured by technological tools and software alone: to manage information security effectively within an organizational setting, three components must be addressed together, namely people, processes and technology.
As information and computer security technology has matured, many routine activities, for example patch management and antivirus updates, have been automated to reduce the knowledge and time demands on users. Behaviours such as the proper use of computer and network resources and sound password habits, however, can only be addressed by the employees themselves rather than by security technology, and are therefore mostly managed through organizational computer security policies. Surveys of security incidents (2005b) show that staff negligence and non-compliance frequently cost organizations millions of dollars in losses. Mishra and Dhillon (2006) argue that the failure rate in managing information security, and the rise in security breaches caused by end-user non-compliance, are evidence of unsuccessful IS security control programs that do not provide the resources that help employees conform to policy. Although organizations have long adopted acceptable-use policies and consider them important, empirical research on this topic is still emerging.
2. Background Theory and Application
Information security problems negatively affect almost every aspect of an organization's operations, and this is an issue for public sector as well as private sector firms. Some of the recurring security concerns that today's organizations face include "identity theft, security of transactions over the Internet, viruses, spyware, security breaches of confidential information, securing networks and databases, corporate accountability through the Sarbanes-Oxley Act, internal controls through COSO (Committee of Sponsoring Organizations), information technology (IT) governance through COBIT (Control Objectives for Information and related Technologies), etc." Within business firms, security architectures exist at the operational level for networks, data, databases, applications, infrastructure and web services. Yet awareness of an information security architecture for enterprise security governance is incomplete or nonexistent.
Over the past several years, the focus of information security has evolved from physically securing computer centers, to securing information technology systems and networks, to safeguarding business information systems. Computer centers have since grown into data centers that house many servers and databases. These databases contain data and information that is critical to the economic survival and productivity of the organization. Over time, computer architecture moved from stand-alone settings to networked systems; before that, there was no notion of computers communicating with one another. The arrival of networked computer systems ushered in a new age of computer communications.
The growth of computer networks and the arrival of the Internet have further broadened the scope of information security. Through the Internet, computers can now communicate and share information with computers outside an organization's network and beyond its computer center. This new mode of communication meant that the earlier security model was no longer sufficient to meet the threats and challenges inherent in the new technology infrastructure. Widespread communication among computer users over the Internet, and the sharing of information that goes with it, call for a new model of information security management capable of handling today's security challenges. The purpose of this new model is to protect the enterprise's business information systems and to secure the environment in which business operations take place. Meeting this challenge also requires the revival of risk management as a key element of information security management.
3. Purpose of Research
Through this research study the researcher aims to explore the positive and negative attitudes of managers and employees towards the security of the information systems in their organizations. The researcher will attempt to determine how information security management can be improved as a repeatable management process. Survey questionnaires administered to staff and to information security professionals, particularly managers, will be used to explore behaviours such as password habits and computer use. The researcher will also develop a suitable framework and methodology that may facilitate the integration of information security management with other enterprise business processes.
4. Research Problem
There have been incidents in which an organization's confidential information was disclosed because employees were careless, causing losses for the organization. Much attention is given to securing computer networks with the latest technologies, but less emphasis is placed on policy making and on training staff in the organization's information security. Some research has evaluated organizational security practices and their effectiveness, but it has focused mostly on IT administrators or top-level managers (e.g., Choi et al. 2006; Dhillon and Torkzadeh 2006; Knapp et al. 2005b; Loch et al. 1992; Ma and Pearson 2005; Straub and Collins 1990), and there is a need for a study of the computer use and password habits of ordinary workers.
5. Research Questions
The following research questions follow from the research problem statement. They cover the major aspects of information security management, i.e. its main principles, policy structure, integration with management procedures, and its importance to the enterprise planning process.
1: How do various information security related beliefs, attitudes and perceptions shape end-user behaviour?
2: How can employee security behaviour be influenced? How do the various incentive mechanisms, more specifically penalties, social pressures and perceived contribution, influence employee compliance with security policy?
3: Do the organizational security values perceived by end users play a role in security behaviour?
General Review of the Research Field
Generally, organizations have been able to accomplish specific security goals and objectives using internally developed security practices, drawing on their history of security incidents together with the skills and experience of internal staff. Most of these security management activities have been focused at the technical and operational levels. Hong et al. (2003) suggest that even at these levels there is an absence of a formal framework and methodology for security management, which they attribute to a lack of security management theory (Hong et al., 2003). The lack of security management theory that Hong et al. (2003) allude to could also explain the absence of consensus on what constitutes an information security framework in the broader sense. Perks & Beveridge (2003) define a framework as
…a reasoned, cohesive, adaptable, vendor-independent, technology independent, domain-neutral, and scalable conceptual foundation for detailed architecture representation (Perks & Beveridge, 2003, p. 437).
It could be argued that ISO/IEC 17799 (2000) or COBIT 4.0 (2005) can be viewed as a framework. However, ISO/IEC 17799 (2000) is a standard that provides general guidance on how to deal with information security issues. It was designed as a guide that would appeal to a wide variety of organizations across industries, and it does not appear to have a theoretical foundation for information security management. As von Solms (2005) noted, additional work is required by users to integrate ISO/IEC 17799 (2000) into a specific organizational security framework (von Solms, 2005). COBIT is a tool for information technology governance (COBIT 4.0, 2005) and is not specific to information security management. This lack of specificity in information security governance makes it difficult to use COBIT as a framework or methodology for information security management. If, on the other hand, information security is managed as part of IT governance, then COBIT would be useful in that respect, but only for managing overall IT governance, of which information security is one part. Rungta et al. (2004) argued in favour of a new approach to information security management, and their study concluded that existing enterprise security management structures are inadequate (Rungta et al., 2004, p. 304). Such a conclusion may reflect the fact that information security is still maturing as a discipline, and that information security management continues to evolve.
The nature of information security management in the past made it possible…