… Security
A broad definition of information security is given in ISO/IEC 17799 (2000) standard as:
"The preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods), and availability (ensuring that authorized users have access to information and associated assets when required)" (ISO/IEC 17799, 2000, p. viii).
Before computer and Internet security emerged in the forms we see today, the basic security focus within most organizations was the protection of physical assets. In organizations that used computers in the early years of computing, security meant protecting data from natural disasters or malicious acts. With the introduction of the personal computer, computer security became a focus of organizations.
Business organizations and other institutions that hold large amounts of information need dependable management of that information, and this has become a major issue for them. These organizations make intensive use of security technologies for information security. In recent years practitioners and academics have come to realize that information cannot be secured by technological tools and software alone; to manage information security effectively in an organizational setting, three components must be addressed: people, processes and technology.
As information and computer security technology has advanced, many routine tasks, for example patch management and antivirus updates, have been automated to reduce the knowledge and time demands on users. However, behaviors such as the proper use of computer and network resources and adequate password habits can only be addressed by employees themselves rather than by security technologies, and these are mostly managed through organizational computer security policies. Surveys of security incidents (2005b) reveal that staff negligence and non-compliance frequently cost organizations millions of dollars in losses. Mishra and Dhillon (2006) argue that the failure rates in managing information security, and the rise in security breaches caused by end-user non-compliance, are evidence of unsuccessful IS security control programs that do not address the resources that help employees comply with policies. Although organizations have long adopted acceptable computer use policies and consider them important, empirical research on this topic is still emerging.
2. Background Theory and Application
Information security problems negatively affect almost every aspect of an organization's operations, in public sector as well as private sector firms. Some of the common security matters that today's organizations face include "identity thefts, security of transactions over the Internet, viruses, Spyware, security breaches of confidential information, securing networks and databases, corporate accountability through Sarbanes-Oxley Act, internal controls through COSO (Committee of Sponsoring Organizations), information technology (IT) governance through COBiT (Control Objectives for Information and related Technologies), etc." Within business firms, security architectures exist at the operational level for networks, data, databases, applications, infrastructure, and web services. Yet awareness of an information security architecture for enterprise security governance is incomplete or nonexistent.
Over the past many years the focus of information security has developed from physically securing computer centers, to securing information technology systems and networks, to safeguarding business information systems. Computer centers have since developed into data centers that house many servers and databases. These databases hold data and information that is critical to the economic survival and productivity of organizations. Over time, computer architecture developed from stand-alone settings to networked systems; before this there was no notion of computers communicating with each other. The arrival of networked computer systems ushered in a new age of computer communications.
The growth of computer networks and the arrival of the Internet have further broadened the scope of information security. Using the Internet, computers can now communicate and share information with computers outside an organization's network and beyond its computer center. This new mode of communication meant that the previously used security model was no longer enough to meet the threats and challenges inherent in the new technology infrastructure. Widespread communication among computer users over the Internet, and the sharing of information, call for a new model of information security management if today's security challenges are to be handled. The purpose of this new model is to protect the business information systems of the enterprise and to secure the business operating environment. Meeting this challenge also requires the revival of risk management as a key element of information security management.
3. Purpose of Research
Through this research study the researcher aims to explore the positive and negative attitudes of managers and employees toward the security of the information systems in their organizations. The researcher will attempt to determine how information security management can be improved as a repeatable management process. The researcher will use survey questionnaires for staff and for information security professionals, particularly managers, to explore behaviors such as password habits and computer use, and will also develop a suitable framework and methodology that may facilitate the integration of information security management with other enterprise business processes.
4. Research Problem
There have been incidents where an organization's confidential information was disclosed because employees were not careful, causing losses for the organization. Much attention is given to computer network security using the latest technologies, but less emphasis is placed on policy making and on training staff in the organization's information security. Some research has evaluated organizational security practices and their effectiveness, but it has mostly focused on IT administrators or top-level managers (e.g., Choi et al. 2006; Dhillon and Torkzadeh 2006; Knapp et al. 2005b; Loch et al. 1992; Ma and Pearson 2005; Straub and Collins 1990), and there is a need for a study of the computer use and password habits of ordinary workers.
5. Research Questions
The following research questions follow from the research problem statement. They cover the major aspects of information security management, i.e. its main principles, policy structure, integration with management procedures, and its importance to the enterprise planning process.
Question 1:
How do various information security related beliefs, attitudes and perceptions mold end-user behaviors?
Question 2:
How can the employee security behaviors be influenced? How do the various incentive mechanisms, more specifically penalties, social pressures and perceived contributions, influence the employee security policy compliance?
Question 3:
Do the end-user perceived organizational security values play a role in security behavior?
General Review of the Research Field
Generally, organizations have been able to accomplish specific security goals and objectives based on their history of security incidents, together with the skills and experience of internal staff, using internally developed security practices. Most of these security management activities have been focused at the technical and operational levels. Hong et al. (2003) suggest that even at these levels there seems to be an absence of a formal framework and methodology for security management, which they attribute to a lack of security management theory. The lack of security management theory that Hong et al. (2003) allude to could also be the reason for the absence of a consensus on what constitutes an information security framework in the broader sense. Perks & Beveridge (2003) define a framework as
…a reasoned, cohesive, adaptable, vendor-independent, technology independent, domain-neutral, and scalable conceptual foundation for detailed architecture representation (Perks & Beveridge, 2003, p. 437).
It could be argued that ISO/IEC 17799 (2000) or COBIT 4.0 (2005) can be viewed as a framework. However, ISO/IEC 17799 (2000) is a standard that provides general guidance about how to deal with information security issues. It was designed, as a guide, to appeal to a wide variety of organizations in various industries, and it does not seem to have the theoretical foundation for information security management. As von Solms (2005) noted, additional work is required by users to integrate ISO/IEC 17799 (2000) into a specific organizational security framework. COBIT is a tool for information technology governance (COBIT 4.0, 2005), and it is not specific to information security management. This lack of specificity in information security governance makes it difficult to use COBIT as a framework or methodology for information security management. If, on the other hand, information security is managed as part of IT governance, then COBIT would be useful in that respect, but only in managing total IT governance, which includes information security. Rungta et al. (2004) argued in favor of a new approach to information security management, and their study concluded that existing enterprise security management structures are inadequate (Rungta et al., 2004, p. 304). The reason for such a conclusion could be the still-maturing state of information security as a discipline, as information security management continues to evolve.
The nature of information security management in the past made it possible for senior management to adopt a hands-off approach to information security. This meant that IT departments became the de facto authority on all information security management matters. The outcome of this arrangement was that senior management approved or rejected the information security management options presented to it by IT departments, including security architecture designs. However, Nolan (1997) noted that enterprise architectural design should be a top-down approach. This means that senior management's involvement in enterprise security architecture design is critical. The need for greater senior management involvement in enterprise security matters has been driven in recent years by legislation such as the Sarbanes-Oxley Act and HIPAA. These statutes set out specific requirements and obligations for senior management and company officers regarding corporate accountability, internal controls, and governance.
Mitchell, Marcella, and Baxter (1999) pointed out that most of the organizations they surveyed were not proactively handling information security management. They concluded that the clear result was that these organizations were unprepared for any security event (Mitchell et al., 1999, p. 213). However, the results of their survey may no longer apply to the present technology environment, because over time many factors have driven organizations to change their earlier security management practices. These factors include legislation, regulatory requirements, the impact of publicly known security breaches, and market competition.
Prior Research Related To Employee Information Security Behaviors
A review of the information security management literature reveals much research on technological controls for protecting information systems but little research on security policy compliance and informal controls (Mishra and Dhillon 2006). While the importance of security governance that involves employees' attitudes has been emphasized by practitioners and academics alike, only limited attention has been devoted to behavioral information security.
There are some empirical studies that examine organizational security practices and their effectiveness. However, the participants have usually been IT administrators or top-level managers (e.g., Choi 2006; Dhillon and Torkzadeh 2006), and little research represents employees' security behaviors and their compliance with organizational information security policies. The fact that the participants in earlier studies were mostly the personnel responsible for setting up and running technical security initiatives raises the question of whether their opinions and beliefs represent the views and behaviors of all employees of an organization (Finch, 2003). For instance, an IT administrator may report that an adequate security policy is in place, but there is no assurance that other staff members give it similar importance. Post and Kagan (2006), in an empirical study of perceptions of access controls, report that employees see added security compliance as greater interference with their jobs. Such a perception may lead workers to ignore security policies in order to remain efficient in their day-to-day job routines.
Most participants of an ICIS 1993 conference panel stated that information security policies are essential in an organizational setting, yet they were of the view that these policies are not effective (Loch et al. 1998). Frank et al. (1991) conducted an empirical study of the relationship between information security and user knowledge. They found that user knowledge and informal departmental norms were associated with information security behavior, whereas the existence of formal PC security policies was not. Knapp et al. (2005b), roughly fifteen years later, studied the perceptions of security managers and found that employee perceptions of security policies are still unclear and diverse. Other information security surveys (such as the eCrime Survey (2004)) show that even where policies and procedures are in place, many workers as well as external contractors tend to ignore them in most instances. Although the literature on information security management policies and their compliance in organizations is sparse, the following is some of the relevant literature in the field of behavioral security that has provided the researcher with guidelines and motivation for this study.
Security Policy Compliance and Agency Paradigm
The purpose of most organizational policies is to control and guide employees toward the interests of the business. Even when plans and policies are transparent and comprehensive, the outcome may not be as intended, particularly with regard to information security (Mishra and Dhillon 2006). The objective of the behavioral aspects of security systems is usually to ensure that workers comply with the regulations and policies (Solms and Solms 2004). Existing research studies and field surveys, however, suggest that employees rarely obey information security policies and procedures. Policies, particularly those concerning information security, are treated by staff as mere guidelines (Gupta 2007) or general instructions to follow rather than the "hard and fast rules" set out as standards (Pahnila, 2007; Stanton, 2005). Because compliance with these policies is comparatively unrestricted, organizations face the enforcement of these policies as a critical challenge. Consequently, current research in behavioral information security has begun to center its attention on workers' intention to follow security policies (Chan et al. 2005; Pahnila et al. 2007).
Agency theory has been extensively discussed in the management literature. An agency relationship exists whenever one party (the principal) delegates some decision-making authority to another party (the agent). Agency theory, or the principal-agent paradigm (Eisenhardt 1989), is mostly concerned with the effort contributed by individual members and with how to motivate them to provide the desired level of effort. The model assumes that agents incur personal costs as they devote their time, knowledge and effort to the organization, and that given the chance they may withhold the level of effort, ability and knowledge they provide (shirking). When a member's effort cannot be observed or monitored, or monitoring is very costly, and the objectives of the two parties differ, a principal-agent problem arises. The principal's aim is to motivate the agent's effort efficiently through incentives that take into account the member's effort as well as the environmental factors that have a bearing on the output. Since the early evaluation of employer-employee relations (Spence 1973), agency theory has been extended to almost all types of transactional relationships that take place in a socio-economic organization where information asymmetry, suspicions of opportunism, and bounded rationality exist (Pavlou, 2007; Raghu, 2004; Raghu, 2003), among others.
In an information security setting, uncertainty about employee actions arises when employees and management (IT management) hold conflicting interests. In organizational information security, the responsibility for whether to adhere to organizational security rules or ignore them is passed on to employees. Employees may choose to break security rules for malicious reasons, or to bypass security policies simply for convenience. A recent study in the context of access controls (Bennet and Regan 2004) established that employees consider higher levels of information security to restrict their ability to follow flexible work schedules, and perceive it as counterproductive. It may also be difficult to monitor workers' actions related to security policy compliance. Monitoring employees' performance of security behaviors requires surveillance. Surveillance methods have become more common and are used in social spaces as well as workplaces. Even though organizational surveillance techniques can be used to monitor and control employee behaviors, it is very expensive to monitor every end-user action relevant to information security, and it may not even be practically possible. For example, one can use network monitoring to follow online behaviors or install cameras to achieve a certain level of physical security; however, one cannot monitor whether workers write down their passwords or share them with friends.
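As an added example that is not part of the paper: the paragraph above observes that surveillance cannot directly see whether a password is shared. What a security team can do instead is look for an indirect signal in authentication logs. The script below is my own illustration, not the paper's or any vendor's method; the log line format and the sample lines are constructed for the example, and the hand-off tolerance (`max_gap_minutes`) is an assumed tuning parameter. It flags any account that is active on two different hosts at the same time, which is the pattern a shared password typically produces.

```python
"""
Added example: an indirect, log-based signal for credential sharing.

Direct observation of password sharing is impractical, as the paper notes.
This script (not from the paper) scans constructed authentication log lines
for the same account being used from two different hosts with overlapping
sessions. That is evidence that a password may be shared, but only a
heuristic: a VPN hop, a user with a laptop and a desktop, or an attacker
who stole the credential all produce the same pattern.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The format assumed by this
# example is: "<ISO timestamp> <LOGIN|LOGOUT> user=<name> src=<host>"
SAMPLE_LOG = """\
2024-03-04T08:58:10 LOGIN  user=alice src=ws-101
2024-03-04T09:02:44 LOGIN  user=bob   src=ws-117
2024-03-04T09:05:03 LOGIN  user=alice src=ws-233
2024-03-04T09:40:12 LOGOUT user=alice src=ws-101
2024-03-04T10:11:30 LOGOUT user=alice src=ws-233
2024-03-04T12:00:00 LOGOUT user=bob   src=ws-117
2024-03-04T13:15:09 LOGIN  user=bob   src=ws-117
2024-03-04T13:31:00 LOGOUT user=bob   src=ws-117
2024-03-04T14:00:00 LOGIN  user=carol src=ws-310
2024-03-04T14:20:00 LOGOUT user=carol src=ws-310
2024-03-04T14:21:00 LOGIN  user=carol src=ws-312
"""


def parse_log(text):
    """Yield (timestamp, event, user, src) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user_kv, src_kv = line.split()
        yield (datetime.fromisoformat(ts), event,
               user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def build_sessions(events):
    """Pair each LOGIN with the next LOGOUT for the same (user, host).
    A LOGIN with no matching LOGOUT is treated as still open (end=None)."""
    open_sessions = {}
    sessions = defaultdict(list)        # user -> [(start, end, host)]
    for ts, event, user, src in sorted(events):
        key = (user, src)
        if event == "LOGIN":
            open_sessions[key] = ts
        elif event == "LOGOUT" and key in open_sessions:
            sessions[user].append((open_sessions.pop(key), ts, src))
    for (user, src), start in open_sessions.items():
        sessions[user].append((start, None, src))
    return sessions


def concurrent_sessions(sessions, max_gap):
    """Return (user, host1, host2, when) for every pair of sessions of the
    same user on different hosts that overlap, or that are separated by
    less than max_gap (an assumed tolerance for quick hand-offs)."""
    alerts = []
    for user, sess in sessions.items():
        sess = sorted(sess, key=lambda s: s[0])   # order by start time
        for i, (s1, e1, h1) in enumerate(sess):
            for s2, e2, h2 in sess[i + 1:]:
                if h1 == h2:
                    continue                        # same host: not a signal
                # Later session starts before the earlier one ends (+ gap).
                if e1 is None or s2 <= e1 + max_gap:
                    alerts.append((user, h1, h2, s2))
    return alerts


def analyze(text, max_gap_minutes=0):
    """Parse the log text and return the concurrent-session alerts."""
    gap = timedelta(minutes=max_gap_minutes)
    return concurrent_sessions(build_sessions(parse_log(text)), gap)


if __name__ == "__main__":
    for user, h1, h2, when in analyze(SAMPLE_LOG, max_gap_minutes=5):
        print(f"{when}: account {user} active on {h1} and {h2} at once")
```

With a zero tolerance only alice is flagged (two hosts with overlapping sessions); with a five-minute tolerance carol is flagged as well, because her ws-312 login follows her ws-310 logout by one minute. Both are triage signals, not proof: the same pattern comes from legitimate multi-device use and from a stolen credential, so the alert has to feed the human, policy-driven follow-up this paper is concerned with rather than replace it.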