
Comparative analysis of major psychological theories

Last reviewed: April 9, 2011 ~7 min read


Information Security and Risk Management in IT

This essay presents both an assessment of information security and risk management in IT systems and a comparative discussion of important academic theories related to security and risk. The first section, Conceptual framework, lays out the key terminology and concepts and outlines relevant legislation and examples of authorized usage. The second section, Comparative discussion, briefly compares the academic theories.

Conceptual framework

To begin any work of this nature, it is important to clarify key terminology and concepts. First, an information technology (IT) system, also known as an application landscape, is any arrangement that integrates information and communication technology with data, algorithmic processes, and real people (Beynon-Davies, 2009). Every organization contains some type of IT system in which this integration of processes, activities, information, and technology provides a landscape for decision-making, operations, management, leadership, and any (or all) other organizational functions (Beynon-Davies, 2009). IT systems can be

The next important concept to define is information security. Information security is the protection of information from unauthorized access for any of the following purposes: viewing, disclosing, modifying, exploiting, copying, critiquing, or destroying it (or any other unauthorized misuse). The people whose information exists within these systems, and who interact with them, count on the confidentiality of the data and the integrity of the processes. The people who create and manage these systems (for whatever purpose) count on effective and efficient functioning and on protocols for security and risk management.

The same can be said of risk management. Risk management is the process of maintaining information security, and the protocols that support it, for the case in which threats do arise. The risk management process consists of identifying any opportunity for a threat to arise, assessing the nature and possible outcomes of such threats, and prioritizing the points at which threats are most likely to arise. In other words, risk management is about identifying, assessing, and prioritizing risks, and then organizing and implementing protocols for minimizing, monitoring, controlling, and addressing the potential impact of those risks should they materialize (Hubbard, D., 2009).

The tasks of information security and risk management within IT systems are important issues that all organizations have to deal with to some degree. The complexity of these issues varies depending on the purposes of the system, the size of the organization, and, of course, the nature of the organization, the number of systems it runs, and the sensitivity of the data its systems contain. Another important point is to acknowledge the overarching protocols that are established by legislation regarding information security and risk management.

Some examples of information security legislation and government protocols are listed and described as follows:

1. HIPAA (Health Insurance Portability and Accountability Act): Signed into law in 1996 and since updated appropriately. This Act seeks to make information more secure from any access/usage outside of strict health care boundaries.

2. U.S. PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act: Signed into law in 2001, it is intended to minimize the restrictions on any law enforcement agencies and essentially make information less secure when these agencies justify access for evidence or intelligence gathering processes or threat assessments related to domestic or global terrorism.

3. Sarbanes-Oxley (Public Company Accounting Reform and Investor Protection Act, also known as the Corporate and Auditing Accountability and Responsibility Act, or SOX): Signed into law in 2002 to establish and enhance standards for public accounting firms, public company boards, and management firms in response to a series of serious corporate responsibility and accountability scandals that affected national securities markets. This Act seeks to make information more secure and management requirements more stringent (SEC, 2011).

4. GLBA (Gramm-Leach-Bliley Act or Financial Services Modernization Act): Signed into law in 1999, to allow for the consolidation of insurance companies, securities firms, investment banks, and commercial banks and essentially lessen the security and management standards for these systems established by previous legislation (The Federal Trade Commission, 1999).

5. DMCA (Digital Millennium Copyright Act): A U.S. copyright law that seeks to provide more protection of digital rights, manage these rights more strictly, and punish infringements more severely.

6. CCTV (closed-circuit television) surveillance: The use of video cameras to record and transmit visual information from a specific place to a specific place with a limited set of viewing monitors. It is not an open transfer, and various government agencies are allowed to use CCTV for surveillance without consent. CCTV as a surveillance method makes our private "information" less secure.

7. Data encryption: The Federal Information Processing Standard was created in 1976, based on a symmetric-key algorithm, to protect highly sensitive information more effectively, making that information more secure and allowing its risks to be managed more effectively (Coppersmith, 1994).

These examples are important for establishing some perspective on the ways in which information and risk management may be viewed by different parties and the justification of some agencies for actually making information less secure and management strategies more broad to serve their purposes.

Comparative discussion

Compare and contrast

Jones (2007) states, "organizations need to deal with (treat) the management of information security risks in a manner that gives confidence to all parties that are involved" (p. 36). Jones (2007) believes that thorough processes of identification, assessment, investigation, analysis, modeling, testing, treating, monitoring, and reporting should be solidified in the fabric of any organization when it comes to information security and risk management. Jones (2007)

The model under the Dempster-Shafer theory of belief functions is founded on an evidential reasoning approach (Sun, 2006). This approach focuses first on a plausibility analysis and then incorporates the important components of cost-benefit analysis and sensitivity analysis (Sun, 2006). Sun (2006) is more interested in establishing the foundations for further research and development that particularly focuses on an evidential reasoning approach to the analysis and management of ISS risk. Sun (2006) also insists that more research will always be welcome and necessary.
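As an added illustration, and not Sun's (2006) model or any code from this essay, the Python below implements the core Dempster-Shafer operations the paragraph names: mass functions over a frame of discernment, Dempster's rule of combination for two independent bodies of evidence, and the belief/plausibility interval that a plausibility analysis reads off. The frame (a security control being effective or not), the two evidence sources and all mass values are constructed for the example.

```python
from itertools import product

# Frame of discernment for one security control (constructed example):
# "E" = control is effective, "N" = control is not effective.
FRAME = frozenset({"E", "N"})
E, N = frozenset({"E"}), frozenset({"N"})

def check_mass(mass):
    """A mass function puts non-negative mass on non-empty subsets of FRAME, summing to 1."""
    if any(v < 0 or not s or not s <= FRAME for s, v in mass.items()):
        raise ValueError("masses must be non-negative on non-empty subsets of the frame")
    if abs(sum(mass.values()) - 1.0) > 1e-9:
        raise ValueError("masses must sum to 1")

def combine(m1, m2):
    """Dempster's rule: pool two independent bodies of evidence.

    Returns (combined_mass, K). K is the mass the sources put on disjoint
    sets; it is renormalized away, but a high K signals disagreeing evidence.
    """
    check_mass(m1); check_mass(m2)
    combined, k = {}, 0.0
    for (a, pa), (b, pb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            combined[inter] = combined.get(inter, 0.0) + pa * pb
        else:
            k += pa * pb
    if k >= 1.0:
        raise ValueError("total conflict: the sources cannot be combined")
    return {s: v / (1.0 - k) for s, v in combined.items()}, k

def belief(mass, hyp):
    """Bel(A): mass on subsets of A, i.e. evidence that implies A."""
    return sum(v for s, v in mass.items() if s <= hyp)

def plausibility(mass, hyp):
    """Pl(A): mass on sets intersecting A, i.e. evidence that does not rule A out."""
    return sum(v for s, v in mass.items() if s & hyp)

# Constructed evidence: an audit finding and a log review; each leaves mass on
# the whole frame to express ignorance instead of forcing a single probability.
audit_mass = {E: 0.6, N: 0.1, FRAME: 0.3}
log_review_mass = {E: 0.5, N: 0.2, FRAME: 0.3}

def assess_control():
    """Return (Bel, Pl) for 'control effective' plus the conflict K."""
    combined, k = combine(audit_mass, log_review_mass)
    return belief(combined, E), plausibility(combined, E), k
```

The gap between Bel and Pl is the residual ignorance the two sources leave about the control, which is what separates this approach from a single point-probability estimate.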

PaperDue. (2011). Comparative analysis of major psychological theories. PaperDue. https://www.paperdue.com/essay/security-information-security-and-risk-management-13218
