Emerald Group Publishing Limited
Copyright © 2004, Emerald Group Publishing Limited
Realizing benefits of an information security program
Realizing benefits of an information security program
Over the past decade concerns about information security have grown considerably. Although organizations have increased their spending on information security controls, the number and scope of security breaches have not been curtailed. Rather, there has been a sharp increase in the number of reported information security violations. This is resulting in an information security investment paradox, in that while companies are recognizing that ensuring logical security of their databases and information flows is important, and they are even agreeing to invest substantial amounts of money in protection mechanisms, there has been limited success in curtailing security breaches. In net effect this amounts to organizations failing to realize any benefits from their investments in information security protection. Inability to manage information security effectively begs the question whether we are addressing the security problem in the correct manner. Given the evidence, perhaps not. What can therefore be done to realize the benefits of a security program?
There are a number of issues that need to be considered in order to ensure adequate information security. First and foremost is an understanding of what is meant by information security. Traditionally, information security has been defined as maintaining the confidentiality, integrity and availability of data. It is useful here to pause and consider whether information security is indeed just the confidentiality, integrity and availability of data. What of considerations such as adequate responsibility and authority structures, the integrity of individuals dealing with data, the trustworthiness of employees and the general ethical nature of the business? I have argued elsewhere that in addition to being concerned about the confidentiality, integrity and availability of data, it is equally important, if not more so, to focus on responsibility, the integrity of individuals, trust and ethicality (Dhillon and Backhouse, 2000).
The second issue that needs to be considered to ensure information security relates to the current skewed technical orientation of information security controls. More often than not, the emphasis is either on controling access to computer-based information systems, or on secure communications. There is no doubt that access control and communication security are important means to protecting information. However, isn’t this too limited an approach when the majority of security breaches occur because some supposedly trustworthy employee has subverted the existing controls? Such an individual would already have access to the systems, so any amount of sophistication in controlling access and protecting networks is going to fall short of ensuring the overall security of the enterprise. What, then, is the alternative? Clearly it cannot be concluded that technical security measures should be overlooked; rather, organizations need to establish comprehensive information security programs that focus on training employees to be generally aware of wrongdoings. Whistle-blowing, in spite of some negative connotations attached to it, is a useful mechanism to have in place. There also needs to be a formal process and a structure that ensures information security enforcement, otherwise there will be limited follow-through.
The third important issue related to information security management concerns policy development and implementation. Although many organizations will have established security policies, few follow them or are even aware whether one exists. The inability of organizations to develop and implement practical policies stems from the reactive nature in which these are developed. Usually, an item is added to policy once a particular security breach has taken place. Although policies that take form of checklists are useful, they are certainly not foolproof mechanisms to ensure the information security of an organization. This is because they are based on the “what can be done” principle rather than “what should be done”. Many of the generic checklists and standards that have been developed to ensure information security have not been adopted for a similar reason. A good case in point is BS 7799, which is now ISO 17799. When the original standard took its form in the UK, nearly 20,000 copies were sold to businesses across the country. A follow-up survey revealed that only 2 per cent of organizations had implemented the standard. The reason for the lack of organizational enthusiasm to implement the standard stems not so much from the complacency of the enterprises concerned, but from the difficulty of implementing over-generalized hypothetical controls. What could, therefore, be a remedy? There is no doubt some baseline controls will be generic, and will perhaps be applicable in most situations. However, an overall information security policy is unique to individual organizations. In another related paper we have sketched out a method that could be used to establish a security policy (see Dhillon and Torkzadeh, 2001). What is evident is that information security goes well beyond maintaining the confidentiality, integrity and availability of data.
The fourth issue relates to understanding the behavioral and social aspects of an organization if information security is to be maintained, the inherent argument being that security is grounded in the context of the organization. Therefore, understanding the social processes and the ways in which people communicate with each other determines information security. Protection of information resources comes through maintaining the integrity of the social processes. In one of my earlier works I make this argument, and suggest how social processes and culture impact on security (Dhillon, 1997). A method for understanding culture and its relationship to information security is also presented.
Information security is a multi-faceted construct, and its management demands a considered approach that takes into consideration not only technical but also organizational, structural, behavioral and social aspects. Although a completely secure organization can never be designed, focusing on the issues identified above will go a long way to protecting the information resources of a firm.
Gurpreet DhillonVirginia Commonwealth University, Richmond, Virginia, USA
Dhillon, G. (1997), Managing Information System Security, Macmillan, London
Dhillon, G. and Backhouse, J. (2000), “Information system security management in the new millennium”, Communications of the Association for Computing Machinery, Vol. 43 No. 7, pp. 125–8
Dhillon, G. and Torkzadeh, G. (2001), “Value-focused assessment of information system security in organizations”, paper presented at the International Conference on Information Systems, New Orleans, LA, pp. 561-5