(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No.4, 2010
Challenges in Managing Information Security Froman Organization’s Perspective
Patrick Kanyolo NgumbiSchool of Science and EngineeringAtlantic International UniversityHawaii, USApkngumbi@yahoo.com
Abstract:
This study used purposefully selected employees to fillself-administered unstructured questionnaires to provide informationon aspects concerning information security at organizational level.The responses were subjected to non-probability analysis from whichunderstanding of challenges encountered and subsequent impact wereobtained. Six evaluation questions were used to gain insight intoinformation security components. The study documented fourcategories of challenges encountered, possible outcomes of challenges and consequential impact. These results are beneficial tobusiness end-users, information security managers, top and seniormanagement in organizations.
Keywords:
Information security management, organizationallevel, business information systems, challenges, outcome,impact
I.
I
NTRODUCTION
Information is very valuable business asset and it requiresbeing suitably protected [1]. Protecting this informationrequires implementing appropriate information securitymeasures. Measures are necessary tools to avoid occurrence of incidences from attacks.Information security is preservation of [1]: confidentialityto ensure information can be accessed by those authorized;integrity to safeguard information accuracy and completeness;and, availability to ensure authorized users have access toinformation and associated assets.The goal of information security is to provide effectivelevel of protection. To realize this level, an informationsecurity management is necessary. This context of “management” assumes the definition from Glossary of Commercial Real Estate Terms [2], that, “management is a jobof planning, organizing, and controlling business enterprise”.Through planning, organizing and controlling, effectiveinformation security is achievable.Information security management is concerned withmaking information protection more effective. Further,protecting business information effectively demandsunderstanding of challenges pertaining to managinginformation security. Studies reviewed following aspects of information security: (1) Lack of proactive actions oninformation security management [3], which means thatorganizations are ill-prepared for eventualities; (2) New andevolving technologies, research, tools and standards pose newchallenges to organizations [4], which means it is a source of difficulties in securing business transactions, infrastructureand information; and, (3) Four challenges identified asstructural, process, boundary and human, have challengesconcerning human resources least emphasized despite havingconsequences in threats from inside organizations [5].To advance understanding in the area of businessinformation protection, this study examines challenges ininformation security management through organizations’employees. The study uses the research question: “What aretoday’s organizational challenges constraining effectivemanagement of information security”.The understanding of challenges is beneficial toinformation security managers and decision makers inorganizations. The study scope entails reviewing relevantliterature on one hand and carrying out non-probability analysisof responses on the other hand, to obtain answer to the researchquestion. Uses of results of this study include securitymanagers determining threats and vulnerabilities in order tomaintain effective risk management and enabling interlink forstrategic, tactical and operational security levels.
II.
RELEVANT
WORK
2.1
Information Security ManagementInternational Organization for Standardization (ISO)17799 [1] provides three basic information security goals,namely, confidentiality, integrity and availability. To achievethe goals an organization needs to implement management andtechnical security measures. From management securitymeasures, the organization can attain physical and operationalsecurity as well as legal and ethical obligations. On the otherhand, from technical security measures an organization canattain following: access controls, system integrity,cryptography for security, audit and monitoring, and,configuration and security assurance.Today’s information security focus is to secure businessinformation systems [6]. Further, today’s businessenvironment is complex and sometimes it involves real-timetransactions, which can be prone to myriad of security attacks.This scenario necessitates a management approach which isinformation security management. Information securitymanagement is defined in Vermeulen and Von Solms [7] as“… the structured process for implementation and ongoingmanagement of information security in an organization”. It is aprocess that is structured – meaning, it is a prearranged set of procedures for information security to implement. It is also anongoing management – meaning that, it is a continuousactivity of planning, controlling, coordinating or organizinginformation security.
234http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No.4, 2010
Components of information security management are:security objectives, business requirements, risk management,identity and access management, security policies andprocedures, threats and vulnerabilities, security domainmanagement, and incident response [8]. Security objectivesinvolve confidentiality of information, integrity of informationand availability of resources. Business requirements entaillegal and operational requirements. Risk management involvesbalancing need for availability, integrity and confidentialityrequirements vis-à-vis selection of safeguards for threats andvulnerabilities. Identity and access management ensuresapplications distinguish users from non-users and provideservices appropriate to different users. Through securitypolicies and procedures, security management on threats areidentified and suitably implemented. Security domainmanagement entails limiting threats and vulnerabilities of organization information. Incident response is a requirementthat requires procedures to be in place to handle incidents asand when they occur.Information security standards can be used to providestandard mechanisms to protect information. Standards areused to develop and benchmark security managementprograms. Information security standards are managementstandards used to guide top executives and senior managersthrough issues and to develop potentially effective informationsecurity management program. Details of information securitystandards are found in ISO/IEC 27001 [9] and ISO/IEC 27002[10].Today, business information requires more than justtechnology-centered security approach for it to be effectivelymanaged. Kalkowska found individual and organizationalvalues are important when it comes to effective informationsecurity management, and further that, it is difficult toformalize behavior of employees by only rules, procedures oreven regulations [11]. Instead, to influence changes forinformation security one may need to target culture of organization as pointed out by Hofstede [12].Top and senior management information securitymanagement concerns are found in three organizationalsecurity levels, namely, strategic, tactical and operationalsecurity levels [13]. Information requirements for securitymanagement are policy-driven at the strategic security levelwhen management is guideline-driven at the tactical securitylevel and measures-driven at operational security level.Further, strategic level issues affect organization strategywhen tactical issues relate to processes and methodologiesused in managing security; operational level installation andoperation of security tools, and measures are prominentoperations of organization [13]. A further aspect of information security is that it requires integration with otherstrategic parts of business to make senior management agenda[14, 15].2.2 Information Security GovernanceThe need for information retention and privacy coupledwithsignificant threats of information system disruptions fromhackers, worms, viruses and terrorists have resulted in a needfor a governance approach to protecting information andreputation. Drucker [16] stated that, “The diffusion of technology and the comodification of information transformedthe role of information into a resource equal in importance tothe traditionally important resource of land, labor and capital”.Between then and now, this value escalated and dependenceon information increased exponentially [17]. Further, a largeportion of the task in protecting critical information resourcesfalls squarely on shoulders of executives and boards [17].Information security is a technical issue, business andgovernance challenge that involves adequate risk management, reporting and accountability [17]. An effectiveinformation security requires active involvement of executiveso that tasks such as assessment of emerging threats andorganization’s response to them have corporate support. Inorder to have an effective information security governance,boards and senior executives must have following: a clearunderstanding of what to expect from the information securityprogram and the need to know how to direct theimplementation of program; how to evaluate their own statuspertaining to existing program; and, how to decide on thestrategy and objectives of an effective program [17].Information security governance in essence involvesleadership, organizational structures, and processes [17].Information Technology Governance Institute (ITGI) [17]gives a summary for five basic outcomes of informationsecurity governance as:1.
Strategic alignment of information security with businessstrategy to support objectives.2.
Risk management by executing appropriate measures tomanage and mitigate risks and reduce potential impactson information resources to acceptable level.3.
Resource management through utilizing informationsecurity knowledge and efficient and effectiveinfrastructure.4.
Performance measurements through measuring,monitoring and reporting information security governancemetric to ensure that organization’s objectives areachieved.5.
Value delivery by optimizing information securityinvestments in support of organization’s objectives.
III.
RESEARCH
THESIS
AND
APPROACH
In line with recommendations from Dick [18] that researchquestion should be kept general, flexible and open with whatis happening, this study’s research question is: “What aretoday’s organizational challenges constraining effectivemanagement of information security?” To focus and seek insight from components of information security aspects, thestudy used six evaluation questions as follows: (1) Howorganizations are affected by change of focus to securingbusiness information systems; (2) What tools/securitymeasures are in use for information security; (3) Whatprocesses/systems are in use to manage information security;(4) What mechanisms are implemented to protect againstthreats/prevent vulnerabilities; (5) What challenges arehindering effectiveness of information security management;and, (6) What the impact from challenges are.
235http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No.4, 2010
Qualitative research approach was adopted in this study inaccordance with Denzin and Lincoln [19] definition thatqualitative research is the study of things in their naturalsettings aimed at making sense of or interpreting the meaningspeople bring to them. The study used research question to stateand focus on the understanding being sought as recommendedin Creswell [20].Purposeful sampling selection was used to identifyparticipants involved with either information securitymanagement or information security decision making. Thesample represents an indefinite population because it is notpossible to know the many organizations fitting this selection.There is, though, possibility of bias in this selectionconsidering that not every potential selection has equalpossibility of being selected. This study selection is smallsince the participants were fifty, which coupled withpurposefully selected Information and CommunicationTechnology (ICT) professionals, makes the sample tolerablyreliable and adoptable with an added advantage that time andmoney were saved [21].Fifty self-administered unstructured questionnaires weresent out and thirty two respondents returned theirs filled. Thisdata became the primary data for qualitative analysis. Resultsof this analysis coupled with relevant literature review resultsprovided study results. Interpretive research was adopted fordata analysis, where the meaning follows from explanation inWalsham [22] that, it neither predefinesdependent/independent variables nor sets out to test hypothesisbut instead aims to produce understanding of social context of phenomenon and process. Further, according to Orlikowskiand Baroudi [23], understanding social process involvesgetting inside the world of those generating it; hence the studyused responses of employees to obtain insight intoprocesses/systems in organizations.Analysis was carried out as follows: (1) scrutinizedquestionnaires for accuracy and consistency; [2] identified andcategorized main themes, topics or patterns; and, (3) interpretedby use of contents and commonalities coupled with relevantliterature review to give answers to evaluation questions andconsequently the research question of study.
IV.
DISCUSSION
AND
RESULTS
4.1 Discussion of ResponsesDiscussion of evaluation questions follows below.4.1.1
How organizations are affected by change of information security focus to securing businessinformation systemsFigure 1 shows that majority of organizations reacted tochange of focus by introducing new solutions commensuratewith new challenges. These are: “New solutions for newchallenges” which involve introducing new security toolsand/or technologies, upgrading networks and/or systems, and,implementing security measures to guard against internal andexternal threats. Other measures taken but by fewerorganizations are: “Awareness campaigns and/or skillsdevelopment” and “Introducing an information securityfunction”. Responses involving “Improved systemadministration” and “Focusing on effective team work andknowledgeable employees” were reported but appear theywere not common reactions.Figure 1: Organization’s reactions to information securitychange focusFigure 2 shows responses on what was affected ininformation security focus change. Responses indicate thatwhere information security focus changed there waspronounced change in internal/external user protectionfollowed by change in the approach to information protection.Internal/external information user protection affects accesscontrols and IT infrastructure technologies. These findingsagree with what is expected considering that a change inapproach to information protection would involveconsideration/adoption of following measures: (1)Minimizing chances for malicious hackers to succeed, (2)Users getting no more privileges than necessary to do their jobassignments, and, (3) Granting permissions to users basedupon separation of privileges.More organizations appear to have resulted to adoptingnew solutions for new challenges when few organizationsappear to have emphasized awareness and/or skillsdevelopment. Further, fewer organizations reacted byintroducing information security function. These changesappear to have centered on upgrading or acquisition of technologies for assuring security for business informationsystems. It appears therefore that these organizations adoptednew security measures coupled with new technology toprovide sufficient protection in this new environment underquestion.4.1.2
What security tools or measures are in place formanaging information securityTable 1 shows the security tools/measures present in theorganizations. At strategic security level, written securitypolicies were reported as more commonly available than
Business environment/savvy /threats
System administrationimprovedInformationsecurity functionintroduced
Awareness/ capacityincreasedNewsolutions fornewchallenges
236http://sites.google.com/site/ijcsis/ISSN 1947-5500
Search History:
Result 00 of 00
00 results for result for
p.
Challenges in Managing Information Security From an Organization’s Perspective
This study used purposefully selected employees to fill self-administered unstructured questionnaires to provide information on aspects concerning information security at organizational level. The responses were subjected to non-probability analysis from which understanding of challenges encountered and…
(More)
1.4K
Reads
11
Readcasts
0
Embed Views
More From This User
Notes
Load more
