Introduction
E-security issues and
policy development in
an information-sharing
and networked
environment
Alan D. Smith
The author
Alan D. Smith is in the Department of Management and
Marketing, Robert Morris University, Pittsburgh, Pennsylvania,
USA. E-mail: smitha@rmu.edu
Keywords
Electronic commerce, Data security, Criminals
Abstract
With the rapid growth of e-commerce, governmental and
corporate agencies are taking extra precautions when it comes
to protecting information. The development of e-security as a
discipline has enabled organisations to discover a wider array of
similarities between attacks occurring across their security
environment and develop appropriate countermeasures. To
further improve the security of information, there is a need for
conceptualising the interrelationships between e-security and
the major elements involved in changing a company’s
infrastructure. Organisations should act in an ethical manner,
especially when it comes to e-security and e-privacy policies,
procedures, and practices. The consequential theory of
utilitarianism is used and applied to a conceptual model to help
explain how organisations may develop better secured
information in an information-sharing and globally networked
environment.
Electronic access
The Emerald Research Register for this journal is
available at
www.emeraldinsight.com/researchregister
The current issue and full text archive of this journal is
available at
www.emeraldinsight.com/0001-253X.htm
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · pp. 272-285
q Emerald Group Publishing Limited · ISSN 0001-253X
DOI 10.1108/00012530410560878
272
Public and private involvement in e-security
issues
Protecting the privacy of confidential information is
quickly becoming a measure of success in the business
world, because companies improve their reputation
when they take care to safeguard the personal data
people entrust to them (Parker, 2003, p. 47).
Computers and IT-networks have been part of
business organisations’ electronic infrastructure
for many years. These information systems are, for
the most part, self-contained and are used to
record financial and customer data, share
information with trading partners, and to enable
employees to carry out daily operational tasks.
However, since the mid-1990s, there has been an
explosion in e-commerce exchanges and sharing of
information over the Internet. Companies are now
connecting their self-contained IT infrastructures
to the Internet. Lower cost, opportunity and wider
reach are driving these changes:
In the brick and mortar days, time was money.
Now, information is money (Tuthill, 2001, p. 52).
Unfortunately, this phenomenal information
explosion has opened up opportunities for crackers,
hackers, disgruntled employees, corporate
adversaries, and terrorists to launch attacks against
corporations and governmental concerns. These
recent developments raise the question of how
governments and companies may better secure
sensitive information, especially client-related
information, in a globally networked environment?
A model is presented to illustrate the factors that
influence the security of information. Since, in
theory, people should act in a manner that causes the
greatest amount of good for the greatest number of
people, the utilitarianism theory is used and applied
to the model to explain how companies may better
secure both company and customer information in a
networked world of electronic information. Table I is
a listing of basic terms that are used throughout this
paper in exploring the theoretical aspects of
improved security and privacy issues.
E-security issues in an information-rich
environment
Model development associated with
improved security
The model in Figure 1 is an illustration of some of
the different elements that affect a company’s
Received 6 April 2004
Revised 8 April 2004
Accepted 10 April 2004
 E-security issues and policy development Aslib Proceedings: New Information Perspectives
Alan D. Smith Volume 56 · Number 5 · 2004 · 272-285

Table I Listing of basic terminology

AICPA American Institute of Certified Public Accountants is the national, professional organisation for all
certified public accountants
CPA Certified public accountants
DOS/DDOS – Denial of A form of network attack in which a site or network is flooded with so many fictitious requests or
service/distributed denial of packets simultaneously that it cannot respond to legitimate requests. DDOS hits multiple sites or
service networks at the same time
Firewall A device that uses hardware and software to protect a LAN from penetration attempts from the
Internet
IEEE Institute of Electrical and Electronic Engineers – provides the standard for electrical and electronic
devices
IP address Four 8-bit numbers used to uniquely identify every machine on the Internet or network
Local area network A network that is designed to span a small geographic area such as a single building
Network interface card (NIC) A hardware device that plugs into a computer and connects it to a network
Sniffers Another term for a network analyser a device that listens to a network in promiscuous mode and
reports on traffic
TCP/IP The protocol suit is the use for Internet communications
WEP Wired equivalent privacy – a security protocol for wireless local area networks

Figure 1 E-security model

information security infrastructure. Each element
on the model is dependent on another for the final
outcome of a more secure information system. The
theoretical framework that drives the model is the
consequential theory of utilitarianism (Ashein and
Buchholz, 2003; Wong and Beckman, 1992). This
theory represents the behaviour factors that link
the various elements together. The drawbacks of
this theory are that it is difficult to predict
consequences, it disregards motivation and
goodwill, and that the majority is always right. A
single criterion for corporate morality (as reflected
in the consequential theory of utilitarianism) is far
too simplistic, due to the complexity of emerging
business issues. However, the theory does set the
stage for model development and issues-driven
273
discussions. In general, this theory stresses the
importance of examining the implications of
corporate action. Ultimately, one cannot be sure
whether an action is right until one observes how it
has affected others in society. It is difficult to
estimate consequences and strategically weigh
them.
Information security threats
Information security threats are among the first
elements in the e-security model presented in
Figure 1. In recent years, the Internet has become
a potential market for businesses to sell products,
transmit or collect information, and offer services.
With the world becoming increasingly
interconnected, there are many different ways
 E-security issues and policy development
Alan D. Smith
people may misuse the Internet to cause damage to
a corporation’s image, obtain valuable
information, and promote sabotage of Web sites
through denial of social and information services.
The rate at which these attacks are occurring is
increasing substantially. For instance, according to
a report by the Defense Information System
(a division of the US Department of Defense), its
network experienced at least 250,000 attacks a
year (Cheng et al., 1999).
Different types of cybercriminals
One of a government and/or corporation’s biggest
fears is to be visited by hackers, crackers (criminal
hackers), and other forms of cybercriminals. As
suggested by Hopwood et al. (2000):
While it is important that managers broaden their
perspective of potential electronic commerce
criminals, the hacker is still a threat they must
evaluate (p. 48).
Cybercriminals often may intercept messages, sniff
programs, steal passwords and break codes.
Information security threats may come from both
inside and outside of a company. Outside threats
include script kiddies, competitors, extortionists,
and thieves. Script kiddies are usually teenagers to
young adults that break and enter into cyberspace
to gain respect and admiration from their fellow
peers. They usually do not understand the extent
of the damage they cause, nor are they interested in
the value of the information itself. It is estimated
that these intruders make up the largest group of
cybercriminals (Campbell and McCarthy, 2001).
On the other hand, thieves and extortionists
understand what a company’s information is
worth. Extortionists want to get a government/
company’s information so they may sell it back to
the victim as a blackmail scheme. Thieves just take
a company’s information and try to sell it to the
highest bidder. Thieves are a great way for a
company to obtain a competitor’s trade secrets.
Most criminals may be divided into two types,
simply as hackers or crackers. A hacker is someone
who masters the inner workings of an operating
system and various types of utilities to better
understand them and to have fun testing the
system’s limits. Some in the corporate world would
rather have a hacker find the vulnerabilities of a
system before customers do. Typically hackers do
not cause significant damage and many become
essentially unpaid consultants. Thus, not all
cybercriminals break into IT systems with
malicious intent. Many hackers get into systems
just to see if it is possible and often do not leave
traces of their mischief. In some cases, a hacker
may anonymously contact the company they have
just hacked and simply tell them about their
vulnerabilities – this would be the best-case
274
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · 272-285
scenario. Crackers, on the other hand, are
criminals who use their knowledge of operating
systems and utilities to intentionally damage or
destroy data and systems and should be prosecuted
to the fullest extent of the law.
Security threats from inside the company
Many inside threats come from disgruntled
current employees, former employees with a
grudge, model employees who may need quick
cash, or employees that have left the company and
have gone to work for a competitor. In a company
not all employees have the same access to
information. This may help reduce the amount of
damage that an employee may do, but all it would
take is for one of them to gain administrative rights
via “cracking the SAM (security access manager)”
and the entire system is in jeopardy.
Internet security breaches
Most Internet security breaches may be classified
as: password-based attacks, IP spoofing, attacks
that exploit trusted access, network snooping, and
attacks that exploit technology vulnerabilities
(Cheng et al., 1999; Smith, 2002, 2003; Smith and
Offodile, 2002; Smith and Rupp, 2002a, b, c).
With these security breaches, the cracker may steal
confidential information, alter the integrity of
information and/or reduce/stop the availability of
the network to its users. Each of the previous
security breaches may be classified into three
broader categories. These categories include
annoyance and loss, breaking and entering, and
penetration and theft (Campbell and McCarthy,
2001; Smith and Rupp, 2002a, b, c).
The first category of general annoyance and/or
loss consists of denial of service (DOS) and
distributed denial of service (DDOS) attacks.
DOS attacks happen when a cybercriminal
bombards an individual Web site or network
segment with billions of simultaneous hits using
host or affected computers. DDOS-type attacks
are basically the same as a DOS attack, but it
affects multiple Web sites and network segments at
a time. These two attacks bring Web sites and
networks to a virtual stand still, causing some to
completely crash due to servers becoming
completely inundated with network traffic. This
prevents regular users from logging on to the
network or using the Web site for legitimate
reasons. Virtually all Web sites and networks are
susceptible to these kinds of security risks and all
governments and firms must be on constant alert
for their potential presence. Cybercriminals
launching these types of attacks are usually not
into privacy contravention, data corruption, or
data theft. They merely want to cause widespread
disruptions of services. Governments and
 E-security issues and policy development
Alan D. Smith
companies may suffer a gamut of tribulations from
DOSs- and DDOSs-related attacks. A company’s
customers may become frustrated because DOSs
prevents regular e-commerce activities from being
performed to their completion. One of the most
relevant disruptions is loss of reputation for
dependable and reliable service. This may cause
investors, partners, and customers to lose trust in
governmental and corporate agencies. This type of
damage could take a company many years to
recuperate from, if ever. Common examples exist
in online gambling and e-casino sites when DOS
attack extortions are threatening to prevent
customers from placing bets in a timely fashion.
Such attacks could come in the form of the latest
form of MS Blaster or Code-Red, which could
result in loss of service and serious damage to the
functionality of IT-based systems. Management
should be up-to-date with the constant evolution
of commercially available intrusion prevention
systems that can reduce or stop Internet attacks
that threaten a firm’s information assets and
productivity.
A significant category of serious security
breaches includes cyber-breaking and entering.
This occurs when an intruder has gained access to
a company’s network and completes some kind of
network snooping and/or tries to exploit
technology vulnerabilities. The hacker/cracker
usually gains access through security holes in the
network infrastructure. A particular avenue of
concern may be the backdoor accesses that Y2K
programmers left in many enterprise systems for
future quick access. These criminals use
sophisticated tools such as sniffers that were
initially intended as network analysers. Most
sniffers are portable, consisting of a laptop and a
network interface card (NIC) that is set into
promiscuous mode. This changes the NICs
hardware configuration to allow it to pick up all
network traffic and it does not do an
authentication check-sum test on the destination
address, which tells a NIC card if the message is
meant for it to receive. The information that is
recorded may be analysed by crackers and then
decoded. This is an excellent way for crackers to
gain password information. Most NICs and the
software that controls them do not allow regular
users to control their promiscuity, but it only takes
a few lines of code to change them. This means
that a cracker could make a simple sniffer out of
any PC with a NIC card. Messages sent over a
LAN are not guaranteed to be private. Another
way an attacker may gain access is by IP spoofing.
IP spoofing is when a cybercriminal obtains
internal IP addresses, then uses those addresses to
pretend that they have the authority to access the
network from the Internet. Cybercriminals’
missions are usually to compromise privacy, create
275
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · 272-285
data loss or manipulation, and steal valuable data
(Smith and Rupp, 2002a, b, c).
Attracting the attention of security experts deals
with the category of penetration and actual theft.
In this category the attacks exploit trusted access.
Attacks may be password based or physical theft of
equipment that may contain information. This
occurs when a cybercriminal gains access by social
engineering or stealing a company laptop, as in
recent high profile cases of such stealing of FBI
assigned laptops. Such intruders may call a
company’s help desk and pretend to be an
employee that is not able to log onto the network or
may ask questions that allow them to gain
passwords and other valuable information. In
addition, other tactics include setting up
opportunistic scenarios that trick the average
employee into giving out their passwords. If a
laptop is stolen, it may contain not only passwords
and information about the company’s network, but
it may also contain confidential documents.
Viruses, worms, and Trojan horses
Other e-security threats to a company come in the
form of viruses, worms, and Trojan horses. A virus
may be defined as a program that replicates itself to
infect many computers. Viruses may be passed
from computer to computer via a network
connection, e-mail, and removable media such as
floppy disks. There are several different kinds of
viruses that may cause a loss of information in a
company’s network. For example, a network virus
utilises network protocols, commands, messaging
programs, and data links to spread itself across a
network. These viruses may destroy or damage
files, or may just cause an annoying pop up
message to appear. Another type of virus is a file-
infected virus. These types of viruses attach
themselves to executable files. These viruses may
infect many programs and files. To get rid of file-
infected viruses a computer will not only need to
be disinfected by an antiviral program, but also
may need its major software, such as operation
systems and applications, reinstalled.
Worms are not considered true viruses. They
are programs that travel between computers and
across networks, such as the dangerous W32/
Sobig.F virus. Worms are usually spread through
some form of file transfer or more commonly by
e-mail. A worm may contain and launch viruses if
they are executed. Worms may cause massive file
damage. On the other hand, Trojan horse viruses
are not viruses at all. They are programs that
appear to do one thing that is useful, but instead
they harm the computer or system they have
infected. A Trojan horse may be easily recognised
since it is usually an executable file for a program.
They may cause wide spread damage to files and
 E-security issues and policy development
Alan D. Smith
systems. They have also been used to launch
programs that scan a computer’s hard drive and
look for personal information such as network IDs,
passwords, and telephone numbers. They
eventually send this information via e-mail to the
attacker. In general, with all these threats to
security, a governmental or corporate agency
needs to have a clear set of rules and policies on
how to deal with these problems. This comes in the
form of a security policy, which is the next element
in the e-security model in Figure 1.
Exploring security policies
Goals for a successful security policy
The first step in securing an entity’s electronic data
and system is to design and implement a security
policy. Security policies are important because
they define what is being protected and what type
of restrictions should be put on those controls. A
security policy should define (Barman, 2002):
.
company goals for security;
.
security risks to a company and its systems;
.
the levels of authority (designate a security
coordinator and security team members);
.
responsibilities of all employees in regards to
security; and
.
procedures for handling security breaches.
A company’s security policy should be at the centre
of all security issues, both inside and outside the
company. Of course, taking a proactive approach
for a security policy is to develop it before the first
security issue arises. It is much easier to develop a
security policy for a developing IT-infrastructure
rather than trying to fit it to something that already
exists in the business environment with add-ons
and/or security patches.
In addition, security policies are important to
assure proper implementation of control. A
security policy should have several universal goals,
no matter what the size of the company. The first
goal is ensuring authorised users have the correct
access to resources (Barman, 2002; Swanson,
1994). On the other hand it should also have
measures for preventing unauthorised users from
getting to the network, systems, programs, and
data warehouse/databases. An e-security policy
should help prevent both accidental damage and
intentional damage to the associated hardware and
software systems. It should also help in creating an
environment where the network and system can
withstand, quickly respond to and recover from
any type of threat. An e-security policy should
provide a conceptual framework on the type of
product selection that will go into a company’s
information security systems and guidelines on the
276
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · 272-285
development process for expanding and
maintaining a security system. Security policies
also help to avoid liability and legal problems.
E-security policies define who has ownership of the
responsibilities for security and by what means to
set up action on what to do with violators of these
security policies. A good security policy will ensure
the entire company is consistent in its security
practices and will avoid having fragmented efforts.
Since a single document for all security policies
may be unmanageable, security policies should be
made up of multiple documents. In many cases,
employees would just disregard the policy without
reading it because it is too hard to follow. Multiple
documents would make it much easier to train
employees and would make distributing the policy
much easier. An e-security policy with multiple
documents is also much easier to modify. It may be
modified one policy at a time and only an addendum
needs to be distributed. The policies should be short
and to the point, but at the same time these policies
should cover the scope and objectives a company
has determined would fit its needs.
Security policies should be defined by a firm’s
customers
An e-security policy content should be determined
by the company’s needs. As previously stated, a
security policy should be made up of several
documents. Each department, and its customers
with associated documents, should have its own
policies: such as policies on passwords, software
installation, confidential and sensitive data,
network access, Internet use, remote access,
customers’ and vendors’ networks, laptops, and
computer room and closet access (Barman, 2002;
Smith and Rupp, 2002a, b, c). Passwords are
usually the first item that crackers will try to obtain
or break. A security policy on passwords should
clearly define the length and what type of criteria
an employee’s password should follow. A password
should not be simply any word or combination of
words out of the dictionary. Passwords should
never be something that is obvious about the user
or information that is easily obtainable, such as
birth date or name of a family pet that a cracker
through simple social engineering techniques may
find. Good passwords are the first line of defence.
The security policy on software installation
should clearly define the employee’s software
installation rights. It should define the correct
procedures for obtaining permission to have
programs installed and the security criteria each
piece of software must meet. Too many times IT
managers use the default settings that are current
at the time of installation, which usually grants
access rights equally to all users. Policies on
Internet use, network access, and remote access
 E-security issues and policy development
Alan D. Smith
should clearly define how each is supposed to be
used. For instance, the policy may limit what is
considered business use and personal use for the
Internet (Smith and Faley, 2001). It may also
define what groups have rights to use certain
services on the network. In addition, due to their
portability and lack of direct organisational
control, there should be strict policies on the use of
laptops. There should be clear guidelines as to
what is acceptable company information that may
be stored on a laptop. The security policy must
state what procedures need to be carried out in
case a laptop is stolen. A well thought out security
policy will also cover physical security in company
buildings as well. There should be documents on
the types of security levels and policies on
employee ID use.
A security policy may be developed in a number
of stages. One obvious first step involves scope and
objectives for the policy document, which must be
established early in its development. Next,
defining what policies need to be written, followed
by a risk assessment and analysis, typically
performed by an outside auditor. Provisions
should be made for effective review, approval, and
enforcement procedures (Barman, 2002; Smith
and Rupp, 2002b). A security policy should not
define any specific detail about the actual network
security that has been implemented in a company
– that is it should not disclose any detail about the
type of hardware that is being used or how it is
configured; this also holds true for the security
software. The security policy may have guidelines
for what types of network protocols may meet their
needs, but it should not specifically state which
ones are being used. The company’s network
architecture should not be defined in order to
minimise the information available to potential
crackers. Organisations should not advertise that
they are easy and available targets.
Security policies should ensure that state and
federal regulations are being followed with
reference to handling private and personal
information. The team members should come
from all parts of an organisation. The results of the
plan should be reported to an executive in charge
of privacy. The team generally has four phases of
responsibility. The first phase is to perform initial
assessments of privacy policies and procedures. In
this phase the team must document the types and
location of all customer/client data, review
compliance deadlines, investigate the current
security policies, and conduct a gap analysis. The
team also uses data mapping to track the flow of
personal information within a company. The
information is usually classified and the parties
who are responsible for its security are specifically
identified. A designated team member should also
277
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · 272-285
identify the risks that are involved for not following
policies or failure to protect personal information.
The second phase typically requires the
designing of a strategic plan for achieving
compliance. In this phase the team evaluates the
organisation’s legal and technology resources
(Parker, 2003). To do this the team may bring in a
consulting firm to make sure that the company’s
computer network complies with regulatory
requirements in security. The team also creates a
security policy, appoints a privacy officer, creates a
consent mechanism, and makes sure that privacy
policies on the forms for the customer are clear and
concise. The team will also evaluate who needs the
private information, for how long, and what kind
of authentication is needed.
The next phase deals with implementing
planned changes (such as changes in systems,
procedures, forms, brochures or other elements
related to privacy), and monitoring systems and
procedures (Parker, 2003). The team must set up
procedures to verify company adherence to the
policies, track new regulations, document
complaints and identify and solve chronic
complaints. These approaches will help ensure
that a governmental or corporate security policy
follows legal requirements. Hence, a security
policy is only effective if it has the support of both
management and customers. Management
support, as demonstrated in Figure 1, is a major
force in understanding e-security and privacy
issues.
Managerial support issues
Management support for a security policy is
crucial. Management must participate in and fully
support the security policies that have been put in
place. The problem in most companies today is
that security is looked upon as an overhead
expense that may be cut or downsised, especially in
times of economic hardships. For example, an
Internet Security Alliance commissioned survey
found that 39 per cent of senior executives at the
companies surveyed were not involved in
cybersecurity decisions (Roberts, 2002).
Management’s goal should be to make employees
and customers an integral part of the solution.
Governmental and corporate agencies must
understand that people may be the greatest asset to
security, but are a potential weak link as well. In
many companies, managers make everyone
responsible for their own security. If different
departments use different standards then this
could lead to interoperability problems between
departments. A company’s security must start at
the top of the company, this means from the CEO
on down to the lowest level employee.
 E-security issues and policy development
Alan D. Smith
Management should be responsible for making
people part of the solution, which means that
management must be made an integral part of
security. Management should understand that
security requires them to show the same leadership
initiatives as they do with other parts of the
business that have a direct bearing on profitability.
Unfortunately, many managers cringe at the
thought of having to deal with the technology,
especially when dealing with e-security issues, but
they must realise that they do not need to have a
detailed working knowledge of how the technology
works to effectively management it. Management
needs to ensure that the business processes are
protected, not hindered by e-security measures, in
order to pursue sound business procedures,
practices, and policies. They should also should
ensure any e-marketing policies the company may
have are protected (McGivern et al., 2002; Smith,
2002). Managers must be able to closely work with
IT personnel in conveying such needs to
implement an Information Security Management
System (ISMS).
ISMS may be used to bridge the gap between
management and IT-security personnel. This team
should be made up of management representatives
from both the business and technical sides of the
organisation. They should be able to effectively
deal with and certify that the planned security
policies will support any changes to the strategic
business plan. The team may also assign
ownership to data and its control. Each owner is
responsible for defining access to data and how the
controls are set. Owners are also responsible for
determining how sensitive the data is. The security
management team is then responsible for making
sure that the owner follows the guidelines outlined
in the security policy. Management must be
leaders in making security part of a company’s
culture. This ensures that the entire company is on
the same wavelength when it comes to enforcing
information security. Managers should understand
that the systems and data security have real costs.
If management does not understand these costs
then they are not going to be able to effectively
implement governmental and corporate security
policies and will not approve the necessary budget
requirements for e-security resources. This makes
the budget for security in Figure 1 extremely
dependent on management’s support of e-security
policies, procedures, and practices.
Effective budgeting for e-security
Many companies do not initially allocate enough
capital for information security, primarily due to
underestimating its final costs and maintenance.
Most companies are more interested in spending
more for technology and software that will directly
278
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · 272-285
boost productivity rather than e-security.
Unfortunately, many governmental and corporate
agencies feel that “IT investments are unrelated to
business strategy” (Bensaou and Earl, 1998,
p. 119). These same entities often complain,
“there’s too much technology for technology’s
sake” (p. 119). However, budgeting for e-security
is very important to an entity’s long-term survival
and competitiveness. Managers must understand
that the total cost of ownership for e-security
solutions is an equally long-term expense.
Governmental and corporate agencies spend most
of their IT security budgets on firewalls and virtual
private networks that provide secure connections
between remote users and central corporate
networks (Roberts, 2002). These are merely quick
fixes to a few immediate problems, but it does not
provide a long-term strategy and solution that
provides a layered security barrier against
cybercriminals.
There are many factors that go into
understanding and calculating the total cost of
ownership in e-security systems. Effort should be
taken to identify all-important assets, both tangible
and intangible. Important IT assets may include
firewalls, e-mail, Web and data servers, routers,
and other types of hardware that go into creating
an IT infrastructure. A company’s budget should
also include funds for equipment warranties,
annual subscription for perimeter scans, salaries
for IT personnel, training, and analysis and audit
tools (Campbell and McCarthy, 2001). Actual
costs for maintaining offsite data storage should
also be calculated. The company should also
allocate resources to ensure proper backup for the
IT infrastructure in more of a redundant capacity
(like maintaining an additional hot site) in case
part of the security hardware fails and it does not
leave the system wide open for attack. It is also a
good idea for companies to invest in insurance
coverage due to losses attributed to malicious
attacks.
Another important factor in creating a security
budget is to identify the costs of rectifying
vulnerabilities and comparing them to the costs to
repair the network or Web site from a successful
attack that has destroyed data, stolen data or
rendered the network inoperative. This not only
includes the damage done to the infrastructure,
but also the possibility of a negligence lawsuit due
to loss of customers or partners’ data and/or
service. A negligence lawsuit could cost
governmental and corporate agencies considerable
sums in legal fees and retribution. It may also cost
organisations similar amounts in lost revenues/
profits due to the tarnishing of their reputation. In
fact, all forms of cybercrimes have major security
and financial consequences (Murphy, 2001; Smith
 E-security issues and policy development
Alan D. Smith
and Rupp, 2002b). Budget needs should include
funds for upgrading system hardware and software
systems as well. Also, even though much IT work is
being outsourced globally, enough funds must be
made available to attract talented IT professionals
that understand the technology and are able to
configure and upgrade it effectively and efficiently.
In order to help in budgeting and reducing
costs, management may choose to allocate
expenditures across the entire enterprise. This may
help in network planning by allowing
governmental and corporate agencies the ability to
monitor the usage rates of the network by various
users, workgroups, or departments. The costs for
maintaining, upgrading, and security are then
distributed within departments across the entire
enterprise. In a well-defined budget, which is
supported by the e-security policies and
management, IT personnel may purchase
technology and software that have sufficient
security features built into them.
Hardware and software issues in e-security
Hardware and software in a company’s
information infrastructure go hand in hand (as
illustrated in Figure 1). They are on the front line
for information security and it takes a combination
of both to make a network fast, reliable, and
secure. Together, they should also create an
infrastructure that is capable of protecting assets as
described within the security policy and
procedures. The drive to make Internet technology
more compatible, economically attractive, and
more scalable, has made most of the new
technology and software conform to more open
standards, such as IEEE and network protocols
such as TCP/IP. This increased standardisation is
making it easier for cybercriminals to use the
various standards and exploit them to hack into
systems. To help defuse these types of problems,
governmental and corporate agencies’ IT
personnel should be familiar with various types of
e-security defence strategies and associated tools.
The IT personnel are also responsible for taking
the security policy concepts that are mandated by
management and translating them into network
schematics and detailed configurations for the
entire network.
In order to identify vulnerabilities in the
hardware and software, companies must do
periodic vulnerability scanning. Vulnerability
scanning will help reveal weaknesses in firewalls,
routers, e-mail, Web, data, and e-commerce
servers. An example of hardware vulnerability is
the exposure of routers and switches, which have
the same internal software and hardware
configurations, to attack. These devices are
generally used to control the traffic on a network.
279
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · 272-285
They may be used as firewalls by being able to filter
out various types of traffic over the Internet. This
adds an extra layer of hardware protection to a
network. However, routers’ and switches’ user
name and password security features that allow
remote access for configuration may be
compromised if IT personnel forget to change the
default user name and password. A cracker only
has to know the default password for a particular
brand of device to go in and reconfigure the device
to allow them access.
Security issues with hardware and network
design
There are many other threats that may affect the
various types of hardware on a company’s network.
It is a combination of hardware and network
design that may either make a network more or less
secure. Every piece of hardware in a network has
potential avenues of attack. A network that uses
leased public lines, such as a T1 cables or ISDN to
connect to the Internet, are vulnerable to
eavesdropping. Unused hub, router, or server
ports should be disabled. It they are not disabled,
an attacker could exploit them to gain access to the
network. If a router is used to hide an internal
network from an external network, such as the
Internet, and is not properly configured, it could
leave governmental and corporate agencies’ entire
network exposed once an attacker gained an
internal private IP address. With these internal IP
addresses, attackers could log on as a legitimate
user using IP spoofing. If a network server that is
used for storing and accessing sensitive data is
configured improperly, by having it exist on a
network segment that is open to the general public,
it could lead to lost or stolen data.
Hence, a network’s infrastructure must be
designed to be fault tolerant. It should have
redundant hardware and software that is able to
keep the network and electronic information
stored on it safe. This is important since data that
are not backed up properly could result in a
complete loss if a disaster was to occur or an
attacker was able to shut down the network. It is
also important to have fault tolerance built in to
gateways to the Internet and hardware firewalls. If
these fail, it could leave the network open to attack.
Security issues with software
Software will continue to play a dominant role in
e-security. Software controls hardware’s functions
along with providing the services for an
organisations’ networks. An enterprise should use
a configuration management program to maintain
system configurations. This may include operating
systems, off-the-shelf software, and security
controls. Companies often create insecure network
 E-security issues and policy development
Alan D. Smith
environments because of insecure software. All
types of software may cause a potential security
threat. The most vulnerable software is the
network operating systems that are being used to
run the various servers in a company’s network
(Campbell and McCarthy, 2001; Smith and Rupp,
2002b). Organisations may have several network
operating systems, such as Windows 2000 Server,
Unix, Novell Netware, and Linux running on their
networks simultaneously. Very rarely do business
entities use only one network operating system for
their entire network. Network operating systems
include software that enables network servers to
share resources with clients. They also handle
things such as, communications, security, and user
management within a network infrastructure.
Network operating systems may also be
responsible for data storage, file and print sharing,
and data backup and recovery. Each type of
operating system has its own set of defaults when
installed. In general, these default settings are
available to the public. In many cases it is these
default settings that a cracker will exploit to gain
access to a network. It is up to network
administrators to pick operating systems that
provide security features and services as suggested
in the security policy; and they must have a clear
understanding of how the operating systems work
in order to configure them properly. Another
possible security flaw is combining more than one
network operating system on a network. Network
administrators must ensure that the services
running on the networks that provide
interoperability among the various network
operating systems are secure.
Essentially all software, whether it is the
network operating systems application software or
embedded in network protocols, should be
installed in accordance with governmental and
corporate agencies’ security policies. IT personnel
should be aware of published security flaws, such
as back doors, in the programs and keep the
programs up to date with patches or software fixes
supplied by the software vender. As stated earlier,
an outside auditor should audit a company’s
network regularly to ensure that there are no flaws
in its security features. Every computer in a
network should have antiviral software installed on
it. The antiviral software should fit the network
environment it routinely operates in. An antiviral
program should be updated on a regular basis to
ensure that its virus definitions are current, so that
it is configured correctly in order to balance the
need for protection against the need for network
performance. For instance, if a file server is
scanned continuously throughout the day the
network would significantly be impaired, since the
server could not handle both the scanning and the
280
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · 272-285
traffic trying to access it at the same time. Antivirus
software should not be able to be altered by users.
Governmental and corporate agencies’ network
should be audited by outside sources on a regular
basis to ensure that it is secure. Outside auditors
are not as familiar with the network and will be
able to pick up on flaws that are overlooked by
regular network personnel.
With this in mind, a company must have a good
security policy in place, manager support, and an
appropriate budget to keep the hardware security
measures and system software up to date, as
portrayed in Figure 1. Governmental and
corporate agencies should also have
knowledgeable staff that are able to properly
configure and maintain the hardware and software.
Even with good hardware and software security in
place, employees must be properly trained how to
use it and understand the security procedures
outlined in the security policy.
Employees as instruments of e-security
As illustrated in Figure 1, the contributions of
employees are essential to the overall effectiveness
of an e-security program. Governmental and
corporate agencies’ security policies, procedures,
and practices should clearly outline employee
rights and proper guidelines for using information
systems. Employees must be empowered with
proper training and resources to be able to know
what to do in case of an attack or threat. In any
organisation, human capital is the key to security,
not just the leverage of technology and physical
assets. An enterprise may have all the latest
security technology in place, but it must still rely
on its employees to identify security events and
appropriate corrective action. Unfortunately,
many major system breaches are due to the actions
of a few employees that inadvertently give out their
password to the wrong party. Training
programmes should be integrated into human
resource standard procedures. The training
programmes should be made part of orientations
and on going training programmes. It is
management’s responsibility to set aside time and
resources for the employees to be trained. These
training initiatives should consider the needs of its
employees. Regular employees that use the
electronic information systems to carry out their
daily job functions have different needs than IT
personnel that are responsible for keeping the
information infrastructure available to the users
and making sure that it is secure.
The regular employees usually do not have
expert computer training in terms of e-security
matters. They may only know just enough about
an electronic information system to get their daily
work done. They may not be technically familiar
 E-security issues and policy development
Alan D. Smith
with how network protocols work, what methods
crackers may use to gain access to the company’s
networks, or how viruses may be spread. Every
employee needs a basic awareness of security and
its use in order to understand what information
needs protection and be held responsible through
information ownership.
In many organisations, security policies
specifically state that the company has the right to
use electronic surveillance techniques to monitor
an employee’s use of their electronic information
system (Smith and Faley, 2001). Governmental
and corporate agencies must be prepared to deal
with disputes concerning ethical issues over
employee privacy, especially in the use of e-mail
and other e-materials that are readily shared
amongst employees. Employees do have the right
to fair information practices that include
notification prior to the collection of data, access
to the data collected about them, and the company
keeping the information secure and only using it
for business purposes (Arnett and Liu, 2002).
Many managers claim that the surveillance of
electronic information may be the key to sustaining
a firm’s competitive advantage. Many companies
are dependent on communication devices for
keeping the information flowing and providing
metrics for operational effectiveness. With the
overwhelming amount of computers in the
workplace some “type of automatic identification
and data capture system is necessary to ensure the
level of accuracy needed to support managerial
decision-making systems” (Smith and Faley, 2001,
p. 8). Many governmental and corporate agencies
claim the need for surveillance is to be able to
monitor its products in terms of both the employee
and the customer to enable better delivery of
products and services. For example, “Companies
may gain significant advantage by utilising their
information infrastructures for communication
purposes” (Smith and Faley, 2001, p. 9). One of
the primary reasons for monitoring employee
activity is to ensure that the employees are using
the network infrastructure for work purposes only.
There have been a number of cases in recent
history were employees have access to illegal Web
sites from their company computers. Employees
could also be using company resources to
download programs and other questionable
material that could possibly contain viruses. There
have also been cases where employees have used a
company’s e-mail system to send company secrets
to competitors. Therefore, employees need to be
properly trained on how to identify security threats
and propriety information. They should know
what to do in case a virus attacks the system. With
mandatory training, employees will learn how to
interpret the security policy guidelines by using
281
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · 272-285
passwords correctly, be able to discriminate
between the types of programs allowed to be
installed, where to get permission for installation
of programs needed to do their jobs, and what to
do in case of an attack. If the employees view the
e-security infrastructure and procedures as a
nuisance, then they will be more apt to work
around it or subvert it. It is designed to help them
protect the information they are responsible for.
They should also be made aware of the penalties
for not following procedures.
IT personnel, on the other hand, have the
greatest employee responsibility for implementing
successful e-security measures. The IT
department should be staffed with high-
performing information technology professionals
(Burke and Witt, 2000). They must have excellent
problem solving skills and should be very intimate
with the electronic infrastructure’s environment as
implemented. It is the IT staff who are responsible
for configuring the hardware and software of
network devices to ensure that they function
properly and do not leave any security risks
unattended. They are also responsible for making
sure that the regular employees have the correct
permission for network resources. Help desk
personnel should be trained to distinguish the
difference between an attacker trying to gain
information by pretending to be an employee and a
legitimate employee – that is they must
understand the e-security policies and procedures.
IT professionals should constantly be updating
themselves on the latest security threats and
countermeasures. They are responsible for
scheduling hardware and upgrades for security by
having a clear understanding of what should be
done in the case of a security threat. In many cases,
IT personnel will work closely with management to
develop and revise security policies as needed. IT
personnel must also be able to work with and
monitor the employees. They must be empowered
to enforce proper security procedures and policies.
In many cases, this may lead to a poor relationship
between the users of IT technology and personnel
(Bensaou and Earl, 1998).
Secured information outcomes
More secured information is the ultimate
outcome, as demonstrated in Figure 1. With the
transferring of electronic information becoming
more automated, faster, and cheaper than more
traditional modalities of information transfer,
more governmental and corporate entities are at
risk from e-security breaches. Each one of the
elements of the model presented in Figure 1
should work together to create layered security
barriers to the ever-constant threat of
cybercriminals. Although it is impossible to totally
 E-security issues and policy development
Alan D. Smith
secure information, information is money and a
business entity cannot afford to take short cuts
when it comes to e-security. To understand the
driving force behind the major forces presented in
Figure 1, an understanding of consequential
theory is necessary.
In general, consequential theories of ethics
emphasise the consequences or results of
behaviour. Consequential theory basically states
that the moral right of an action may be
determined by looking at its consequences. This
means if the consequences are good, then the act is
right and is justified; if the consequences are not
good, then the act is wrong. The behaviour itself
has no moral status, but the moral worth is
attached to the consequences. There are two types
of consequential theories, egoism and
utilitarianism. These two theories were derived
from theology. Egoism theory focuses on an
individual’s long-term interest. Under this theory,
the best way of promoting the common good is to
promote individual good and well being. This
essentially means that it is always good to pursue
one’s best interest, since it is “rational and always
right to aim at one’s own greater good” (Knyght
et al., 2000, p. 77). There are a number of
weaknesses to egoism in that it does not take into
account blatant wrongs. This means that even if
the outcome is right to the individual, it does not
mean that the outcome is moral or just for others.
Also, egoism may be incompatible with the social
role of most organisations. Most governmental and
corporate agencies do not pursue interests or
perform actions solely for the good of the
individual, since it is inconsistent with its moral
guidance. Yet many actions of cybercriminals seem
to follow this line of reasoning.
In terms of utilitarianism, a person should
always act so as to produce the greatest ratio of
good to evil for everyone concerned with the
individual’s decision. Utilitarianism is rooted in
that an action is right if it leads to the greatest good
for the greatest number or the least possible
balance of bad consequences (Beauchamp and
Bowie, 1983); in other words the greatest good for
the greatest number. Utilitarian theory essentially
proposes that an individual should evaluate all
outcomes of an action/inaction and weigh them
one against another to determine what is best for
society in terms of its social consequences
(Reidenbach and Robin, 1990). The two types of
utilitarianism include act utilitarianism and rule
utilitarianism. Act utilitarianism contends that in
every situation one ought to act to maximise the
total good, even if the rules are violated. Rule
utilitarianism contents that a person will act
consistently in different situations based on a set of
rules. Utilitarianism does have weaknesses in its
282
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · 272-285
application to e-security behaviourisms. Both act
and rule utilitarianism ignore actions that appear
to be morally wrong and the principle of utility
may come into conflict with that of justice. Lastly,
it is very difficult to formulate satisfactory rules for
rule utilitarianism. Utilitarianism also has some
major strength in evaluations success of programs
in e-security. It provides a good basis for
formulating and testing polices and can be used as
a guiding principle for legislation. Utilitarianism
may also be used to provide an objective way of
resolving conflicts of self-interest, especially
among primary claimant groups of clients and
customers, organisations, professions, and society.
Essentially, with every model there is a theory or
behaviour that must drive it – something that
forms the cohesion between the elements within
the model. Specifically, for the model of e-security
displayed in Figure 1, rule utilitarianism may be
the driving force behind the process of a business
entity obtaining more secure information
concerning B2B or B2C environments. Rule
utilitarianism will represent what occurs in the
arrows between the elements in the model.
Utilitarianism is well suited for understanding the
need to make policies, procedures, and practices
that lead to appropriate decision-making activities
that affect a group or organisation. Among the
elements of the model, there is a struggle that takes
place. In other words, should actions to secure
governmental and corporate agencies’ information
be for the greater good of the entire organisation or
should it benefit the individual elements
separately? By breaking down each transition in
the model, perhaps some insight in the decision-
making process is possible.
Information security threats, as displayed in
Figure 1, are what drives the need for an
e-governmental and corporate agencies’ systematic
and widespread security policy. When
implementing a security policy, there needs to be a
clear understanding of what types of policies need
to be communicated and how are they going to be
enforced. Each section in the security policy must
be carefully considered. For instance, when
writing a security policy concerning the use of
e-mail, employees may want to use the e-mail
system for personal business. This, however, may
be determined as a major security threat, so the
security policy may be written to deny employees
these rights for the security of the organisation.
Security policies should be constructed so that it
provides a set of effective guidelines that will
provide security that will benefit the company as a
whole, even if it means the employees do not get to
use the e-mail system for personal use. This
provides the greatest good for the greatest amount
of people in the organisation and the various
 E-security issues and policy development
Alan D. Smith
clientele it services (clients and customers,
organisation, profession, and society).
When creating an e-security policy, there should
be checks and balances in place that would prevent
one department from swaying the policy in their
favour over other parts of the organisation.
Without proper checks and balances in place, a
weakened e-security policy would result, since the
other departments would be less willing to accept
the policy under the grounds it did not either
benefit them or was considered unreasonable if it
was not applied to all departments in an equal and
equitable fashion. Information security threats do
not work towards the benefit of the organisation.
The cybercriminals do not work towards the
greater good of the company – they do just the
opposite. Organisations need to work together
toward a common goal of eliminating such threats.
Governmental and corporate agencies need to be
part of the solution in stopping cybercrime, not
part of the problem. They should work toward a
common goal that benefits not only them, but also
society as a whole.
The link between the security policy and
management support elements are also crucial.
Management must fully support the security
policy in order for it to be effective. With the
security policy in place, management needs to use
it to make decisions on how to enforce the policy.
In many organisations, management may be
unaware of the implications of e-security policies.
Management should understand that it is their
responsibility to create an environment that fully
supports the security policy, regardless of
individual inconveniences. Security plans have
been put in place not just to protect individuals,
but also to protect the entire organisation from
attacks. Management needs to create a company
culture that benefits the entire company.
Therefore, they are acting towards the greater
good of the company.
The relationship between the constructs of
management support and the budget plays a very
important role in what direction a company may
go in when spending on its e-security measures, as
portrayed in Figure 1. It is important that
management understands the risks in losing the
organisations and customers’ private information
in terms of lost revenue and the damage to
reputation. Proper management of an organisation
allows for the understanding of guidelines set forth
in the e-security policy and the ability to set a
budget that will cover the needs of the
organisation. If the management treats e-security
as an overhead cost that may be cut, then they may
not be working toward the greater good of the
organisation. Management should be the leaders
in enforcing e-security policy rules for their
283
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · 272-285
employees. It is in the organisation’s best interest
that all employees are on the same level when it
comes to strategic thinking of e-security issues.
This means management should budget resources
for extensive employee training in the area of
security. Therefore, management is setting a
budget that is able to work for the greater good of
the company.
Once the budget is approved, IT personnel with
appropriate input for all interested parties may
determine what type of hardware and software is
needed to maintain and upgrade a company’s
electronic information infrastructure. The IT
department needs to work with individual
departments in an organisation to determine the
type of technology that is needed to allow the
employees to perform their daily job
responsibilities and still provide the security
mandated by sound policies, practices, and
procedures. Hardware and software should not
only fit within the budget constraints, but should
also add value to the company by improving
employees’ performance, streamlining production
processes and providing security to the company’s
electronic information. Many governmental and
corporate agencies make the common mistake of
trying to integrate the newest and fastest
technology into its business structure without
regard to a needs assessment. This situation is
identical for e-security initiatives. It takes more
than just a few firewalls and antiviral programs to
stop attacks on organisational information and
delivery systems. Implementing new technology
requires planning and the cooperation of many
departments in order to ensure success. In
addition, the cost of hardware and software
systems should be contained within the company
budget and it should benefit the company as a
whole. Establishing and maintaining proper levels
of e-security for an organisation’s electronic
information have become one of the most
important aspects driving configurations and
budget allocations to many IT departments. If
hardware and software systems cannot provide the
required safety, it will not be purchased and
implemented. That is why many IT departments
perform extensive research before they make the
decision on what hardware or software they
recommend that the company should purchase.
The links between hardware and software and
employees in Figure 1 are important due to the
dependency that successful implementation of
e-security measures has on employees’ basic
understanding of the strategic fit of hardware and
software systems. It benefits the company as a
whole if employees are trained how to use the
technology and have a basic understanding of their
role in a company’s information security.
 E-security issues and policy development
Alan D. Smith
Employees may either make a decision to follow
the security policy guidelines and benefit the
company as a whole or they may try to subvert
them and employ what specific actions that they
think will best benefit them. This is where
management needs to use the security policy to
enforce the rules and make employees understand
that they are the key to a company’s information
security infrastructure. They are not just working
for the greater good of the company, but also for
themselves because it is also their information and
jobs that are at stake if an attacker hits the
company. More secured information is the end
result of the e-security model presented in Figure 1.
Information may never be fully secured from
attacks, but with the elements of the model
working together for the greater good of the
company, e-security will continually improve and
adjust to the evolution of cyberattacks as a whole.
General conclusions and implications
As stated earlier, the purpose of this paper was to
develop a conceptual model that illustrated the
basic elements and processes governmental and
corporate agencies need to achieve for a more
secured information environment. The struggle
for protecting company data will eventually come
down to who is more motivated to win the battle
for information, the organisation or the attacker.
Information security in a networked world takes
much more than just technology and a few written
policies. It takes many elements working together
in harmony to form a layered security blanket in
governmental and corporate agencies’ information
infrastructure. A company should look at
electronic information security as a valuable
strategic asset that is valuable, imitable, and non-
substitutable. Security should be integrated into an
organisation’s culture, not simply placed as an
add-on. It should hold the same importance that
every other business decision entails. The ethical
side of electronic security is an evolving field that
has many applications that may lead to a better
understanding of how electronic surveillance
methods may affect employee performance and
trust in an information sharing and globally
networked environment. In addition, more
research is needed in understanding the
mechanisms associated with hardware and
software systems integration with e-security
development and policy formation. As stated
earlier, many network devices and software are
conforming to open standards, which may cause
an increase in cyberattacks.
Legal structures for detection and successful
prosecution of offenders in promoting an
284
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · 272-285
e-security environment are another growing
IT-related field. Unfortunately, there is a gap
between laws defining computer offences and
associated issues of how to investigate cybercrimes
as compared to the fast pace of changing
technology and social acceptance of these
technologies. Along with this, further research may
be done to better understand how countries that
have not yet adopted computer crime statutes
affect the security of those that have (Karsten,
2002; Murphy, 2001). The growth of cybercrime
has caused this problem to span across countries.
It has become impossible for any one government,
business or country to develop successful systems
to solve it. In the future, more governments and
companies will be forming alliances and sharing
security information threats and techniques,
similar in structure to the sharing of information
concerning terrorist threats after September 11,
2001. This information sharing is already evident
in non-profit organisations such as the Information
Sharing and Analysis Centre for Information
Technology (IT-ISAC). This organisation brings
many high technology companies together along
with government agencies to help collaborate and
share information on common threats and how
they may be effectively prevented (McGivern et al.,
2002).
As systems become more complex, there will be
a greater need for hardware and software systems
to counter more rapidly e-security threats in a
more concerted and global fashion. New hardware
and software for monitoring systems will have to be
developed in order to enhance the user-friendly
interface so that adoption rates will increase
security prevention and awareness efforts. Wireless
technology will also play a big part in the future.
How may a company secure something that is
invisible and is broadcast over the air? It may add
more convenience and cost saving to the company
in network cabling and overall network design, but
it could cost the company millions if not secured.
Even with 256-bit WEP encryption, wireless is still
extremely vulnerable to attacks. In essence,
governmental and corporate agencies need to
focus less on technology and more in managing
e-security. In the future security will have to
become part of the culture of a company, rather
than just being something that is bolted on and
does not fit. Information managers must work with
various elements of the model to enhance e-
security to deliver a ROI by allowing organisations
to reduce business risk in real time. As suggested
by Hopwood et al. (2000), Web servers operate as
an extension of the operating system and any
failure in operating system security is likely to spill
over into Web server security – the administrator’s
primary task is to seek a secure operating system.
 E-security issues and policy development
Alan D. Smith
References
Arnett, K.P. and Liu, C. (2002), “Raising a red flag on global
WWW privacy policies”, Journal of Computer Information
Systems, Vol. 43 No. 1, pp. 117-28.
Ashein, G.B. and Buchholz, W. (2003), “The malleability of
undiscounted utilitarianism as a criterion of
intergenerational justice”, Economica, Vol. 70 No. 279,
pp. 405-23.
Barman, S. (2002), Writing Information Security Policies,
New Riders Publishing, Indianapolis, IN.
Beauchamp, T.L. and Bowie, N.E. (1983), Ethical Theory and
Business, 2nd ed., Prentice-Hall, Englewood Cliffs, NJ.
Bensaou, M. and Earl, M. (1998), “The right mindset for
managing information technology”, Harvard Business
Review, Vol. 76 No. 5, pp. 119-28.
Burke, L.A. and Witt, L.A. (2000), “Selecting high-performing
information technology professionals”, Journal of End
User Computing, Vol. 14 No. 4, p. 37.
Campbell, S. and McCarthy, M.P. (2001), Security
Transformation, McGraw-Hill/Irwin, Boston, MA.
Cheng, H., Chou, D.C., Lin, B. and Yen, D.C. (1999), “Cyberspace
security management”, Industrial Management & Data
Systems, Vol. 99 No. 8, pp. 353-64.
Hopwood, W.S., Sinason, D. and Tucker, R. (2000), “Security in a
Web-based environment”, Managerial Finance, Vol. 26
No. 11, pp. 42-57.
Karsten, R. (2002), “An analysis of IS professional and end user
causal attributions for user-system outcomes”, Journal of
End User Computing, Vol. 14 No. 4, pp. 51-73.
Knyght, P.R., Korac-Kakabadse, A., Korac-Kakabadse, N. and
Kouzmin, A. (2000), “The impact of information
technology on the ethics of public sector management in
the third millennium”, Global Virtue Ethics Review, Vol. 2
No. 1, pp. 77-84.
McGivern, E., Saban, K. and Saykiewiez, J.N. (2002), “A critical
look at the impact of cybercrime on consumer Internet
behaviour”, Journal of Marketing Theory and Practice,
Vol. 10 No. 2, pp. 29-37.
Murphy, S.D. (2001), “Adoption of convention on cybercrime”,
The American Journal of International Law, Vol. 95 No. 4,
pp. 889-91.
285
Aslib Proceedings: New Information Perspectives
Volume 56 · Number 5 · 2004 · 272-285
Parker, R. (2003), “How to profit by safeguarding privacy”,
Journal of Accountancy, Vol. 195 No. 5, pp. 47-52.
Reidenbach, R. and Robin, D. (1990), “Toward the development
of a multidimensional scale for improving evaluations of
business ethics”, Journal of Business Ethics, Vol. 9 No. 8,
pp. 639-53.
Roberts, M. (2002), “Guarding the electronic gates”, Chemical
Week, Vol. 20 No. 27, pp. 41-2.
Smith, A.D. (2002), “Loyalty and e-marketing issues: customer
retention on the Web”, Quarterly Journal of E-commerce,
Vol. 3 No. 2, pp. 149-61.
Smith, A.D. (2003), “Surveying practicing project managers on
curricular aspects of project management programs: a
resource-based approach”, Project Management Journal,
Vol. 34 No. 2, pp. 26-33.
Smith, A.D. and Faley, R.A. (2001), “E-mail workplace privacy
issues in an information- and knowledge-based
environment”, Southern Business Review, Vol. 27 No. 1,
pp. 8-19.
Smith, A.D. and Offodile, F. (2002), “Information management of
automated data capture: an overview of technical
developments”, Information Management & Computer
Security, Vol. 10 No. 3, pp. 109-18.
Smith, A.D. and Rupp, W.T. (2002a), “Application service
providers (ASP): moving downstream to enhance
competitive advantage”, Information Management &
Computer Security, Vol. 10 No. 2, pp. 64-72.
Smith, A.D. and Rupp, W.T. (2002b), “Issues in cybersecurity:
understanding the potential risks associated with hackers/
crackers”, Information Management & Computer Security,
Vol. 10 No. 4, pp. 178-83.
Smith, A.D. and Rupp, W.T. (2002c), “Examination of the
interrelationships between the Internet and religious
organisations: an application of diffusion theory”, Services
Marketing Quarterly, Vol. 24 No. 2, pp. 29-41.
Swanson, E.B. (1994), “Information systems innovation among
organizations”, Management Science, Vol. 40 No. 9,
pp. 1069-92.
Tuthill, M. (2001), “E-risk is a manageable beast”, AFP
Exchange, Vol. 21 No. 3, pp. 52-6.
Wong, A. and Beckman, E. (1992), “An applied ethical analysis
system in business”, Journal of Business Ethics, Vol. 11
No. 3, pp. 173-9.