
MANAGEMENT INFORMATION & CONTROL SYSTEM

INFORMATION SECURITY IN THE EXTENDED ENTERPRISE

Presented by
Aditya Ahuja (054)
Anshul Pachouri (6503861)
Pooja Bagga (085)

14/10/2010 1
Information Security In the Extended Enterprise
INTRODUCTION
• Each firm's security decisions have an impact on the overall security of the information infrastructure.
• Managing the security of the sensitive information flowing across the extended enterprise is a significant and under-researched topic.


• Three research efforts that address the core information security issues pertaining to the efficacy of economic and other potential drivers of information security are:
1) To understand how firms adopt information security capabilities.
2) To assess interdependency risk magnitude.
3) To evaluate the information security gap.


METHODS
• Interviews with security and supply chain executives and managers at a ‘host’ firm and four of its direct suppliers.
• Interviews were designed to elicit the knowledge and beliefs of the interviewed individuals.
• The host firm is a Fortune 500 manufacturing firm with plants and sales worldwide.
• 13 individuals were interviewed; interviews lasted from 30 minutes to 2 hours.


THE CRITERIA USED TO CHOOSE THE CANDIDATES WERE:
• Candidates had to use some form of electronic communication to manage their supply relationship with the host.
• Candidates would cover a range of sizes in terms of their annual revenue.
• Candidates would provide products directly used in the host’s products.
• Candidates should be close to a small set of geographic locations.


RESULTS
Drivers of adoption of information security
1) InfoSec managers protecting their firm’s internal network and data.
2) Government regulation and customer requirements.

• Hence, as a group, the interviewed firms made few or no demands on their suppliers for levels of information security, although Supplier B said that they would start having requirements in the near future.


RISK TO EXTENDED ENTERPRISE FROM RELIANCE ON THE INFORMATION INFRASTRUCTURE
• Information security risk: the risk to the internal IT system and information that arises from the integration of supply chain systems.
Examples: e-mail, VPN, web applications
• Supply chain continuity risk: the risk to the firm’s ability to produce a product due to supply chain disruption caused by information infrastructure events.
Use of phone and FedEx is preferred to avoid this risk.
DRIVERS OF THE INFORMATION SECURITY
• Technology
• Market Conditions
• Government Regulations
• Government Spending
• Litigations
• Cost-Benefit
• Standard Setting
• Best Practices


CATEGORIES OF SECURITY COST
• Most of the executives who were interviewed focused purely on the cost trade-off of security, disregarding the possibility of increased revenue. These costs can be broken into two major groups:
• Costs of avoiding security failures.
• Costs of security failures.

Cost of avoiding security failures:
  Cost of prevention: firewall/antivirus, training
  Cost of appraisal: audits, monitoring, intrusion detection
Cost of security failures:
  Cost of internal failure: lost productivity, IT services restoration
  Cost of external failure: lost confidence/revenues, litigation, fines
EXAMPLES
• Costs of avoiding security failures, such as on-going security appraisals and investments in preventive measures like installing a firewall.
• Costs associated with security failures: either internal failures that are not observed by customers, or external failures that are observed by those outside the firm.
• Internal failures are security problems that are discovered internally, resulting in costs such as lost productivity (for example, lost worker productivity and restoring information services).
• External failures, such as exposing confidential information, can lead to many costs including litigation, fines, and brand damage.
• According to one of the clients, even when information security does not increase revenue there can still be a positive business value in increasing information security.
• This client felt that even though increasing information security would likely not increase profits directly, the processes put in place would take costs out of the business.
• As an example, the client talked about single sign-on: while this was being done for reasons of information security, it would reduce her costs as well as increase the efficiency of her staff.


CONCLUSION
This study examined how firms identify and manage information security risks internally and within their supply chains.
Our initial results are from an industry-specific sample of 5 firms, which leads us to believe:
• Firms are adopting levels of information security that are appropriate for their internal operations.
• Market forces, in the form of customer requirements or qualifications, are the primary driver for additional information security measures.
• The interviewed firms were reactive in their approach to information security.
• Firms need to pay more attention to the risks they are exposed to as a result of using the information infrastructure to manage their extended enterprise.


THANK YOU
