
Information Security Research Proposal

… Security

A broad definition of information security is given in the ISO/IEC 17799 (2000) standard as:

"The preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods), and availability (ensuring that authorized users have access to information and associated assets when required)" (ISO/IEC 17799, 2000, p. viii).

Before computer and internet security emerged in the many dimensions we see today, the basic security focus within the majority of organizations was the protection of physical assets. In organizations that used computers during the early years of computing, security meant protecting data from natural disasters or malicious actions. With the introduction of the personal computer, computer security itself became a focus for organizations.

Business organizations and other institutions that hold large volumes of information require sound management of that information, and this has become a major issue for them. Security technologies are used intensively for information security in these organizations. In recent years, practitioners and academics have come to realize that information cannot be made secure merely by deploying technological tools and software; to manage information security effectively within an organizational setting, attention must be given to three components: people, processes and technology.

As information and computer security technology has advanced, many security tasks, for example patch management and antivirus updates, are now automated to reduce the knowledge and time burden on users. However, behaviors such as the proper use of computer and network resources and adequate password habits can only be addressed by employees themselves rather than by security technologies, and they are mostly managed through organizational computer security policies. Many reported security violations (2005b) show that staff negligence and noncompliance frequently cost organizations millions of dollars in losses. Mishra and Dhillon (2006) argue that the failure rate in managing information security, and the rise in security breaches caused by end-user noncompliance, are evidence of unsuccessful IS security control programs that do not address the resources needed to help employees comply with policies. Even though organizations have long adopted appropriate computer use policies and consider these policies important, empirical research on this topic is still emerging.

2. Background Theory and Application

Information security problems negatively impact almost all aspects of an organization's operations, and this is an issue not only for private but also for public sector organizations. Some of the typical security matters that today's organizations face include "identity theft, security of transactions over the Internet, viruses, spyware, security breaches of confidential information, securing networks and databases, corporate accountability through the Sarbanes-Oxley Act, internal controls through COSO (Committee of Sponsoring Organizations), information technology (IT) governance through COBIT (Control Objectives for Information and related Technologies), etc." Within business firms, security architectures exist at the operational level for networks, data, databases, applications, infrastructure, and web services. Yet awareness of an information security architecture for enterprise security governance is incomplete or nonexistent.

Over many years, the focus of information security has developed from physically securing computer centers to securing information technology systems and networks, and then to safeguarding business information systems. Computer centers have since developed into data centers that house many servers and databases. These databases contain data and information that is critical to the economic survival and productivity of organizations. Over time, computer architecture developed from stand-alone systems to networked systems. Before this, there was no notion that computers could communicate with each other. The arrival of networked computer systems ushered in a new age of computer communications.

The development of computer networks and the arrival of the Internet have further broadened the scope of information security. Using the internet, computers can now communicate and share information with computers outside an organization's networks and beyond its computer center. This new mode of communication meant that the previously used security model was no longer adequate to meet the threats and challenges inherent in the new technology infrastructure. Widespread communication among computer users over the internet, and the sharing of information it brings, requires a new model of information security management so that today's security challenges can be handled. The purpose of this new model will be to protect the business information systems in the enterprise, and to secure the business...

As part of meeting this new challenge, it will also be necessary to include the renaissance of risk management as a key element of information security management.

3. Purpose of Research

Through this research study the researcher aims to explore the positive and negative attitudes of managers and employees regarding the security of the information systems in their organizations. The researcher will attempt to determine how information security management can be improved as a repeatable management process. The researcher will use survey questionnaires for staff and for information security professionals, particularly managers, to explore behaviors such as password habits and computer use, and will also develop a suitable framework and methodology that may facilitate the integration of information security management with other enterprise business processes.

4. Research Problem

There have been incidents in which an organization's confidential information was disclosed because employees were not careful, causing losses for the organization. Much attention is given to computer network security using the latest technologies, but less emphasis is placed on policy making and on training staff in the organization's information security. Some research has evaluated organizational security practices and their effectiveness, but attention has mostly been given to IT administrators or top-level managers (e.g., Choi et al. 2006; Dhillon and Torkzadeh 2006; Knapp et al. 2005b; Loch et al. 1992; Ma and Pearson 2005; Straub and Collins 1990), and there is a need for a study of the computer use and password habits of ordinary workers.

5. Research Questions

The following research questions arise from the research problem statement. These questions cover the major aspects of information security management, i.e. core principles, policy structure, integration with management procedures, and its importance to the enterprise planning process.

Question 1:

How do various information security related beliefs, attitudes and perceptions shape end user behaviors?

Question 2:

How can the employee security behaviors be influenced? How do the various incentive mechanisms, more specifically penalties, social pressures and perceived contributions, influence the employee security policy compliance?

Question 3:

Do the end-user perceived organizational security values play a role in security behavior?

General Review of the Research Field

Generally, organizations have been able to accomplish specific security goals and objectives using internally developed security practices, based on their history of security incidents together with the skills and experience of internal staff. Most of these security management activities have been focused at the technical and operational levels. Hong et al. (2003) suggest that even at these levels there appears to be no formal framework and methodology for security management, which they attribute to a lack of security management theory (Hong et al., 2003). The lack of security management theory that Hong et al. (2003) alluded to could also explain the absence of a consensus on what constitutes an information security framework in the broader sense. Perks & Beveridge (2003) define a framework as

…a reasoned, cohesive, adaptable, vendor-independent, technology independent, domain-neutral, and scalable conceptual foundation for detailed architecture representation (Perks & Beveridge, 2003, p. 437).

It could be argued that ISO/IEC 17799 (2000) or COBIT 4.0 (2005) can be viewed as a framework. However, ISO/IEC 17799 (2000) is a standard that provides general guidance on how to deal with information security issues. It was designed as a guide to appeal to a wide variety of organizations across industries, and it does not appear to have a theoretical foundation for information security management. As von Solms (2005) noted, additional work is required by users to integrate ISO/IEC 17799 (2000) into a specific organizational security framework (von Solms, 2005). COBIT is a tool for information technology governance (COBIT 4.0, 2005), and it is not specific to information security management. This lack of specificity regarding information security governance makes it difficult to use COBIT as a framework or methodology for information security management. If, on the other hand, information security is managed as part of IT governance, then COBIT would be useful in that respect, but only in managing overall IT governance, of which information security is one part. Rungta et al. (2004) argued in favor of a new approach to information security management, and their study concluded that existing enterprise security management structures are inadequate (Rungta et al., 2004, p. 304). Such a conclusion could be due to the maturing of information security as a discipline, as information security management continues to evolve.

The nature of information security management in the past made it possible for senior management to adopt a hands-off approach to information security. This meant that IT departments became the de facto authority on all information security management…

References

Bennet, C.J., and Regan, P.M. "Editorial: Surveillance and Mobilities," Surveillance & Society (1:4) 2004, pp. 449-455.

Choi, N., Kim, D.J., and Goo, J. "Managerial Information Security Awareness' Impact on an Organization's Information Security Performance," 12th Americas Conference on Information Systems, Acapulco, Mexico, 2006.

Dhillon, G., and Torkzadeh, G. "Value-Focused Assessment of Information System Security in Organizations," Information Systems Journal (16:3) 2006, pp. 293-314.

Dutta, A., and McCrohan, K. "Management's Role in Information Security in a Cyber Economy," California Management Review (45:1) Fall 2002, pp. 67-87.