A FRAMEWORK FOR RESEARCH IN INFORMATION SECURITY MANAGEMENT Sindhuja Parakkattu, University of Toledo, (419)-530-5644, menon.sindhuja@gmail.com Dr. Anand. S.

Kunnathur, University of Toledo, (419)-376-5391, AKunnat@utnet.utoledo.edu

ABSTRACT Information security is a critical issue concerning organizations round the globe. All organizations involve in information-handling activities and therefore it becomes increasingly important to organize, manage and disseminate information in a useful and secured manner. Extant research in information security has been mostly focused on technological controls to protect information from threats and vulnerabilities. The information security literature widely discusses the role of information systems (IS) and information technology (IT) in secured management of information. However, practitioners and academicians have started to realize that effective organizational information security lies in the coordination of people, processes and technology. This motivates the development of a research framework for information security management that ensures the selection of adequate and proportionate security controls that protect information assets and give confidence to business stakeholders. As organizations become more and more interconnected, an effective information security management will help to build trust and commitment in interorganizational activities.

AN OVERVIEW OF INFORMATION SECURITY RESEARCH In todays dynamic and competitive business environment, an effective information system is part of the essential infrastructure of most organizations. Information systems include not only the hardware, software, data and other information assets, but also the people, policies, and procedures associated with the gathering, distribution, usage and maintenance of the information. As organizations rely more and more on information systems to perform most of their business operations, concerns about controlling and securing information become paramount. Increased organizational dependence on information systems has led to a relative increase in the impact on the organization of compromised information security [1]. In this context, information security management (ISM) is a critical issue that is beginning to attract the attention of the communities of research and practice. ISM focuses on streamlining the management activities that creates an organizational framework within which the information system operates and mainly aims at protecting the information assets of the organization [2]. It includes ensuring the security of information through proactive management of information security risks, threats and vulnerabilities. This necessitates the need for ISM to be built into the daily business operations and alignment with the overall business objectives of the organization. The real challenge of information systems is to ensure that the information is of highest quality in terms of timeliness, completeness, accuracy, confidentiality, reliability, readability and appropriateness [3, 4, 5]. As organizations experience unacceptably high levels of security abuses, they seldom provide consistently high quality information resources to meet managers requirements [6]. The cost of compromising the information for any reason is extremely grave in terms of the damages caused due to monetary losses, disruption of internal processes and communication, loss of potential sales, loss of competitive advantage, wastage of time, efforts and

manpower and even business opportunities, while it also damages the reputation, goodwill, trust and business relationships [7,8]. Most of the past studies on ISM focused on the technological [9] and administrative [10, 11] issues from an IS or IT perspective. However, the challenges faced by ISM stem from those related to the management of organization as a whole. In spite of the vast resources expended by organizational entities attempting to secure information systems through technical controls and restrictive formal procedures, occurrences of security breaches and the magnitude of consequential damage continue to rise. The weakest link in the security chain appears to be the absence or inadequate emphasis on the behavioral and organizational aspects of ISM. Effective organizational information security depends on managing the three components, namely; people, process and technology. Werlinger et al., [12] tried to provide an integrated view of human, organizational and technological factors that contributed to the complexity of security related challenges. The study aimed at providing suggestions for improving the security tools and processes. Though they have identified and described 18 challenges that can affect the ISM within an organization, the paper is silent on implications on organizations performance. Hagen et al., [13] tried to assess the effectiveness of implemented organizational information security measures and suggested that awareness creating activities should be encouraged in organizations where security measures are implemented. Though the authors looked at the effectiveness of such measures from a technical and administrative stand point, the study has not taken into consideration other critical factors of management. Further, implications of assessed effectiveness of security measures on organizational output are not dealt with. Studies have been done to measure the effectiveness of ISM from various individual dimensions. Chang and Lin [14] examined the influence of organizational culture on the effectiveness of ISM implementation. Authors suggested that human dimension of information security cannot be resolved by technical and management measures alone. They proposed a research framework relating organizational culture traits with the principles of ISM. Ashenden [15] addresses the human challenges of ISM and pointed out that information security management depends on technology, processes and people. Author suggests that organization should look into the skills that are needed to change the culture and build effective communication between all members of the organization, with regards to information security. It is evident from the available information security literature that while ISM is a multidimensional phenomenon, reflecting technical, management and institutional perspectives [16], most of the research emphasis has been on the technical and formal aspects of ISM. Effective ISM seems to be an organizational challenge and no longer merely a technical commitment. In this regard, the research framework we propose to develop, examines the challenges of ISM by exploring the objectives, practices and other management factors that could influence the organizational performance and competitive advantage. ISM Objectives and Practices To safeguard organizational information assets from internal and external security threats, variety of information security standards and guidelines have been proposed and developed. The phrase security framework has been used in a variety of ways in the security literature over the years, but British standards (BS 7799) promoted the term information security management system (ISMS) and came to be used as an aggregate term for the various documents and architectures, from a variety of sources, that give recommendations on topics related to information systems security, particularly with regard to the planning, managing, or auditing of overall information security practices for a given institution. BS 7799/ISO 17799 deals with ISMS requirements and is used within companies to create security requirements and objectives. The Generally Accepted System Security Principles (GASSP) is a joint international attempt to develop a protocol to achieve information integrity, availability and confidentiality. However, ISO 17799:2005 (ISO 27001) is the

widely accepted and suitable model for ISM, as it adequately addresses various security issues in organizations [17]. Qingxiong Ma et al. [18] examined the objectives of ISM and management practices used to achieve the same, as well as the relationship between information security objectives and practices. They identified four objectives which are most frequently considered for ISM. They are confidentiality, integrity, availability and accountability. Therefore, this proposed framework proposes to use these objectives for its purpose. ISO 17799 (ISO 27001) code of practice covers 10 control areas such as security policy, organizational security, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management and compliance. The authors refined these practices and obtained 8 commonly used practices by the ISM professionals. The framework also considers those 8 practices which is in alignment with ISO 17799 code of practice for ISM, as the basis for ISM practices. Other critical organizational factors Identification and addressing of other critical organizational factors that has practical significance to ISM will give a comprehensive perspective to the organizational view of information security management. As most of the operational, procedural and technical part of ISM is covered by the ISM objectives and practices, other factors that drive the need for ISM need to be considered. Based on the literature, some of the factors identified are top management support, organizational culture and structure, self-efficacy, and awareness creation [19]. Top Management Support: According to an Auburn University study, sponsored by the International Information Systems Security Certification Consortium ((ISC2), obtaining senior management support is one of the most critical issues influencing information security effectiveness in organizations today [20]. The survey found that 62% of their daily tasks require the exchange of information or cooperation with others. And so implementing information security programs requires exceptionally high levels of task interdependence, which warrants greater levels of executive support to be successful. Knapp et al. [21] examined the impact of top management support on organizations security culture and security policy enforcement. An organizational culture with less tolerance to good security practices is found with low levels of support and also retard the enforcement of security policies. Considering top management support to be an important driver for ISM, the study proposes to include top management support as one of its dimensions. Organizational Culture: Culture is considered as the operating system of an organization, as it directs how employees think, act and feel [22]. It is also evident from the literature that culture paradigm is associated with the existing practices and roles in an organization [23]. Consequently, exploring the various cultural traits that facilitates an organization to perform ISM is of utmost importance from an organizational perspective. Hall [24] identified 10 streams of culture useful for addressing security issues that might emerge in any given setting. Later, Dhillon [25] named it as the web of culture consisting of 10 streams namely; interaction, association, subsistence, gender, temporality, territoriality, learning, play, defense and exploitation. Chang and Lin [14] used two dimensions, internal/external orientation and flexibility/control orientation, in their study on influence of organizational culture on ISM. The four constructs of organizational culture that emerged out these two dimensions were cooperativeness, innovativeness, consistency and effectiveness. The research framework proposes to use the Chang and Lin cultural constructs to measure organizational culture. Self-efficacy: The eventual success of information security depends on appropriate information security practice behaviors by all who are associated with the system, and especially by the end

users. Rhee et al. [26] explored the antecedents of individuals' self-efficacy beliefs in information security and tested relationships among self-efficacy in information security, security practice behavior and motivation to strengthen security efforts. This study also considers self-efficacy as an important construct for ISM in an organization. Awareness Creation: Hagen et al. [13] pointed out that awareness creating activities have greater impact on ISM compared to technical and administrative measures applied by organizations. Increasing the awareness of security issues is the most cost-effective measure that any organization can envisage [25]. This framework considers awareness as part of the ISM dimensions. Organizational Performance Organizational Performance is a broad construct which captures what agencies do, produce, and accomplish for the various constituencies with which they interact. However, there is no universally recognized measure of organizational performance. Venkataraman [27] studied the perception of the respondents regarding organizational performance with respect to market and financial performance. This measure was used in many studies that examined the organizational performance [28, 29]. Competitive Advantage When a firms sustained profit pattern exceeds the industry average, the firm is said to possess a competitive advantage over its competitors. From a resource based perspective, a firm is said to have a competitive advantage when it is implementing a value creating strategy not implemented or not simultaneously being implemented by any current or potential player. It defines capabilities that differentiate an organization from its rivals. Suhong Li et al. [29], in their study used price, quality, delivery dependability, product innovation and time to market as the dimensions of competitive advantage construct. Research Agenda We represent the framework using the conceptual model given in figure. 1. The model depicts organizational factors to be the drivers of information security management. ISM objectives and practices are dimensions to assess ISM. Further, the influence of ISM, driven by the organizational factors, on the performance and competitive advantage is represented in the model. The research framework proposes to: Develop a comprehensive framework for ISM, reflecting, in addition, the organizational dimensions of security concerns. Examine the role of each dimension towards effective ISM. Examine the influence of ISM dimensions on Organizational performance and Competitive advantage Top management support Organizational Culture Self-efficacy

ISM Objectives ISM Practices Awareness Creation

Organizational performance

Competitive advantage Figure 1: The Conceptual Model

Deliverables Every business, big or small, faces major financial consequences due to loss of data or a breach of security. Out of the various types of security breaches happening in US, 47% accounted for the security incidents involving corporations and businesses [30]. At the bottom line, a business cannot afford to take the risk of ignoring data loss and security breach exposure. Therefore it is imperative that an organization give due consideration to the information security management aspects. This conceptual framework aims at providing a better understanding of the information security objectives and practices, considering other organizational factors, for an effective information security management. Information security management plays a vital role in addressing the security, compliance and efficiency needs of an organization. This provides a vast range of benefits which includes a holistic understanding of organizations security status of the assets, prioritizing security occurrences, evading security breaches and demonstrating conformity with regulations in a much more efficient fashion than in the past. We envision the developed framework to help: Explore approaches to integrate ISM within the organization Develop an information security strategy for the organization Create a pervasive information security culture Build trust and confidence in inter-organizational activities and processes to strengthen the supply chain. References 1. Kankanhalli, A., Teo, H-H., Tan, B.C., Wei, K-K. An integrative study of information systems security effectiveness,. International Journal of Information Management, 2003, 23(2), pp. 139-154. 2. Karyda, M., Kiountouzis, E., Kokolakis, S. Information Systems security policies: a contextual perspective,. Computers & Security, 2005, 24, pp. 246-260. 3. Wang, R. Y., Strong, D.M. (1996), Beyond accuracy: what data quality means to data consumers,. Journal of Management Information Systems, 1996, 24(4), pp. 5-34. 4. Caby, E. C., Pautke, R. W., Redman, T. C. Strategies for improving data quality,. Data Quality, 1995, 1(1), pp. 4-12. 5. Miller, H. The multiple dimensions of information quality,. Information systems management, 1996, 13(2), pp. 79-83. 6. Garg, A., Curtis, J., Halper, H. Quantifying the financial impact of information security breaches,. Information Management and Computer Security, 2003, 11(2), pp. 7483. 7. Dhillon, G., Moores, S. Computer crimes: Theorizing about the enemy within,. Computers & Security, 2001, 20(8), pp. 715-723. 8. Bruce, L. Information security key issues and developments,. 2003, available at:www.pwcglobal.com/jm/images/pdf/Information%20Security%20Risk.pdf. 9. Siponen, M.T., Oinas-Kukkonen, H. A review of information security issues and respective research contributions,. The Database for Advances in Information Systems, 2007, 38(1), pp. 60-81. 10. Kraemer, S., Carayon, P. Computer and information security culture: findings from two studies, In the Proceedings of the 49th Annual Meeting of the Human Factors and Ergonomics Society. Human Factors and Ergonomics Society, Orlando, Florida, 2005, pp. 14831487. 11. Mouratidis, H., Jahankhani, H., Nkhoma, M. Z. Management versus securit y specialists: an empirical study on security related perceptions,. Information Management & Computer Security, 2008, 16(2), pp. 187-205.

12. Werlinger, R., Hawkey, K., Beznosov, K. An integrated view of human, organizational and technological challenges of IT security management,. Information management & Computer Security, 2009, 17(1), pp. 4-19. 13. Hagen, J. M., Albrechtsen, E., Hovden, J. Implementation and effectiveness of organizational information security measures,. Information Management & Computer Security, 2008, 16(4), pp. 377-397. 14. Chang, S. E., Lin, C. Exploring organizational culture for information security management,. Industrial management and Data Systems, 2007, 107(3), pp. 438-458. 15. Ashenden, D. Information Security Management: A human challenge?. Information security technical report, 2008, 13, pp. 195-201. 16. von Solms, B. Information security the third wave?. Computers & Security, 2000,19(7), pp. 615-20. 17. Dhillon, G., Backhose, J. Current directions in IS security research: towards socioorganizational perspectives,. Information Systems Journal, 2001, 11(2), pp. 127-53. 18. Qingxiong Ma, Johnston, A. C., Pearson, J. M. Implementation security management objectives and practices: a parsimonious framework,. Information Management & Computer Security, 2008, 16(3), pp. 251-270. 19. Siponen, M. A conceptual foundation for organizational information security awareness, Information Management and Computer security, 2000, 8(1), pp. 31-41. 20. "Managerial Dimensions in Information Security: A Theoretical Model of Organizational Effectiveness," available at http://www.isc2.org/auburnstudyAbout (ISC)2 21. Knapp, J. K., Marshall, E. T., Kelly Rainer, R., Nelson Ford, F. Information security: managements effect on` culture and policy,. Information Management & Computer Security, 2006, 14(1), pp. 24-36. 22. Hagberg, R., Heifetz, J. Corporate Culture: Telling the CEO the Baby is Ugly, . Hagberg Consulting Group, San Mateo, CA, 1997, available at: www.hcgnet.com/research.asp. 23. Allen, D.K., Fifield, N. Re-engineering change in higher education, Information Research, 1999, 4(3). 24. Hall, E. T., The Silent Language, 2nd ed. New York, Anchor Books, 1959. 25. Dhillon, G., Principles of Information systems Security, NJ, John Wiley & Sons, 2007. 26. Rhee, H., Kim, C., Ryu, Y. U. Self-efficacy in information security: Its influence on end users' information security practice behavior,. Computers & Security, 2009, 28. 27. Venkatraman, N. Strategic orientation of business enterprises: the construct dimensionality and measurement,. Management Science, 1989, 35(8), pp. 942-962. 28. Croteau, A., Bergeron, F. An information technology trilogy: business strategy, technological deployment and organizational performance,. Journal of strategic information systems, 2001, 10, pp. 77-99. 29. Suhong Li, Ragu-nathan, B., Ragunathan, T. S., Rao, S.S. The impact of supply chain management practices on competitive advantage and organizational performance, Omega, 2006, 34, pp. 107-124. 30. Bennet, K. The real risks of business, retrieved from http://www.connecticutbusinesslitigation.com/tags/security-breach/.