Background

8 September, 2015 - 16:12

The security of information systems has always held a relevant position on CIOs’ agendas. In recent years, however, information security issues have been brought to the public fore by media attention to incidents such as the collapse of Barings Bank, Enron and WorldCom, and the security lapses at ChoicePoint, Bank of America, T-Mobile, and LexisNexis. The consolidation of IS security as an important topic in today’s business world results from the interaction of several technological and social factors.

First has been the increased dependence of individuals, organizations, and societies on information and communication technologies. As individuals, we rely on these technologies to execute a wide spectrum of tasks, from communicating with other people and improving our job performance to accessing various sources of information, booking flights, or buying a book. For organizations, information and communication technologies are not only a major component of basic operational systems and an enabler of productivity improvements, but also a means of gaining competitive advantage, developing new businesses, and promoting new management practices. At the societal level, one need only consider the role played by these technologies in the working of critical infrastructures, from transportation to energy supply and financial services, as well as in the provision of public services to citizens and companies.

Second, as a result of the exploitation of information and communication technologies’ capabilities in the business arena, the whole business model of many organizations has been transformed. In the past, companies could conduct their activity from within a particular geographical area. However, developments such as global-scale interconnectivity, distributed processing, the explosive growth of the Internet, open architectures, the liberalization of telecommunication markets, and the diffusion of e-commerce have dramatically changed the business landscape. Today, employees are increasingly mobile, and need to access information by diverse means, in different situations, and from distinct places, many of them outside their own organization. As a consequence of this increasing location independence, companies find themselves strategically disadvantaged if they are confined to a particular place.

Advances in information technologies and the changing boundaries of the firm have stressed the importance of information. It is information that helps companies realize their objectives, keeping them in touch with their environment, serving as an instrument of communication, helping managers to take adequate decisions and providing support for the exchange of employee knowledge (Chokron and Reix 1987).

In the past, information was to a large extent confined to a particular location, and it was relatively easy to preserve its confidentiality, i.e. to restrict access to those authorized. Because information was usually processed in a central location, it was also possible, with a reasonable degree of certainty, to preserve its integrity, i.e. to ensure that its content and form were not subject to unauthorized modification, and to maintain the availability of information and related resources, i.e. to prevent their unauthorized withholding.

Maintaining confidentiality, integrity, and availability were the three main goals of managing security. Today, considering the transformed nature of organizations and the expanded scope of information processing, managing information security is no longer restricted to preserving confidentiality, integrity, and availability. The emphasis should move to establishing responsibility, integrity of people, trustworthiness, and ethicality (Dhillon and Backhouse 2000).

Yet the protection of IS assets is not an easy task. There is often no single, well-defined purpose for protecting these assets. Besides the preservation of confidentiality, integrity, and availability, other immediate goals that an organization may pursue in securing its information system include maintaining the privacy of data relating to its employees, customers, and partners; minimizing the effects of its dependence on untrustworthy or unreliable systems and entities; and achieving resilience to technological malfunctions (Neumann 1994b).

The achievement of many of these goals raises significant difficulties for organizations because the goals may conflict. An organization must be closed to intrusions, fraud, and other security breaches, and at the same time it needs to remain open in order to share information with its partners and customers (Erwin 2002). Firms also face the continuous development of new forms of attack, the discovery of new vulnerabilities in technologies and business processes, and the increased need for organizational flexibility.

In order to manage IS security, organizations have to take into account a broad set of factors, ranging from technical ones to the business environment, organizational culture, the expectations and obligations attached to different roles, the meanings of different actions, and related patterns of behavior. IS security can therefore be understood in terms of “minimizing risks arising because of inconsistent and incoherent behavior with respect to the information handling activities of organizations” (Dhillon 1997, p. 1). These inconsistencies and incoherencies in behavior may lead to adverse events. Apart from losses from natural causes, such as fires and floods, the majority of adverse events can be traced back to deliberate or non-deliberate inappropriate behavior of individuals, whether in the form of human error, systems analysis and design faults, violations of safeguards by trusted personnel, system intruders, or malware such as viruses, worms and Trojan horses (OTA 1994).

In order to prevent, detect, and react to such events, organizations may apply a set of measures usually known as security controls. Because information handling in an organization is undertaken at three levels – technical, formal, and informal (Liebenau and Backhouse 1990) – information systems security can be achieved only by coordinating and maintaining the integrity of operations within and between those three levels (Dhillon 2007). This implies that an organization should adopt a holistic posture in managing IS security, implementing a set of security controls that as a whole supports the integrity of the organization’s IS.

At the technical level, an organization may adopt security controls such as anti-virus software, firewalls, intrusion detection systems, access control devices, and cryptographic controls.

To be effective, the deployment of technical controls requires adequate organizational support. Consequently, formal controls need to be put in place. These controls take the form of rule-based formal structures that assist in determining how specific responsibilities are allocated and define the consequences of misinterpreting data and misapplying rules. Security policies, structures of responsibility, and contingency plans are examples of formal controls.

The previous two levels need to conform to the normative schemes prevalent in the organization. At the informal level, measures such as awareness programs, the adoption of good management practices, and the development of a security culture that fosters the protection of information assets are illustrative of security controls.

In recent years organizations have fallen short of developing adequate security controls to deal with information security problems. Various studies have reported significant losses from explicitly reported security breaches (Garg 2003; Gordon et al. 2006) and from computer crimes committed through the violation of safeguards by organizations’ own employees (Dhillon 1999a). Not only are organizations suffering from a ‘policy vacuum’ in dealing with information security problems, but authorities have also shown a certain inability to establish an adequate basis for dealing with such cyber crimes.

Consider the case of Randal Schwartz, a well-known programmer and author of programming books, in which it was difficult to establish whether Schwartz’s illicit use of computers amounted to a computer crime (Dhillon and Phukan 2000). In 1995, Schwartz was brought to trial for illegally bypassing computer security in order to gain access to a password file while working as a consultant for Intel. According to Schwartz, he was only trying to show that Intel employees were selecting weak passwords that could easily be guessed by crackers, who could then compromise information security. Schwartz was convicted on three felony counts, but in 2007 his arrest and conviction records were sealed through an expungement action.

Advances in information technologies have introduced another kind of problem for organizations, which many classify as ‘input crimes’ (Dhillon 1999b). In one case, a former employee of a wholesaler was convicted under the UK Computer Misuse Act after obtaining for himself a 70 percent discount while the wholesaler’s regular staff were otherwise engaged.

Given the increased dependence of companies on information systems, one would assume that most firms have well-established contingency and disaster recovery plans. Unfortunately, research suggests otherwise (Adam and Haslam 2001). Many managers tend to regard contingency and disaster recovery planning as an irrelevant issue and prefer to concentrate on projects that generate direct revenue.

It emerges from the prior discussion that IS security management is a complex task that poses a number of challenges for maintaining the integrity of information handling activities in an organization.

The challenges

In a climate where incidents of computer crime, information security problems, and IS-enabled frauds have been on the increase, any attempt to deal with the problem demands an adequate understanding of the four challenges that organizations must confront, namely:

  • Establishing good management practices in a geographically dispersed environment and yet being able to control organizational operations.
  • Establishing security policies and procedures that adequately reflect the organizational context and new business processes.
  • Establishing correct structures of responsibility, given the complex structuring of organizations and information processing activities.
  • Establishing appropriate contingency plans.

Several authors, such as Dhillon (1997), Dhillon et al. (2004) and Siponen (2001), have noted that there is a major problem in managing information security, especially with respect to regulating the behavior of internal employees. Internal employees frequently subvert existing controls to gain an undue advantage, either because an opportunity exists or because they are disgruntled (Audit Commission 1994; Backhouse and Dhillon 1995). This problem is compounded further when an organization is geographically dispersed, and it becomes difficult to institute the necessary formal controls. This was evidenced in the case of Nick Leeson, who brought about the downfall of Barings Bank in Singapore. Because Barings relied on information technology to provide IS security, Leeson was able to conceal his positions and losses from Barings management, internal and external auditors, regulatory bodies in Singapore, and the Bank of England. Leeson’s case is illustrative of breaches of control, trust, and confidence, and of deviations from conventional accounting methods and expectations.

The management of Barings had confessed in internal memos that its systems and controls were distinctly weak. There was nothing new in this confession: it has long been known that lapses in applying internal and external controls are perhaps the primary reason for breaches in information security (Audit Commission 1990; 1994). The failure of management to curtail Leeson’s sole responsibilities for both trading and settlement, which empowered him to create an environment conducive to crime, the lack of independent monitoring and control of risk, communication breakdowns between managers, and the belief that IS can overcome basic communication problems in organizations were further reasons that created an opportunity for Leeson to deceive so many.

There is also the challenge of establishing appropriate security policies and procedures that adequately reflect the organizational context and new business processes. This challenge is present at two levels. First, at the internal organizational level, businesses are finding it increasingly difficult to develop and implement appropriate security policies. Second, at the broad contextual level, it is becoming less effective to rely on traditional legal policies to regulate behavior.

At the internal organizational level, there is a problem with establishing security policies. This problem stems directly from a general lack of awareness within organizations that such a need exists. Based on a longitudinal study of information security problems in the health services sector and in local government councils, Dhillon (1997) advances two reasons for this state of affairs. One is the lack of commitment from top management to the security policy formulation process. The other is that security policies are conceived in a formal-rational manner: the assessment of security problems is ‘acontextual’, and the organizational responses to the security issues identified are at best superficial.

At the broad contextual level, although a number of regulations have been enacted in recent years, their nature and scope sometimes seem to be at odds with reality. Clearly there are situations in which it is important to institute punitive social controls in order to curtail criminal activities and, in some cases, to recover stolen money or goods. There are, however, other computer crimes for which severe punitive control may not be the best option. In many cases the prime motive is not monetary gain but the intellectual challenge of taking computer systems apart. In such cases it would perhaps be counter-productive to institute severe punitive controls.

Another challenge in managing information system security is the establishment of correct structures of authority and responsibility. The inability to understand the nature and scope of such structures within organizations, or to specify new ones aligned with organizational routines and goals, is a source of information security problems. One example of this kind of problem comes from Daiwa Bank. When this Japanese bank fell short of understanding the patterns of behavior expected of businesses operating out of the USA and allowed Japanese normative structures to dominate, the result was a bond trader, Toshihide Iguchi, accruing losses of $1.1 billion. The same failure allowed Iguchi to engage in at least 30,000 illicit trades. The drama ended with Iguchi being prosecuted and Daiwa’s charter to conduct business in the USA being suspended.

Situations such as the one illustrated by Daiwa pose the challenging issue of managing access to information processing facilities. It is insufficient merely to state ‘read only’ or ‘write only’ access according to an organization’s hierarchical structure, especially in light of the transformation in organizational forms. Modern enterprises are in a constant state of ‘schizoid incoherence’, with only very short periods of stability in organizational form (Dhillon and Orton 2000). This is especially true for businesses structured in a ‘networked’ or ‘virtual’ manner. As a consequence of the evolving nature of organizational forms, the applicability of formal methods for instituting access control is open to debate.
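The structures-of-responsibility problem in the Barings discussion above (one person empowered both to trade and to settle his own trades) and the access-control point in the previous paragraph can be made concrete with a small policy engine. The following is an added example, not code from the original text or from any of the cited authors: a role-based access control (RBAC) policy that enforces a static separation-of-duty constraint when roles are granted, and an audit routine that finds users whose existing assignments already breach it. The roles, permissions, user names and the “trader must not also be settlement clerk” rule are hypothetical and constructed for illustration.

```python
"""Added example, not from the original text: a minimal role-based access
control (RBAC) policy with a static separation-of-duty (SoD) constraint.

Roles, permissions and user names are hypothetical and constructed for
illustration. The exclusive role pair models the combination described in the
Barings case: one person both executing trades and settling/reconciling them.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass
class Policy:
    # role -> permissions it grants (strings such as "trade:execute")
    role_perms: Dict[str, Set[str]] = field(default_factory=dict)
    # user -> roles currently held
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # static SoD: role sets that no single user may hold together
    exclusive_role_sets: List[FrozenSet[str]] = field(default_factory=list)

    def permissions_of(self, user: str) -> Set[str]:
        """Union of the permissions of every role the user holds."""
        perms: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_perms.get(role, set())
        return perms

    def is_authorized(self, user: str, perm: str) -> bool:
        return perm in self.permissions_of(user)

    def sod_violations(self, user: str) -> List[FrozenSet[str]]:
        """Exclusive role sets fully contained in the user's current roles."""
        held = self.user_roles.get(user, set())
        return [s for s in self.exclusive_role_sets if s <= held]

    def assign_role(self, user: str, role: str) -> None:
        """Grant a role, refusing any grant that would breach an SoD constraint.

        The check is made on the *resulting* role set, so the order in which
        conflicting roles are requested does not matter."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        proposed = self.user_roles.get(user, set()) | {role}
        conflicts = [s for s in self.exclusive_role_sets if s <= proposed]
        if conflicts:
            names = ", ".join(sorted("+".join(sorted(s)) for s in conflicts))
            raise PermissionError(
                f"assigning {role!r} to {user!r} would breach SoD: {names}")
        self.user_roles[user] = proposed


def audit_assignments(policy: Policy) -> Dict[str, List[FrozenSet[str]]]:
    """Ex-post check for users whose existing roles already breach SoD.

    Needed when assignments were made outside assign_role (legacy data, a
    direct database edit, a merged subsidiary's user base)."""
    findings: Dict[str, List[FrozenSet[str]]] = {}
    for user in policy.user_roles:
        violations = policy.sod_violations(user)
        if violations:
            findings[user] = violations
    return findings


def build_trading_desk_policy() -> Policy:
    """Constructed sample policy: a front-office role, a back-office role,
    and a rule that nobody may hold both."""
    p = Policy()
    p.role_perms["trader"] = {"trade:execute", "position:view"}
    p.role_perms["settlement_clerk"] = {"settlement:approve", "position:view",
                                        "position:reconcile"}
    p.role_perms["risk_officer"] = {"position:view", "limit:set"}
    p.exclusive_role_sets.append(frozenset({"trader", "settlement_clerk"}))
    # Clean assignments go through the guarded path...
    p.assign_role("trader_a", "trader")
    p.assign_role("clerk_b", "settlement_clerk")
    p.assign_role("risk_c", "risk_officer")
    # ...but this one was written directly, bypassing the control
    # (a hypothetical desk head who also runs his own back office).
    p.user_roles["desk_head_sg"] = {"trader", "settlement_clerk"}
    return p


if __name__ == "__main__":
    policy = build_trading_desk_policy()
    print("violations found by audit:", audit_assignments(policy))
    try:
        policy.assign_role("trader_a", "settlement_clerk")
    except PermissionError as err:
        print("refused:", err)
```

Two design choices matter here. The constraint is evaluated on the role set that would result from a grant, not on the role being granted, so the control cannot be circumvented by requesting the roles in a different order. And the audit is separate from the grant path, because in practice the dangerous assignments are the ones that never went through the control at all; an access-control scheme that only checks at grant time, with no periodic reconciliation of who actually holds what, is exactly the gap the Barings and Daiwa cases illustrate.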

The last challenge concerns contingency plans, namely information technology disaster recovery plans and policies. These plans have a central place in today’s technology-dependent business world. However, their success is a function not only of an organization’s ability to recover its technical infrastructure, but also of its capacity to replicate and apply business process knowledge and to re-establish communication circuits between key organizational members. In other words, organizations need sound competencies in business continuity management.

Often, disasters occur because of staff complacency. An illustrative case is the disabling of Northwest Airlines’ backup system. The investigation of this incident showed that a sub-contractor laying new lines in Eagan, Minnesota, bored through a cluster of cables, cutting 244 fiber optic and copper telecommunications lines. Airline passengers nationwide were stranded, since those lines linked Northwest’s Minneapolis-St. Paul hub to the rest of the nation. Incidents like this are usually prevented by the use of redundant lines, but the airline’s redundant communication lines apparently ran alongside those used for backing up its system, so a single cut severed both (Lehman 2000).

In a 1996 survey on business continuity practices conducted by IBM, 293 of the 300 surveyed companies had suffered security incidents in the previous year (IBM 1996). The loss of system capability due to these incidents was estimated at 500,000 man-hours. The study found that 89 percent of the responding organizations considered their computer systems critical; nearly 25 percent of the companies stored 60 percent of their data on PCs, and 76 percent were unaware of the cost of backup. A study of Irish experiences in disaster recovery planning presents a similar picture (Adam and Haslam 2001). Even after highly publicized terrorist attacks, recurrent distributed denial-of-service attacks, and forecasts about climate change, a quarter of U.K. companies do not store backup data off-site, two-fifths have no recovery plan in place, and of those that do, less than half had tested the plan within the last year (ISBS 2006). Overcoming this challenge becomes even more complex when one observes that today’s professionals, knowledge workers, can leave an organization at any time, taking with them their own, and the firm’s, means of production (Drucker 2001).