Principles for Managing the Informal Aspects

8 September 2015 - 17:16

In the final analysis, the security of an information system depends on the people that form that system. People design, implement, apply, and execute security measures (Schultz et al. 2001). In the same vein, people access, use, manage, and maintain the IS resources of an organization (Henry 2004). As a consequence, the security culture shared by organizational members plays a critical role in ensuring IS security. Central to developing and fostering a security culture is the need to understand context. Research has shown the importance of the broader social and organizational issues that influence the management of information security.

An analysis of prescription fraud in the British National Health Service (Pouloudi 2001) suggests that by carefully interpreting the issues and concerns of the various stakeholders, it is possible to understand the interaction between the technical and social aspects of an IS implementation, thus facilitating fraud prevention. Similarly, an evaluation of the unethical computer use practices of Joseph Jett at Kidder Peabody & Co (Dhillon and Backhouse 1996) shows that it is important to create a culture of trust, responsibility, and accountability. It is evident that organizations need to develop a focus on the pragmatic aspects of managing IS security.

Principle 1: Education, training and awareness, although important, are not sufficient for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment.

Education, training and awareness have long been suggested as important measures for improving the IS security level of an organization. However, unless and until an effort to inculcate a security culture exists, the desired organizational integrity will not be achieved. Clearly, issues such as a lack of human-centered security controls (Hitchings 1994), a mismatch between the needs and goals of the organization, poor quality of management and inadequate management communication (Dhillon 1997) can be considered precursors of an unethical environment, endangering the health of an organization and making its information systems vulnerable to abuse or misuse.

Although managers are aware of the potential problems related to a disaster, they tend to be rather complacent in taking any proactive steps (Adam and Haslam 2001). Such an attitude can be explained by the relative degree of importance placed on revenue generation. Hence, while automating business processes and pursuing optimal solutions, backup and recovery issues are often overlooked. Failing to recognize that organizational processes such as communication, decision making, change, and power are culturally ingrained is an attitude that can lead to problems in IS security.

To minimize the potential adverse events arising from an inability to appreciate human and social factors, normative or informal controls should be established (Dhillon 1999a). These security measures should instill and sustain a security culture and contribute to the protection of information assets.

Besides personal factors, work situations and the opportunities available to employees facilitate engagement in computer crime (Backhouse and Dhillon 1995). Monitoring employee behavior is an essential step in maintaining the integrity of an IS. Although such monitoring may be formal and rule based, informal monitoring, comprising the interpretation of behavioral changes and the identification of personal and group conflicts, can play an important role in establishing appropriate checks and balances. In the end, what an organization should seek is the establishment of an ethical environment among its collaborators.

Principle 2: Responsibility, integrity, trust, and ethicality are the cornerstones for maintaining a secure environment.

At the beginning of this chapter, it was argued that the traditional three tenets for managing information security – confidentiality, integrity and availability – are too restrictive to develop secure environments in current organizations. Although this set of fundamentals was sufficient when organizations were structured hierarchically, its application falls short in networked organizations. This becomes clear when we consider the following. Confidentiality mostly concerns restricting data access to those who are authorized. However, developments in information and communications technologies are pulling in the opposite direction, aiming at making data accessible to the many, not the few. This trend is accentuated by the new configurations organizations are adopting, characterized by less authoritarian structures, more informality, fewer rules, and increased empowerment. Conventionally, integrity concerns the maintenance of the values of the data stored and communicated. Equally important, however, is the way those values are interpreted. A secure organization not only needs to ensure that data do not suffer unauthorized modification, but also to guarantee that data are interpreted according to the prevailing norms of the organization, something that has been termed “the maintenance of interpretation integrity” (Dhillon and Backhouse 2000, p. 127). Although availability may be less controversial than the previous two tenets, the reality is that system failure is an organizational security issue.

In the face of this new organizational paradigm, characterized by loosely coupled organic networks, cooperation instead of autonomy and control, intense sharing of information and a high level of interpersonal and inter-organizational connectivity, a new set of fundamentals is required. In response to this need, Dhillon and Backhouse (2000) suggest the RITE (responsibility, integrity, trust, and ethicality) principles. These principles were inspired by an earlier period when extensive reliance on technology for close supervision and control of dispersed activities was virtually non-existent. The RITE principles are: