
Chapter 2: Literature Review 9

2.7 Components of IS/IT security

In this section, the relevant components of IS/IT security are described. The components are divided into four aspects based on the work of Yngstrom (2006) and Solms (2001). IS/IT security is a multi-dimensional discipline that requires balanced attention to these four aspects, identified as technical, organisational, human and legal; it does not concentrate on any single aspect. These four aspects will now be examined in turn.

2.7.1 Technical aspect

Before the advent of the IS/IT security management era, the IS/IT security literature was focused predominantly on the technical context (Siponen, 2007; Yngstrom, 2006). IS/IT security issues such as operating systems, access to computer resources, the design and development of IS/IT, and internet security were considered to be the major technical challenges in organisations.

Siponen (2007) conducted a survey analysing the IS/IT security literature up to early 2001; the secondary data were taken primarily from various conferences and journals across disciplines. An analytical framework was established in Siponen’s work, and four main issues were identified in the study, namely 1) access to IS, 2) secure communication, 3) secure management and 4) development of secure IS. Siponen (2007) showed that IS/IT security research was mainly concentrated on two of these issues: access to IS and secure communication. The technical issues surrounding access to IS were “authentication methods (e.g., password and token-based authentication), access control and information-flow control models, memory protection of operating systems, anti-virus techniques, watermarking, image security, audit/intrusion detection, firewalls” (Siponen, 2007, p 71). The secure communication issue, meanwhile, was focused on technical issues like “Cryptographic techniques, including message encryption, digital signatures, steganography, watermarking, hash, virtual private networks, electronic cash, Intranet security, anonymity techniques” (Siponen, 2007, p 71).

Siponen’s work (2007) found that technical issues had dominated security problems. This occurred for many reasons; it is believed that the mutual interaction between the formal and technical, the formal and informal, and the technical and informal components was largely missing or neglected. For example, the implementation of a technical component, such as intrusion techniques, was rather a stand-alone approach. The implementation of a technical component such as an intrusion technique might not have had adequate interaction with the formal and informal components; e.g., the implementation of the intrusion technique might not align with IS/IT security risk management (formal component) and might receive insufficient support from employees (informal component).

However, in more recent years, non-technical aspects have received greater attention as discussion has come to focus on information and the governance process (Mishra et al. 2007).

2.7.2 Organisational aspect

The organisational aspect is part of the formal component (formal procedures) that needs to be implemented in organisations. The successful implementation of the formal component is, though, still dependent on its mutual relationship with the technical and informal components. In IS/IT security, the organisational aspect covers components such as organisational structure, job responsibilities, mutual communication between related roles and the involvement of senior management (Solms, 2001). To operationalise those components, organisations may apply strategies and approaches at each level, such as an IS/IT security policy (Lineman, 2002-2005) and policies regarding strategic vision, IT and business alignment, competition and legal prescriptions (Solms, 2006). Security researchers have for several years addressed the need for the organisational aspect in order to minimise IS/IT security incidents and threats.

It has been discussed earlier that security risk is a business risk which needs to be taken into consideration within the formal risk management procedures of the corporation.

However, IS/IT security is not only an organisational problem but also a social problem (Dhillon et al., 2000). To resolve IS/IT security problems, Dhillon et al. incorporated some additional human aspects, namely responsibility, human integrity, trust and ethicality, into IS/IT security principles. Therefore, the human aspect also needs to be considered.

2.7.3 Human aspect

The human aspect of the informal component is often neglected by organisations. This may happen because organisations have inadequate internal controls and risk management plans over informal aspects. Internal controls can be used by organisations to measure the efficiency and effectiveness of informal component operations, such as the interaction between the formal component (e.g., policy implementation) and the informal component (e.g., the level of policy acceptance among employees), and between the technical component (e.g., security procedures such as firewall implementation) and the informal component (e.g., poor cultural practices).

In the literature, the informal component has been shown to be relevant to IS/IT security. The informal component relates to people (Torres, 2006) and may deal with people’s integrity (Wood, 2002), culture and commitment (Gaunt, 2000; Hone, 2002a; Wood, 2002), education level (Solms, 2004; Whitman, 2003; Wood, 2002) and user behaviours (Stanton, 2004). Clearly, the informal component is a critical success factor in addressing security problems, where a greater understanding of, and mutual interaction between, the informal and technical/formal components exists.

A failure to address human aspects may expose organisations to business risks if not properly managed. The case of Enron and its auditors (Andersen) in the US illustrates this. Both companies shocked the stockholding public in the USA by their corporate fraudulent behaviour (Wood, 2002). In Wood’s paper, senior management were allegedly involved in destroying/shredding documents required by the federal investigator, the Securities and Exchange Commission. According to Wood, such fraudulent behaviour may bring losses to businesses, including losses of business reputation and business continuity. Wood (2002) claimed that the incident of Enron and its auditors should have been brought to the attention of CEOs in organisations for the future development and implementation of IS/IT security policies. The reason for this concern is that boards of directors and senior management have a responsibility to ensure that employees are trained, educated and acquainted with the IS/IT security policy. In some companies, the security solution is mainly focused on adopting IS/IT rather than understanding security concerns. It is important to highlight that Wood’s paper was rather a technical opinion: it was based on the perspective of a consultant’s experiences in IS/IT security and policy development.

Dhillon (2000) underlines that security concerns are not only about the confidentiality, integrity and availability of data but also about human responsibility, integrity, trust and ethicality. Human aspects such as ethics (integrity), ignorance and stupidity are seen as a serious threat to organisational IS/IT and might expose information assets to risks and vulnerabilities.

This section has illustrated how useful a multi-dimensional discipline is in dealing with security risks caused by human behaviour, human ethics (integrity), human ignorance and human stupidity, and organisational IS/IT. Facing pressures of organisational cost containment and external competition, many companies are rushing headlong into adopting IT without carefully planning and understanding the security concern (Dhillon, 2000, p 127). Some solutions are to be found through empowering human capital, which can be broken into two approaches: providing education, training and awareness, and developing a security culture.

2.7.4 Legal Aspect

The legal aspect is an external factor to organisations. A legal factor is an input that needs to be considered by the Board and senior management in the development of IS/IT security policy, standards and procedures. For example, governments have increasingly enacted laws relating to IS/IT security practices to be put into effect by small to large organisations (Posthumus et al., 2004). To date, several laws have been enacted and used by organisations to minimise and deal with IS/IT security threats, such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and the Malaysian Code of Corporate Governance.

The increased number of IS/IT security incidents has encouraged organisations to take legal action against internal employees and external users who misuse or falsify business information using IS/IT applications. An earlier section, 2.5.3, reviewed the four sequential lines of action that can be implemented to reduce computer abuse: deterrence, prevention, detection and remedy. Legal action, which falls under remedy, needs to be taken if the first three lines are ignored by internal and external users. This shows that the legal aspect is still needed for governing IS/IT security practices in organisations today. For example, the ease of access to business information and services has encouraged boards and senior management to implement regulations relating to IS/IT security to minimise security incidents (Posthumus et al., 2004).

The involvement of the board and senior management is needed because they are able to create a security culture in which compliance with regulation or law works through a top-down approach (Solms, 2001).