6. Chapter 6. Information Security Service Management
6.2 Making an argument for Information Security Service Management
Section 1.5.3 discussed the concepts of argument and argumentation, particularly Toulmin’s layout of an argument. The section highlighted the role of argumentation in reasoning about the theory that results from theory building. In Toulmin’s layout of an argument (see Figure 6.3), an argument links grounds or data to claims, with the support of warrants. This section applies Toulmin’s layout of argument to establish the veracity of the claims made in this thesis.
[Figure 6.2: The virtuous circle of Information Security Service Management. Stages shown in the figure: Information Security Service Management's assumptions regarding end-users as customers (assets); end-user friendly information security policies, controls and support system; increasing end-user involvement and commitment to information security; increasing compliance with information security policies and controls.]
This thesis essentially makes two claims – the first one establishing the problem and the second one establishing a solution; these claims are as follows:
• C1: The present-day approach to information security management (ISM) alienates end-users and fails to achieve the commitment and loyalty of end-users to information security in the organization; it creates a digital divide between end-users and information security managers and, thereby, fails to obtain end-users’ compliance with information security policies and controls in the organization;
• C2: Information Security Service Management (ISSM) will overcome the shortcomings of the present-day approach to ISM and will lead to improved compliance of end-users with information security policies and controls in the organization.
In Toulmin’s layout of an argument, it is important to state the strength of the assertion regarding the claim of the argument. Following this, and before really launching into the process of argumentation, this thesis asserts that it makes ‘strong’ claims, i.e. these claims are highly probable given the grounds and warrants which are presented later.
The process of argumentation for establishing the two claims made above follows a two-step process. Step 1 establishes claim C1 regarding the failure of the present-day approach to ISM.
Step 2 uses the claim C1 as ground or data and establishes claim C2 regarding the effectiveness of ISSM as a service-management approach to information security management.
[Figure 6.3: Toulmin’s layout of argument (based on UNL, 1998). Elements shown in the figure: Grounds (or Data), Claim, Warrant, Backing, Qualifier, Reservations and Rebuttals.]
Step 1: For this step, the layout of the argument A1 is as follows. The claim is C1 stated above, i.e. that the present-day ISM is leading to non-compliance of end-users rather than resolving this issue. The ground or data G1 for this claim is that end-users exhibit non-compliance with information security policies and controls in the organization. The warrants for this argument are as follows:
• W1: End-user behaviour is complex and influenced by the circumstances prevailing in the organization.
• W2: A managerial style based on the principles of scientific management and bureaucracy leads to an unmotivated and uncommitted work-force and a deterioration of the worker-management relationship.
• W3: The present-day approach to ISM is based on the principles of scientific management and is bureaucratic in nature.
The backing to the argument and the warrants is provided by the literature overviews contained in Chapter 2 (W1 regarding end-user behaviour), Chapter 3 (W2 regarding the influence of managerial style) and Chapter 4 (W3 regarding the nature of the present-day approach to ISM). The literature overviews present results from the works of various researchers who may be regarded as experts.
One of the possible reservations regarding the claim C1 can be that the present-day approach to ISM may not be the sole or major cause of the non-compliance of end-users with information security policies and controls in the organization; rather the non-compliance may be caused by other factors. In rebuttal to this reservation, it may be stated that the managerial style prevailing in an organization wields an over-arching influence over conditions prevailing in the organization; and that instead of denying the existence of other causal factors, this ‘macro’ factor incorporates and subsumes other ‘micro’ factors that may have influence over end-user behaviour.
Step 2: For this step, the layout of the argument A2 is as follows. The claim is C2 stated above, i.e. ISSM will lead to improved compliance of end-users with information security policies and controls in the organization. The ground or data G2 for this claim is claim C1 (i.e. G2=C1) which asserts that the present-day approach to ISM is proving unsuccessful in meeting the challenge of end-user non-compliance. The warrants for this argument are as follows:
• W4: An employee-centric managerial style which is based on the principles of Theory Y of McGregor leads to a motivated and committed work-force and improved worker-management relationship.
• W5: Service management is a philosophy focused on customer satisfaction; it can be applied to internal services focusing on employee satisfaction; ITSM applies the service management approach to IT management in the organization and delivers substantial benefits to the organization.
• W6: Information security shares the IHIP characteristics of services and the concept of service management is applicable to information security management; information security managed as an internal service with end-users as customers will lead to end-user centric information security and thus to improved levels of compliance.
The backing to the argument and the warrants is provided by the literature overviews contained in Chapter 3 (W4 regarding managerial style), Chapter 5 (W5 regarding service management) and this chapter (W6 regarding information security as a service). The literature overviews present results from the works of various researchers who may be regarded as experts. This chapter further motivates the applicability of service management to information security management.
One of the possible reservations regarding the claim C2 can be that the service management approach may not deliver improved end-user compliance and might consume extra resources for its implementation. In rebuttal to this reservation, it may be stated that argument A2 makes a strong claim C2. As with any other managerial style, results cannot be guaranteed for ISSM either; however, ISSM is an improvement upon the present-day approach to ISM because it mitigates that approach’s shortcoming of not focusing on the end-users.
This section has framed an argument in favour of ISSM. This argument utilizes Toulmin’s layout of an argument. The argument consists of claims and supporting grounds and warrants. As stated above, the literature overviews in the previous Chapters 2 to 5 discuss material that can be used to reason towards making a case for ISSM. The next three sections present a firmer reasoning for the argument and discuss the drive towards ISSM in greater detail.