
Chapter 2 Literature Review

2.4 AIS Security

2.4.1 What is meant by AIS security?

Reviewing the literature concerning the security issue indicates that there is no clear agreement on the meaning of security. There is some confusion among academics and practitioners regarding the terms “Security”, “Information Security”, “IT Security”, and “IS Security”. Most of the previous studies used them, to a great extent, as synonymous terms.

Security

The term “Security” means different things to different people. To some of them, it is concerned with preserving data integrity, whereas to others it is concerned with securing privacy for proprietary and restricted information (Granat 1998). Security is defined as “traditional methods (security officers, fences, alarms) used to increase the likelihood of a crime-controlled, tranquil, and uninterrupted environment for an individual or organisation in pursuit of objectives” (Purpura 2002, p.7). In more detail, security is “any method (e.g. security officers, safety, auditing, insurance) used by an individual or organisation to increase the likelihood of preventing and controlling loss (e.g. of people, money, productivity, materials) resulting from a host of adverse occurrences (e.g. crime, fire, accident, error, poor supervision or management, bad investment)” (Post et al. 1994, p.10).

On the other hand, many security definitions focus only on information. According to the IFAC International Information Technology Guidelines (IFAC 1998, p.4),

“Security relates to the protection of valuable assets against loss, disclosure, or damage. In this context, valuable assets are the data or information recorded, processed, stored, shared, transmitted, or retrieved from an electronic medium. The data or information must be protected against harm from threats that will lead to its loss, inaccessibility, alteration or wrongful disclosure”. In addition, the KPMG Information Risk Management Group (KPMG 1998) stated that “Security” is the practices and procedures that ensure that information, generally held in electronic format, is safeguarded from unauthorised access, modification or accidental change and is readily available to authorised users on request.

Moreover, according to the International Organisation of Standardisation (ISO/IEC 15408-1 1999), the concept of “Security” refers to the capability of a software product to protect data and information in order to avoid unauthorised individuals or systems being able to read and modify them (Villarroel et al. 2005). The Information Security Glossary also defined the term “Security” as “the protection of information availability, integrity and confidentiality” (Abu-Musa 2002b, p.150). Furthermore, Hong et al. (2003) indicated that security is to combine systems, operations and internal controls to ensure the integrity and confidentiality of a company’s data and operational procedures.

From the above, it is clear that there are different meanings for security; however, most of the definitions focus only on one dimension, that is data and information security, which indicates the importance of companies’ data and information in today’s business environment.

Information Security

Similarly, there are many definitions for information security. The Technology, Media & Telecommunications Security Survey (DTT 2006b) stated that information security is commonly considered to revolve around three fundamental principles: confidentiality, integrity, and availability of information, and many information security definitions support this fact.

Information security is defined as “all the aspects related to achieving and maintaining confidentiality, integrity, availability, auditability (accountability), authenticity and reliability” (ISO/IEC TR 13335-1, 1996, p.1). The Information Security Governance Guidance (ISACF 2001, p.9) stated that information security is “protecting the interests of those relying on information and the systems and communications that deliver the information from harm resulting from failures of availability, confidentiality and integrity”. In addition, both the DTI Information Security Policy Team (DTI 2004a, p.6) and the National Institute of Standards and Technology (NIST 2005) indicated that information security involves the preservation of confidentiality, integrity and availability of information. Moreover, Ekenberg et al. (1995, p.709) stated that information security includes IT security, i.e. the protection of IT systems (computers, communication systems, etc.) and their data. They also stated,

“Information security is the protection of proprietary knowledge and data against any accidental or deliberate compromise to their integrity, confidentiality or availability”.

However, other definitions for information security address other dimensions or principles. Peltier (2001, p.266) stated that “information security encompasses the use of physical and logical data access controls to ensure the proper use of data and to prohibit unauthorised or accidental modification, destruction, disclosure, loss or access to automated or manual records and files as well as loss, damage or misuse of information assets”. Anderson (2003, p.310) proposes a definition for information security addressing important dimensions of security such as assurance, risks and controls and refers to it as “enterprise information security”, which means “a well-informed sense of assurance that information risks and controls are in balance”. In addition, the International Organisation of Standardisation (ISO/IEC 17799 2005) addresses other important dimensions, and indicated that information security is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities.

It can be concluded that there is no wide agreement on the meaning of information security, given that it is sometimes referred to as IT security or computer security.

AIS Security

Reviewing the literature reveals that the majority of academics and practitioners have used the term “IS security” as equivalent to “computerised IS security” or “computer security”. Jenkins and Pinkney (1978, p.393) stated “security is usually defined as meaning that the computer facilities are available at all required times, that data is processed completely and accurately and that access to the data in computer systems is restricted to authorised people”.

According to the National Information Systems Security Glossary (NSTISSI 4009 2000, p.30), IS security is “the protection of information systems against unauthorised access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorised users, including those measures necessary to detect, document, and counter such threats”.

Moreover, Tryfonas et al. (2001) indicated that IS security is a set of principles, regulations, methodologies, techniques and tools established for protecting an IS, or any of its parts, from potential threat. In addition, from the definition mentioned by Theoharidou et al. (2005, p.473), it seems that IS security is a broader term which includes IT and non-IT elements as well. They stated that IS security refers to “the protection of all elements constituting IS (i.e. hardware, software, information, people and processes)”.

From the above, the researcher concludes that IS security is a broad term that includes all activities, IT and non-IT, that aim to protect companies’ IS and to minimise exposure to risks.

A review of the literature also reveals that there is no agreed definition of the term “AIS security”. However, since AIS is a major element of companies’ whole IS, AIS security should be regarded as an integral part of the overall IS security of those companies. Consequently, the researcher suggests that the term “AIS Security” should refer to the protection of all components that collect, store and process accounting data for end-users.