Introduction
In an era in which the use of, and dependence on, information systems is significantly high, the threat of information security incidents that could jeopardize the information held by organizations is becoming critical. As evidenced by the Federal Bureau of Investigation (FBI), by the end of 2011 there were 726 pending corporate fraud cases in the United States (U.S.) involving accounting schemes designed to deceive investors, auditors, and analysts regarding the true financial condition of a corporation. Through the manipulation and abuse of corporations’ financial information (e.g., share price, valuation measurements, etc.), financial performance is kept artificially inflated on the basis of fictitious performance indicators.
In line with the above, a study by Bedard, Graham, and Jackson (2008) found that about 21 percent of all deficiencies detected in selected audited organizations were related to information security. In particular, Bedard et al.’s (2008) study noted that the organizations examined had no adequate information security controls (ISC) in place, and that the controls that were in place were not operating effectively. To further emphasize the significance of securing organizations’ information, a 2008 survey conducted by Chief Information Officer Research of 173 Information Technology executives revealed that information security is by far the single largest potential barrier to organizations (Mather, Kumaraswamy, & Latif, 2009).
The alarming facts and figures just presented point to existing inadequacies in information security practices, and they also serve as motivation for finding innovative ways to help organizations improve their capabilities for securing valuable information. To this end, it is imperative that ISC in organizations be evaluated and, most importantly, accurately prioritized so that only the best ISC are implemented. Adequate selection and implementation of ISC reduce opportunities for information system failures. At the same time, the effective operation of ISC helps organizations maintain a well-designed and controlled information system environment.
Research efforts have produced various approaches and methodologies for dealing with the ISC assessment problem. A closer look at these approaches and methodologies reveals various opportunities to create new or additional methodologies for ISC evaluation that would improve the overall information security of organizations. For instance, weaknesses and inadequacies have been identified in current/traditional ISC assessment methodologies that can prevent the effective assessment and prioritization of ISC in organizations. To mention one, the selection of ISC in organizations using traditional methods has been determined mainly on the basis of crisp or dichotomous values (yes-or-no answers). That is, organizations base their selection process on whether an ISC is relevant or not, and ISC determined to be relevant are selected and implemented. There are other reasons why current ISC assessment methodologies call for improvement. For example, some methodologies do not adequately account for organizational constraints (e.g., costs, resource availability, scheduling of personnel, etc.). Other methodologies leave the identification of ISC to users, which can result in the inclusion of unnecessary ISC and/or the exclusion of required ones. Furthermore, traditional ISC assessment methodologies may be based solely on the decision maker’s preference and therefore fail to produce precise evaluation values when assessing ISC. These weaknesses not only affect the ISC selection process but also impact the overall protection of the information’s confidentiality, integrity, and availability (Saint-Germain, 2005).
The aim of this research is to develop an assessment methodology using Grey Relational Analysis (GRA) that adequately addresses the weaknesses identified in traditional ISC assessment methodologies, resulting in a more accurate selection of ISC. Consistent with the above, the following research question (RQ) is posed: