This chapter presents an Information Systems Security Management Framework (ISSMF) which encapsulates eleven Critical Success Factors (CSFs) along with a set of 62 indicators to properly manage and track the evolution of security management models. These CSFs have been identified as the most cited key factors published in the current information security literature. The set of indicators has been strictly designed for organizations seeking simple and fast alternatives to estimate current information systems security status. Furthermore, the authors have found that current organizations, particularly small and medium size enterprises, use reactive and irresponsible security strategies due to the scarcity of human and economic resources. Therefore, this chapter approaches security from a managerial perspective allowing systems administrators, especially those with a more technical profile, to build their personal balanced security scorecard choosing the CSFs and indicators that fit best in every case.
For how long can an organization survive without efficiently working information systems (IS)? Although the answer varies from one organization to another, undoubtedly information has become the main resource for current organizations. They no longer compete based on tangible resources, but rather base their competition on intangibles such as innovation and knowledge where information is an indispensable ingredient (Sveiby, 1997). We have reached a point where a few hours or even seconds of IS unavailability could represent large economic and reputation losses. We are also facing a situation where insecure IS acquisitions, connections or networks can become as deadly as a backpack full of explosives (Sherman, 2005).
The urgency to correctly manage and secure IS has been triggered by two main factors. Firstly, the rapid acquisition of IS across all business sectors, reflected by the average IT operational budgets growth from 2.5 percent in 2005 up to 4.1 percent in 2006 (IT Spending, 2006), has increased IS dependency and complexity. On the one hand, IS dependency compromises business continuity since large amount of critical data gets digitally stored and it can be found, modified or stolen if it is not properly secured. On the other hand, connectivity among departments as well as with external agents such as customers, suppliers, information sources, administration, and so on, creates new security holes making systems vulnerable and hard to manage.
In addition, lack of awareness and human resources cause security design and implementation tasks to fall behind schedule because security is perceived as a non-functional requirement1. As a result, the gap between IS acquisition and IS Security implementation leaves the system exposed to potential risks.
The widespread use of automated attack tools has caused the incident rate to increase exponentially (see Figure 1). The increment has been so drastic that security incident response centers such as CERT-CC2 has stopped counting them since 2003. Such indicator not longer provides relevant information to assess the scope and impact of attacks.
Reported incidents by CERT-CC
Therefore, if we combine the factors mentioned above with new hacking trends, no longer based on fame but based on money making endeavors, it can be concluded that organizations are presently significantly exposed to higher risks. Information security is no longer a choice but a necessity if organizations want to keep enjoying acceptable IS performance that enables them to accomplish their business objectives.
Now, knowing the road towards information security and finding it are two different stories. Information security has traditionally been approached by managers and researchers as a merely technical issue. For instance, in a recent information security conference, the 9th ISC 2006 (ISC, 2006), approximately 77 percent of the papers accepted to the conference touched technical issues, while 18 percent touched policies or procedures issues and only 5 percent addressed human-related security issues. In fact, it has been found that security management’s prominence is surprisingly decreasing into the research community (Botha & Gaadingwe, 2006) showing strong evidence that technical research and improvements still prevail over organizational ones.
Initiatives such as the ISO 270023, CE Directives4, Basel II5, the Sarbanes-Oxley Act6 and the new Companies Act7 are trying to align technical and organizational discrepancies by offering sets of business-oriented solutions. Curiously, organizations have not reacted to this challenge in the same way. Some organizations still rely on technical equipment and technological solutions while others, with higher degree of awareness, have made some progress. Despite the progress made on awareness, there is still confusion and uncertainty, especially in small and medium size enterprises (SMEs), about the needed security level.