A number of academic studies that focus on various aspects of information security management (ISM) have emerged in recent years. This body of work ranges from the technical, economic, and behavioral aspects of ISM to the effect of industry standards, regulations, and best practices. The purpose of this chapter is to review the current state of ISM research, while providing an integrative framework for future studies. Using the proposed framework as a guide, we identify areas of depth within current ISM literature and areas where research is underdeveloped. Finally, we call for a more comprehensive approach to ISM research that considers multiple dimensions of our framework and their interrelationships.
Dimensions Of Information Security Management
Information security is described in terms of confidentiality, integrity, availability, privacy, identification, authentication, authorization, and accountability of information (Whitman & Mattord, 2005). This description points to the multifaceted nature of ISM and the fact that it involves far more than technical solutions. We propose that ISM can be conceptualized in terms of the five dimensions depicted in Figure 1. Three of the ISM dimensions are organizational in nature: financial/economic impact, strategy and best practices, and behavioral issues. The other two dimensions are external to the organization in the sense that managers have less control over them: standards and regulations, and available information security technology. As depicted by the arrows in Figure 1, the three organizational dimensions are interrelated. In addition, both external dimensions have some effect on the organizational dimensions. For example, standards and regulations may shape organizational strategy and best practices, the financial impact of ISM, or the expected behavior of users. Similarly, the external dimensions are interrelated. For the sake of brevity and clarity, we do not illustrate all possible relationships between the five dimensions. However, we do acknowledge that alternative interrelationships may exist.
Figure 1. Framework for the study of information security management
In the following sections, we describe the current state of ISM research and identify gaps in our knowledge. Our objective is not to provide an exhaustive review of the literature, but rather to outline existing research streams within each of the proposed dimensions. We also identify future research opportunities based on the interrelationships between the dimensions.
Key Terms in this Chapter
Sarbanes-Oxley Act: A U.S. law of 2002 designed to enforce accountability for financial record keeping and reporting at publicly traded corporations. Publicly traded organizations are responsible for the security, accuracy, and reliability of the systems that manage and report their financial data.
Systems Security Engineering Capability Maturity Model (SSE-CMM): Describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering. The model focuses on the requirements for implementing security in a system (specifically an IT system), the processes used to achieve IT security, and their level of maturity. The model was also published as ISO/IEC 21827. More information available at: http://www.sse-cmm.org/docs/ssecmmv3final.pdf.
Multiplexed Information and Computing Service (MULTICS): A time-sharing operating system developed by MIT, General Electric, and Bell Labs beginning in the mid-1960s. MULTICS is widely regarded as the first operating system designed with security as a primary goal from the outset, rather than added to an existing system.
Federal Agency Security Practices (FASP): An initiative by the U.S. National Institute of Standards and Technology (NIST) Computer Security Division to identify, evaluate, and disseminate best practices for information security. This best practice information is available on the FASP website at http://fasp.nist.gov.
Denial-of-Service (DoS) Attack: An attack that attempts to make a computer resource (e.g., Web servers, DNS servers, routers, and so on) unavailable to its intended users. The attacker sends traffic or requests that consume a disproportionate share of the target’s bandwidth, memory, or processing capacity (for example, a flood of ICMP echo requests, i.e., ping packets), resulting in degradation or complete loss of service. When the traffic is generated from many compromised hosts at once, the attack is called a distributed denial-of-service (DDoS) attack.
National Institute of Standards and Technology (NIST) 800 Series: A set of Special Publications (SP 800-xx) that describe information security guidelines, recommendations, and technical specifications for U.S. federal government information systems. The series is developed by the NIST Computer Security Division and is available free of charge at: http://csrc.nist.gov/publications/nistpubs/index.html.
Health Insurance Portability and Accountability Act (HIPAA): A U.S. federal law whose implementing regulations (the Privacy Rule and the Security Rule) establish national standards for the confidentiality, integrity, and availability of individually identifiable health care data.
Information Security Management (ISM): Administrative and managerial activities designed to implement an organizational information security program. These activities include setting the information security mission, vision, and policies, implementing technical and procedural controls, business continuity and disaster recovery planning, analyzing the economic effectiveness of implemented controls, and compliance with relevant regulations.
Information Security Ecosystem: The IT ecosystem is defined by Forrester Research and others as “the network of organizations that drives the creation and delivery of information technology products and services” and includes customers, suppliers, and influencers (key stakeholders). Similarly, one can define the information security ecosystem as the network of entities that drives information security products and services, and includes information security hardware and software vendors, consultants, digital forensics experts, standardization agencies, accreditation and education facilities, academic conferences and journals, books, magazines, hackers, and their paraphernalia.
Generally Accepted System Security Principles (GASSP): A set of high-level principles intended to guide the practice of information security, developed by the International Information Security Foundation (http://www.infosectoday.com/Articles/gassp.pdf).