1. Introduction
With the continuous evolution of information systems, organizations depend on them more than ever before, and the risks to information security have gradually increased. Keen (2001), and Dhillon and Backhouse (2000), suggested that information security events may seriously damage the trust relationships between organizations and users in organizations that are highly dependent on information systems. Loch, Carr, and Warkentin (1992) also pointed out that information security events result not only in monetary losses but also have a severe impact on the competitiveness of an organization. There are a large number of issues regarding the reliability, security and standardization of information, especially once information systems are networked; networked systems face higher risks of threats and such incidents may even result in international conflict (Seyal, 2011). For example, the SWIFT banking system was hacked and many national central banks suffered great losses in February 2016. In April 2016, German nuclear power plants were forced to shut down because of a malicious program. WannaCryptor, a ransomware, spread all over the world in May 2017. Such information security incidents usually have a negative impact on the competitive power of the organizations affected. As a result, information security is important for every industry without exception, and each unit of a company should re-examine the security of its own information system.
Information is a business asset with significant value for corporations, one that must be properly protected from attack so as to minimize possible losses and maintain the corporation's ongoing operations (Hall & Chapman, 2002; Schweizerische, 2013; Siponen & Willison, 2009). With the ever-changing development of technology, threats and the protection of information security are also a challenge for corporations today (Webb, Ahmad, Maynard, & Shanks, 2014). In general, the basic goals of information security are to defend the Confidentiality, Integrity and Availability of the data stored in an information system, the so-called "C.I.A." of information security (Schweizerische, 2013). Although digitalization means that data can be easily transmitted and accessed, it also makes data vulnerable to systemic risks. Systemic risks mean that computer assets such as software, hardware, data, and services are modified, destroyed, stolen or made unavailable (Straub & Welke, 1998). Risks and threats also bring about actual and potential financial, legal and reputational losses for companies (Culnan, Foxman, & Ray, 2008). Therefore, the security of information systems involves protecting the data inside the information system so as to increase confidentiality. In addition to preventing intrusions, security measures ensure the integrity of an information system and assure its availability under the premise of safety and efficacy.
Since compliance with information security management standards is now widespread, introducing these standards and certifying compliance with them has become a common and convenient way for industries to ensure information security. The information security management standards currently in frequent use in industry include ISO 27001 (International Organization for Standardization 27001), COBIT (Control Objectives for Information and related Technology), TCSEC (Trusted Computer Systems Evaluation Criteria) and SAS 70 (The Statement on Auditing Standards No. 70). Take ISO 27001 for example. Its control measures, including access control and information system acquisition, development, and maintenance, can enhance the safety of information system development. However, if the corresponding information security programs are neglected when information systems are updated, there may be serious consequences when threats materialize, and the subsequent costs of recovery and the impact of a damaged image on the organization are difficult to estimate. As a result, information security issues ought to be taken into comprehensive consideration when information systems are updated, so that the systems remain sufficiently safe. To reach the goals of information security, scholars have also proposed practical approaches in their research in recent years. The three key categories are as follows: