Access to collections of information in organisations, whether mandated or not, attracts risk which can be categorised in a number of ways. The applicability and severity of security risk depends on the purpose and the aims of the organisation. For organisations with a strong research and development component, for example the pharmaceutical, technological and scientific innovation industries, there is risk to their intellectual property. For organisations whose main interactions are with clients or customers (retailers, government agencies), the risk to user or customer data is paramount, as is the legal requirement to protect such data (Data Protection Act, 1998). Within all organisations, there are vulnerabilities relating to sensitive data, which pose a risk to their legal or financial position.
The potential impact on an organisation’s ability to function and to maintain its position highlights the importance of information security as an element of corporate governance (von Solms & von Solms, 2004), with the Chief Information Security Officer (CISO) role now part of the executive suite. Many organisations recognise the business case for, and are working towards, fully developed information security policies. In these policies, organisations use technology and processes to enforce information security. Technological aspects include infrastructure layers, firewalls, user authentication and protection. The use of company policies, codes of practice, sanctions, password policies, accreditation to standards (ISO 27001) and employee terms and conditions provides the procedural framework. The people involved include the CISO function and dedicated information security staff (such as those in security operations centres and internally employed ethical hackers), all of whom are employed to maintain information security. An organisation’s other employees should also be included, and trained to recognise that they too are part of the defences.
The human factor introduces vulnerabilities. Technological and procedural protections can be compromised by the people who use them. There is a danger of overreliance on technical solutions and on dedicated information security staff on the part of the organisation’s employees (e.g. Furnell and Clarke, 2012; Sadok and Bednar, 2015). The social and behavioural aspects of information security have been attracting greater attention in recent years (Crossler et al., 2013), and this paper goes on to explore some of the issues.