The Risks Associated With ITIL Information Security Management in Micro Companies

Sérgio Sargo Lopes, Mário Dias Lousã, Fernando Almeida
DOI: 10.4018/978-1-6684-6581-3.ch001

Abstract

Information security has become a necessity for all organizations. ITIL, originally designed for large organizations, has gradually been adopted by smaller companies as well and has incorporated practices related to information security management (ISM). This study aims to understand the main risks associated with ISM in the context of micro companies. For this purpose, a qualitative model was built from four case studies of micro companies in the information technology industry. The results show that these companies are concerned about information security, given the growth of external threats. However, they lack the commitment, resources, and knowledge needed to implement an ISM policy. It is therefore evident that the challenge of ISM is demanding and must be addressed, bearing in mind that the security of an organization should be analyzed holistically, with all perspectives considered so as to reflect the multidisciplinary nature of security.

Introduction

Information is nowadays a key element in the competitiveness of organizations. As several studies (Chung et al., 2016; Grander et al., 2021; Phillips-Wren et al., 2021) demonstrate, information allows organizations to recognize the characteristics of a given context and supports the decision-making process. Information can be materialized in many different formats; not all media are digital, although the increasing role of digitization processes is recognized (Ellström et al., 2021; Kraus et al., 2022). Managing all this information effectively has become essential for the sustainability of a business (Etzion & Aragon-Correa, 2016; Serban, 2017). Consequently, since information is a potentially valuable asset, its protection should no longer be seen as a minor activity within organizations. The protection of these valuable information-related assets is referred to as information security.

Information security is the protection of information and of the systems and devices that use, store, and transmit it (Kim & Solomon, 2021). The goal of information security is therefore to protect information assets adequately so as to ensure business continuity or operation, minimizing potential losses and maximizing the return on investment. To achieve this purpose, the literature identifies three critical aspects of information that must be protected: confidentiality, integrity, and availability (Qadir & Quadri, 2016; Yee & Zolkipli, 2021). Confidentiality ensures that only authorized people have access to the data; integrity protects the information from unauthorized changes; and availability ensures that all information is accessible when it is required. Upholding these three aspects gives credibility to, and trust in, organizations and businesses, and is achieved through the application of controls. Controls can be more or less sophisticated and result from a combination of policies, procedures, and organizational structures.

Since it is not possible to ensure total protection of information from all current and potential threats, it is necessary to perform an information security risk analysis to determine the potential threats and vulnerabilities. Furthermore, this knowledge is important for defining the necessary countermeasures to be applied to mitigate the impact of these risks to an acceptable level. In this way, risk analysis is seen by Eling et al. (2021) as a process of identifying the assets, the risks to those assets, and the procedures to mitigate the risks to those assets. It is from the risk analysis that management can make proper decisions regarding information security.

Information security management (ISM) is currently an indispensable element across the various silos of corporate and business management. The Information Technology Infrastructure Library (ITIL), created with the goal of increasing the maturity of IT process management, offers a set of best practices for project management in areas such as support, services, infrastructure management, application management, and security management (Soomro & Wahba, 2011). This last component, security management, only emerged explicitly in 2018 with the publication of ITIL v.4. Furthermore, ITIL v.4 states that organizations must ensure that security aspects are integrated into all other IT Service Management (ITSM) processes. Because ITIL is an IT service-oriented methodology based on market best practices, it has been widely adopted by companies whose business is focused on IT services.

Key Terms in this Chapter

Confidentiality of Information: A security objective that ensures information is not made available or disclosed to unauthorized entities.

Process: A set of interrelated or interacting activities that transform inputs into outputs.

Incident Management: The practice of minimizing the negative impact of incidents by restoring normal service operation as quickly as possible.

Integrity of Information: A security objective that ensures information is only modified by authorized personnel and activities.

Availability: A security objective that ensures the ability of an IT service or other configuration item to perform its agreed function when required.

Service Continuity Management: The practice of ensuring that service availability and performance are maintained at a sufficient level in case of a disaster.

Risk: A possible event that could cause harm or loss, or make it more difficult to achieve objectives.

Information System: A set of people, procedures, and resources (hardware, software, and data) involved in the collection, processing, and provision of information in an organizational context.

Incident: An unplanned interruption to a service or a reduction in the quality of a service.

Information Security Management: The practice of protecting an organization by understanding and managing risks to the confidentiality, integrity, and availability of information.

Recovery: The activity of returning a configuration item to normal operation after a failure.
