What factors can positively and negatively impact the implementation and use of information security?
Cyber threats to information are on the rise, and they affect both the operation of a company and the decisions its top management makes. We will explore the factors that positively or negatively impact information security.
Information security according to NIST (2009) could be viewed as a protection of the organization’s data or its information from any unauthorized access, disclosure, modification, use, disruption, or destruction with the aim of enhancing confidentiality, availability as well as integrity.
One of the critical subjects with a positive or negative impact on implementing information security is the subject of "individual users". According to Scholtz (2006), ISO (2005) and Wood (2002), people are the chief factor in either the failure or the success of information security execution within an entity. Every security issue or breach is mainly connected with people, not just with technology.
Mitnick and Simon (2003) also make clear that any firm trying to mitigate information security threats through purely technological countermeasures will end up failing. Ashenden (2008) and Williams (2008) add that, in any form of entity, every person ought to be taught and convinced to comply with and contribute to information security regulations, practices and controls in order to achieve effective information security control.
Studies by Lacey (2009) and Gehringer (2002) show that, to gain a positive outcome, individuals should be regularly subjected to appropriate awareness training and other awareness tools and mechanisms.
We can also understand from Shedden et al. (2006) that information security threat assessments are both costly and complicated to execute and call for a specialist to manage the practices properly. Dimopoulos et al. (2004) also argue that there are three key factors through which people can positively or negatively affect the implementation of information security.
Trust is believed to be one of the chief aspects: safeguarding the confidentiality of external customers' information is a chief means for an organization to gain trust from these customers, and consistent delivery of quality products increases the level of trust shown towards it. This high level of trust may result from its close link with the organization's reputation, which makes the connection between information security and trust clear.
Companies are also affected by the culture and standards of their sector when executing information security programmes. Nguyen and Leblanc (2001) argued that the reputation and image of an organization are significant in developing and maintaining loyal clients. Thus, if a firm is viewed as untrustworthy, its image and reputation are adversely affected. Nonetheless, many organizations operate on the basis of the knowledge and understanding of a few key employees.
Compliance has two areas of consideration: one involves compliance with the myriad laws, regulations and contractual requirements that are part of the fabric of every institution; the other is compliance with the organization's own information security policies, standards and processes.
Some common compliance measures include:
Observance of statutory regulations;
Intellectual property rights (IPR);
Protection of Personally Identifiable Information (PII);
Protecting data and the confidentiality of personal data;
Protection of data records;
Compliance with security policies and standards (e.g. ISO, NIST, ANSI).
Personnel can also be regarded as business assets. People with their knowledge and skills are valuable assets, and measures are necessary to protect this value.
The organization must have rigorous procedures for when personnel enter and leave employment, or change jobs within the organization. It is important to change or remove access rights when appropriate, and to collect equipment and passes that have expired, thus making access rights control a regular process within information security.
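One way to make that joiner/mover/leaver check a regular process, as an added example (not from the original article): reconcile an HR roster against the directory accounts and raise the leaver accounts to disable, the mover group memberships to revoke, and any orphan accounts with no HR owner. The roster, accounts and the role-to-group entitlement table are constructed and hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical role -> entitled groups table (assumption, not a real policy).
ROLE_GROUPS = {
    "finance-analyst": {"staff", "finance-ro"},
    "finance-manager": {"staff", "finance-ro", "finance-rw", "payroll"},
    "developer": {"staff", "git-push", "ci-admin"},
}

@dataclass
class HRRecord:
    emp_id: str
    role: str
    active: bool          # False once HR has processed the leaver

@dataclass
class Account:
    username: str
    emp_id: str           # "" when no HR owner is recorded
    groups: set[str] = field(default_factory=set)

def reconcile(roster, accounts):
    """Return the access changes a periodic review should raise."""
    hr = {r.emp_id: r for r in roster}
    result = {"disable": [], "revoke": [], "orphan": []}
    for acct in accounts:
        rec = hr.get(acct.emp_id)
        if rec is None:
            result["orphan"].append(acct.username)      # unknown owner
        elif not rec.active:
            result["disable"].append(acct.username)     # leaver: whole account
        else:
            # Mover: groups beyond the current role are accumulated privilege.
            for g in sorted(acct.groups - ROLE_GROUPS.get(rec.role, set())):
                result["revoke"].append((acct.username, g))
    return result

# Constructed sample: one leaver, one mover, one clean joiner, one orphan.
SAMPLE_ROSTER = [
    HRRecord("E100", "finance-manager", active=False),
    HRRecord("E101", "finance-analyst", active=True),
    HRRecord("E102", "developer", active=True),
]
SAMPLE_ACCOUNTS = [
    Account("amir", "E100", {"staff", "finance-rw", "payroll"}),
    Account("bella", "E101", {"staff", "finance-ro", "finance-rw", "payroll"}),
    Account("chen", "E102", {"staff", "git-push"}),
    Account("svc-old-backup", "", {"staff", "ci-admin"}),
]
```

Running `reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS)` on a schedule, with the output fed to a ticket queue, turns the one-off leaver checklist into the recurring control the paragraph calls for.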
Key personnel are aligned with the corporate strategy and are usually eager to mitigate information risks. This is motivated by the fact that external parties, such as potential or existing clients, rate their firms in terms of reputation, quality of products and trustworthiness.
Many organizations start with only basic processes and systems when establishing their operations and place their focus mainly on growing the business. Once the organization grows, these processes and systems become insufficient to support the business growth.
An organization's reputation is usually viewed as an invaluable asset, because a reputation can take decades to build and can be damaged within a short period by a security breach. According to Cavusoglu et al. (2004), announcing a security breach is negatively associated with the market value of an organization. This fact alone can make a good number of clients shift to other service providers. Other areas of the organization of information security include the use of mobile devices and teleworking. With the exponential growth in smartphone users leading to an increase in thefts and fraud, adopting a clear security policy is essential. Some of these policy techniques include zero footprints, tunneling, malware protection, access control, restriction of software installation, registration of devices, encryption, back-ups, patching, hardening and user training.
Author: Tan Kian Hua, student LIGS University
Ashenden, D. (2008). Information security management: a human challenge? Information Security Technical Report, 13. Elsevier.
Australasian Conference on Information Systems (2009). Melbourne, Australia: Monash University.
Bandyopadhyay, K., Mykytyn, P. & Mykytyn, K. (1999). A framework for integrated risk management in information technology.
Briney, A. & Prince, F. (2002). Does Size Matter? Information Security.
Cavusoglu, H., Mishra, B. & Raghunathan, S. (2004). The effect of internet security breach announcements on market value.
Dimopoulos, V., Furnell, S., Barlow, I. & Lines, B. (2004). Factors affecting the adoption of IT risk analysis. In: Proceedings of the 3rd European Conference on Information Warfare and Security, Royal Holloway, June 2004.
Gehringer, E. F. (2002). Choosing passwords: security and human factors. In: ISTAS'02 International Symposium on Technology and Society.
Gerber, M. & von Solms, R. (2005). Management of risk in the information age.
IT Governance Institute (2008). Information security governance: guidance for information security managers. ITGI Publishing.
International Organization for Standardization (2005). ISO/IEC 27001:2005. ISO.
Johnston, A. C. & Warkentin, M. (2010). Fear Appeals and Information Security Behaviors: An Empirical Study.
Lacey, D. (2009). Managing the human factor in information security: how to win over staff and influence business managers.
Mitnick, K. D. & Simon, W. L. (2003). The art of deception. John Wiley & Sons.
Nguyen, N. & Leblanc, G. (2001). Corporate image and corporate reputation in customers' retention decisions in services.
NIST (2009). Recommended Security Controls for Federal Information Systems and Organizations.
Sasse, M. A., Brostoff, S. & Weirich, D. (2001). Transforming the 'weakest link': a human/computer interaction approach to proper and adequate security. July 2001.
Scholtz, T., Byrnes, F. C. & Heiser, J. (2006). Best practices and common problems for information security programs. Gartner.
Shedden, P., Ruighaver, A. B. & Ahmad, A. (2006). Risk Management Standards: The Perception of Ease of Use.
Shedden, P., Scheepers, R., Smith, M. & Ahmad, A. (2009). Towards a Knowledge Perspective in Information Security Risk Assessments.
Siponen, M. & Vance, A. O. (2010). Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations.
Tipton, H. F. & Krause, M. (2007). Information security management handbook. Auerbach Publications.
Williams, P. (2008). In a 'trusting' environment, everyone is responsible for information security.
Wood, C. C. (2002). Information security policies made easy. PentaSafe Security Technologies.