A Theory on Information Security: A Pilot Study
Related papers
A Theory on Information Security
Australasian Conference on Information Systems, 2016
This paper proposes a theory on information security. We argue that information security is imperfectly understood and aim to bring about an altered understanding of why efforts are made to engage in information security. The goal of information security is widely recognised as the confidentiality, integrity and availability of information; however, we argue that the goal is actually to simply create resources. This paper responds to calls for more theory in information systems, places the discussion in philosophical context and compares various definitions. It then identifies the key concepts of information security, describes the relationships between these concepts, as well as scope and causal explanations. The paper provides the theoretical base for understanding why information is protected, in addition to theoretical and practical implications and suggestions for future research.
An Holistic View of Information Security: A Proposed Framework
International Journal for Infonomics, 2011
This discussion paper focuses on an holistic framework proposed that includes the following clusters of ideas: purpose and role of information security, societal trends, human elements, changing technologies, information security management, and complexity and interactions. These multiple views of information security provide a more complete framework in which to embed much of the global research in information security. Future directions and possible research projects are considered that would apply this holistic framework to what is considered to be a 'difficult' problem to solve.

3. Analysis of Findings

The factors that determine the information security framework within this paper are classified under six clusters: purpose and role of information security, societal trends, human elements, interaction and complexity, information security management and changing technologies.

3.1. Purpose and Role of Information Security

As the internet has outgrown its original purpose and role, so has the purpose and role of information security.
Information systems security: A managerial perspective
International Journal of Information Management, 1992
Information security has been recognised as one of the major issues of importance in the management of organizational information systems. Losses resulting from computer abuse and errors are substantial, and information systems managers continue to cite security and control as a key management issue. This paper presents the various dimensions of the problem, suggests specific steps that can be taken to improve the management of information security, and points to several research directions. The rapid progress in computer and communications technologies in the last two decades has rendered most organizations vulnerable to misuse or abuse of computer-based information systems (IS). While information systems provide opportunities to improve an organization's functioning and enhance its products or services, they can also expose organizations to significant risks as organizations become increasingly dependent on information resources. Therefore, important concerns that accompany the use of information technology are how much security is needed to protect computing facilities and information resources and how to obtain this level of security. Evidence for the importance of IS security is provided by the frequency with which security and control are cited as a key management issue by IS managers. Sprague and McNurlin further suggest that security and integrity are one of the six high-priority concerns of IS managers in the future. Information security can be viewed from two aspects: technological and managerial. While much attention is given to the technological issues, only little attention is given, both in literature and the real world, to the managerial side. The purpose of this paper is to review the managerial aspects of information security, and to point to practical recommendations in these aspects.

The following sections provide a brief overview of IS security, discuss the difficulties of managing information security, and address the issues of attack and defence. Managerial issues concerning IS security are then defined and some basic recommendations are drawn. The paper concludes with a summary of management's role in IS security.

What is information security? Information security is concerned with the protection of computing facilities from deliberate or accidental threats that may exploit vulnerabilities of a computing system. The target of a crime involving computers may be any portion of a computing facility: hardware,
A Philosophical Analysis of the Perception of Information Security
This paper will look at the philosophy of technology as well as its effects on users' perception in regards to the fundamentals behind securing technology. A review of the current state of breaches will be undertaken, as well as a preview of postmodernistic influences on users' reactions to technology. Finally, the concept of Frankenstein's other monster will be examined and married with Heidegger's phenomenological theory of uncovering hidden things.
Understanding Information Security Strategy in Organisations
The University of Melbourne, 2018
The research topic under investigation in this thesis is information security strategy in organisations and I offer a novel substantive theory for understanding this phenomenon under varying environmental and internal conditions. My original contribution to knowledge includes a definition for information security strategy, criteria for organisational environment and information assessment, a conceptual model of information security strategy, a substantive theory on information security strategy, and a descriptive set of benefits that can be adopted after strategy selection and approval. Organisations are progressively undertaking digital transformation of their products and services to reduce costs, improve customer relationships, and consolidate operations. Information is the “lifeblood” of any organisation and is increasingly being used to support this digital transformation across the entire organisation. Yet, the boundaries of information, its value, and importance in supporting organisational goals are frequently overlooked, creating security exposures and vulnerabilities. One reason for this is a lack of attention paid to cataloguing and controlling valuable information being used as a business resource. Others are that usage of emerging disruptive technology such as cloud-based applications can create porous network borders, that security controls used to protect information can be expensive and complex, and that organisational leaders may resist the implementation of security controls due to a perception that they impede productivity. This then leads to increased risk to information, affecting organisational leaders in the governing body, who currently have no consistent guidance available to help them in selecting a strategy or setting a strategic direction for information security. To address this problem, I examine a range of concepts when adopting a strategy to secure information, by interviewing security leaders in organisations. 
In a qualitative study, I interviewed twenty-five participants and used grounded theory methodology and techniques to analyse the transcripts and their organisation’s information security strategy documents when permitted, to understand significant information security concepts and their relationships in an organisational context. The results show that organisational leaders choose from four main strategies when making decisions to secure their organisation’s information. Their choice depends on (1) consideration of organisational factors including constraints on outsourcing decisions and (2) the value of information held within the organisation. This facilitated the development of a conceptual model of information security strategy and a substantive theory on information security strategy. The implications of this are that organisations can continue business operations towards the achievement of strategic goals using information as a resource, and that the selection of an information security strategy can lead to a more complete understanding of the comprehensive strategic plans required to implement operational security controls throughout an organisation, making them more applicable and cost effective.
Protecting Information in a Connected World: A Question of Security and of Confidence in Security
2011
The infrastructures and services related to information and telecommunications are crucial constitutive elements of our society. These elements require not only ICT security but also confidence in that security. This paper explores at a macroscopic and integrated level the main challenges, obstacles and constitutive elements that contribute to building confidence in information security. The aims of this paper are to identify some key technological elements and impacts that drive the development of information security from a long-term risk management perspective, point out the complexities in applying security to vulnerable ICT environments, clarify the need to master indicators and methodologies that contribute to identifying and applying good risk and security management practices and confidence in these, show how legislation can contribute to limiting or enhancing information security effectiveness, analyse the relationships, differences and interactions between security, confidence and compliance, and discuss how the audit process and the input of auditors can help in building confidence.
Information security is information risk management
Proceedings of the 2001 workshop on New security paradigms - NSPW '01, 2001
Information security is important in proportion to an organization's dependence on information technology. When an organization's information is exposed to risk, the use of information security technology is obviously appropriate. Current information security technology, however, deals with only a small fraction of the problem of information risk. In fact, the evidence increasingly suggests that information security technology does not reduce information risk very effectively. This paper argues that we must reconsider our approach to information security from the ground up if we are to deal effectively with the problem of information risk, and proposes a new model inspired by the history of medicine.
Information security management objectives and practices: a parsimonious framework
Information Management & Computer Security, 2008
Purpose - As part of their continuing efforts to establish effective information security management (ISM) practices, information security researchers and practitioners have proposed and developed many different information security standards and guidelines. Building on these previous efforts, the purpose of this study is to put forth a framework for ISM.

Design/methodology/approach - This framework is derived from the development of an a priori set of objectives and practices as suggested by literature, standards, and reports found in academia and practice; the refinement of these objectives and practices based on survey data obtained from 354 certified information security professionals; and the examination of interrelationships between the objectives and practices.

Findings - The empirical analysis suggests: four factors (information integrity, confidentiality, accountability, and availability) serve as critical information security objectives; most of the security areas and items covered under ISO 17799 are valid with one new area, "external" or "inter-organizational information security"; and for moderately information-sensitive organizations, "confidentiality" has the highest correlation with ISM practices, while for highly information-sensitive organizations, "confidentiality", "accountability", and "integrity" are the major ISM objectives. The most important contributor to information security objectives is "access control".

Research limitations/implications - This study contributes to the domain of information security research by developing a parsimonious set of security objectives and practices grounded in the findings of previous works in academia and practical literature.

Practical implications - These findings provide insights for business managers and information security professionals attempting to implement ISM programs within their respective organizational settings.

Originality/value - This paper fulfills a need in the information security community for a parsimonious set of objectives and practices based on the many guidelines and standards available in both academia and practice.
The Relationship Between Information Systems Resources and Information Security
2017
Information is an asset crucial for the survival of any organization. Because of its importance, information needs to be safeguarded and protected, normally termed information security. ISO 27001:2005 defines information security as "the preservation of confidentiality, integrity and availability of information". Hence, information security is designed to protect the valuable data of the organization, and it is important in safeguarding all of an organization's data from unauthorized access or modification to ensure its availability, confidentiality, and integrity. Realizing the importance of information security, researchers have studied and proposed various models for an effective implementation of information security. To further add to this body of literature, this paper reports the findings of a study examining information systems resources and their effect on information security. Using the survey research method with a questionnaire as the instrument for data collection, ...