Analysis of Academic Research in Information Security

Introduction

With the increasing number of computer networks and the pervasiveness of the Internet, exchange of data and information has reached a whole new high in today’s world. However, that progress has brought with it the need for security. Organizations need to protect data from Information Security (IS) threats like viruses and unauthorized persons (Humaidi & Balakrishnan, 2015). This has led to the eventual development of information security management systems or ISMS. Not only does ISMS intend to protect IT assets in an organisation, it also safeguards the organisation by minimizing the business impact of untoward security breaches and thus ensuring business continuity. Information security is, therefore, one of the major concerns in organizations today (Toosarvandani, Modiri & Afzali, 2012). Assignment Studio has the best qualified and experienced team of experts to provide students help with information security assignments.

The need for an ISMS emerged strongly in the late 90’s and the first standard of ISMS was the BS7999, which was published in England in 1995. Through the years and through revisions, finally the International Organization for Standardization (ISO) emerged in 2000 (Toosarvandani, Modiri & Afzali, 2012), which standardized a framework for managing organizational information security in a continual cycle of implementing, operating, monitoring, reviewing, maintaining and improving it (Varanasi & Gupta, 2012). Since then, ISMS has been a topic of significant study among organizational researchers and management scholars.

Studies indicate that ISMS has many aspects that has interested academicians from the time it began to be practiced. Starting with its risk assessment to control through technical enhancements and standardizations, there are several approaches to information security across the many types of organizations and industries. The area of focus in ISMS studies has also been found to have shifted from being technical and process-oriented in the 90s to behavioral and people-oriented after 2000. Individual and organizational perspectives have occupied the center of ISMS research in recent years (Bulgurcu, Cavusoglu & Benbasat, 2010). This report analyses about 30 research papers on ISMS studies and delves deep into another five academic works to understand why and how the subject shift in ISMS research has taken place since 2000. If you ever need Essay Help, always get in touch with us.

Information Security

 

Review & Analysis by Topic

The primary aim of ISMS is to protect the confidentiality, integrity, and availability (CIA) of information stored in systems and to mitigate the different risks to that information (Chang, et. al., 2011). Apart from adhering to an appropriate ISO standard for ISMS, organizations can approach information security management in more ways than one. Many academicians have tried to propose theoretical models and have made psycho-social analyses to understand what best serves to secure information in organizations. There can be theoretical approaches, behavioral approaches, technical and technological approaches and other socio-political and strategic approaches too.

 

Theoretical

Hong, et. al. (2003) felt that there was a lot of studies on security technologies, but theories on information security management were quite scant. Hence, they combined five related theories of information security to develop an integrated theory of information security management (ISM) that may further help organizations to protect their enterprise assets and manage the risks to them.

Stahl, et. al. (2008) lends support to Hong, et. al.’s claim in that there is a need for ISM theories to facilitate better managerial control in organizations. The authors approach information security from a critical research standpoint, whereby ISM should be established on an ideological and hegemonic basis. They enforce the idea that in organizations, the individual rights to privacy must be overridden by the group’s or company’s need for security, which covers the “greater good” (p. 10).

Tu & Yuan’s (2014) study also provides a theoretical model for effective ISM. These authors studied various ISM standards and prior research on information security to identify six critical factors that can lead to successful ISM. These socio-organizational factors are: business alignment of IS objectives, IT competence, organizational awareness, security control development, organizational support, and performance evaluation.

 

Technical / Technological

Some ISMS research are purely technical in nature, discussing and understanding effective IS technologies in business contexts. Tomhave (2004), for example, analyzed thirteen IS technology domains in light of their business viability and security aspects. Each technology area was discussed in terms of organizational needs, while also catering to the CIA requirements.

Speaking of CIA compliance, another technical/technological approach to ISMS studies had been provided by Pavlov and Karakaneva (2011). These authors held that organisational ISMS is a combination of setting security standards and security policy implementation. Only when concepts meet their applications, a “culture of security” is established and a business is able to manage risks considerably (p. 25).

The risk management perspective of ISMS had also been explored in the works of: Elky (2006); Mirela and Maria (2008); and Toosarvandani, et. al. (2012). While Elky (2006) provided a more generic overview of IS risk management as an essential element of ISMS, Mirela and Maria (2008) specifically discussed risk assessment and management in the context of Romanian financial institutions. Their work echoed Terroza’s (2015) six sigma proposition to practice an ongoing process of assessing, measuring, analyzing, improving and controlling risks for successful ISMS in organizations. Toosarvandani, et. al. (2012) narrowed focus and studied implementation of the six sigma ISMS cycle particularly in the case of local area networks (LAN) in organizations.

Montesino and Fenz (2011) offered a significant technological discussion on effective ISMS in organizations. They explored the automation possibilities of ISM in their study. The research found that automation can be implemented only partly in managing IS. Since, the vulnerability landscape rapidly changes, it is difficult to automate ISMS completely.

ISMS research often focused on particular industries and types of organizations. Some authors focused on e-commerce, some on financial sector, some on education, some on defense/military, and so on. Although their technical applicability changes with organizational types, there is a common need for CIA compliance in all these research.

Lane (2007) studied how IS can be applied to complex Australian university IT systems, where academic freedom coexists with information security mandates. Implementing effective ISMS in educational institutions is often a challenge for security practitioners. To that end, the author provided an integrated theoretical framework for them to successfully implement ISMS in educational organizations.

Qin and Li (2012) studied IS technologies like data encryption and identity authentication technologies for e-commerce systems, which are very relevant in today’s world. Giordano and Maciag (2002) addressed another very contemporary issue of ISM in the cyberspace. They discussed particular needs and challenges of cyber forensics in the military context, where entire information systems and networks are attacked at once, instead of individual systems. Therefore, it changes the whole approach of ISMS in terms of its scalability, data integrity, recovery and timeliness of analysis. According to the authors, effective ISMS in the military context would require expertise, awareness and ongoing development of tools and capabilities. However, these studies are often countered by behavioral studies in ISMS, that argue that technology alone cannot ensure information security in today’s organizations.

 

Organizational / Behavioral

Post 2000 saw a plethora of ISMS research covering the organizational and behavioral aspects, which are generally the non-technical issues of information security. In fact, more of these deal with employee attitudes, study employee security behaviors and propose tested models of ISMS for the managers and leaders of organizations.

Chang & Ho (2006), Thomson & Solms (2006) and Chang & Lin (2007) studied influence of organisation culture on effective ISM. But while Chang & Ho particularly found the IT competence of managers to be impacting the health of IS in organizations, Thomson & Solms revealed through an IT competence maturity model that the level of IS embedded in a corporate culture influenced employee behaviors towards security. Findings of Chang & Lin indicated that a control-oriented organizational culture drives more effective ISM.

However, researchers like Kolkowska, et. al. (2017) and Hedström, et. al. (2011) would strongly disagree. These authors empirically deduced that employees are motivated by values they derive out of security compliance and hence, a Value-Based Compliance (VBC) Model is a more effective approach to ISM than a control-oriented approach of penalties and sanctions. Before we discuss the extent to which value-driven information security research has increased in recent times, it is important to also take note of studies which found ISMS success only in a combination of organisation culture and employees’ responsible behavior towards IS.

Herath & Rao (2009), for example, felt that IS technology is not enough to safeguard organizations. As Furnell (2006) pointed, the primary IS threats arise from internal staff, either deliberately or inadvertently or ignorantly. This may be one reason adding to organizational IS vulnerabilities. For Herath & Rao, the solution lay in social/peer influence of security compliance, fear of penalties and in the employees’ perceived contribution to security. Therefore, as Alfawaz, et. al. (2010) pointed in their study, if behavioral issues like careless password sharing or downloading unauthorized software can be controlled, it can lead to higher IS in organizations. Klein & Luciano (2016) observed that employee perception of the threat, control and disgruntlement impacted security behaviors. They also belong to the research lobby who believed that organizations can create positive IS orientations in employees.

Siponen, et. al. (2014) made it more specific. They deduced that it is the managers and leaders in organizations who have a significant role to play in inducing positive IS orientations and awareness among employees through training and education. They also pointed out five intrinsic motivators to positive security behavior, all of which sum up to a ‘value’ for each employee in his/her own perception. So this, in turn, ties to the research by Kolkowska, et. al. (2017) and Hedström, et. al. (2011), who found that organizations are characterized by multiple rationalities and hence, managers should examine such multiplicities before asking for ISMS compliance.

From a purely organizational standpoint, Byrd, et. al. (2006) felt the role of senior IT leadership to be particularly critical in creating an environment of information security compliance. However, from a purely behavioral standpoint, it is the ability of organizations/managers/leaders to understand employees’ intrinsic motivations towards security behaviors that holds the key to successful ISMS. Zinatullin (2016) clearly stated that “scare tactics” are ineffective in generating positive behaviors. The main decision-making motivator for employees is their personal gain. Human psychology keeps doing a cost-benefit analysis to varying degrees and that determines their security-related behaviors.

Hu, et. al. (2014) offered a neuro-scientific explanation to human decision-making. Higher levels of neural action in the left and right brain is directly correlated to higher self-control and consequently lesser risky behaviors. The future of ISM research, therefore, is in understanding employees, hackers, insiders’ negligent behaviors, etc., concluded Crossler, at. al. (2013). Hence, the five additional research papers chosen for more detailed discussions later are from this category of Organizational/Behavioral ISMS research.

 

Socio-political and Others

Some of the ISMS research were found to cover completely different aspects of information security in organizations. Fanciulli (2006), for instance, studied the globalized context of IS, where organizations substantially run on virtual collaboration. Such virtual teams are often marked by polarization and lack of trust, thus threatening the CIA of IS. So Fanciulli suggested that the socio-political issues in organizations need to be handled first in order to establish effective ISM. For Jeong and Ahn (2014), security breaches can be mitigated through active learning and they also concluded that a successful ISMS would mean a synergy of technical, physical and administrative approaches.

Šalgovičová and Prajová (2012) had a slightly different approach. For these authors, ISMS should be established based on the corporate needs of the organisation, its security requirements, its size, its structure, etc. They offered a totally strategic approach to ISMS. However, such research is not very rare; one can still find works on the strategic perspectives of ISM. Perspective that is particularly rare in ISM studies is the one offered by Anderson (2001). Anderson negated all possibilities of achieving information security on the grounds of “perverse economic” objectives (p. 9). He maintained that IS is about power and hence, there will always be perverse agents in the organizational environment who will try to derive economic gains from IS, thus putting the latter always at risk. It can be debated to what extent Anderson’s view is true.

You get premium service at the best market price. Our best price guarantee ensures that the features we offer cannot be matched by any of the competitors, in case they do – “We will beat the price”. Thus, for an effective and cheap assignment help, always count on us.