Analysis of Academic Research in Information Security
With the increasing number of computer networks and the pervasiveness of the Internet, the exchange of data and information has reached a whole new high in today’s world. However, that progress has brought with it the need for security. Organisations need to protect data from Information Security (IS) threats like viruses and unauthorised persons (Humaidi & Balakrishnan, 2015). This has led to the development of information security management systems, or ISMS. Not only does an ISMS intend to protect IT assets in an organisation, it also safeguards the organisation by minimising the business impact of security breaches and thus ensuring business continuity. Information security is, therefore, one of the major concerns in organisations today (Toosarvandani, Modiri & Afzali, 2012).
The need for an ISMS emerged strongly in the late 90s, and the first ISMS standard was the BS7999, which was published in England in 1995. Through the years and through successive revisions, the International Organization for Standardization (ISO) emerged in 2000 (Toosarvandani, Modiri & Afzali, 2012), which standardised a framework for managing organisational information security in a continual cycle of implementing, operating, monitoring, reviewing, maintaining and improving it (Varanasi & Gupta, 2012). Since then, ISMS has been a topic of significant study among organisational researchers and management scholars.
Studies indicate that ISMS has many aspects that have interested academics from the time it began to be practised. From risk assessment to control through technical enhancements and standardisation, there are several approaches to information security across the many types of organisations and industries. The area of focus in ISMS studies has also shifted from being technical and process-oriented in the 90s to behavioural and people-oriented after 2000. Individual and organisational perspectives have occupied the centre of ISMS research in recent years (Bulgurcu, Cavusoglu & Benbasat, 2010). This report analyses about 30 research papers on ISMS and delves deeper into another five academic works to understand why and how this shift in the subject of ISMS research has taken place since 2000.
Review & Analysis by Topic
The primary aim of an ISMS is to protect the confidentiality, integrity and availability (CIA) of information stored in systems and to mitigate the different risks to that information (Chang et al., 2011). Apart from adhering to an appropriate ISO standard for ISMS, organisations can approach information security management in more ways than one. Many academics have proposed theoretical models and carried out psycho-social analyses to understand what best serves to secure information in organisations. There are theoretical approaches, behavioural approaches, technical and technological approaches, and other socio-political and strategic approaches too.
Hong et al. (2003) felt that there were many studies on security technologies, but theories of information security management were quite scant. Hence, they combined five related theories of information security to develop an integrated theory of information security management (ISM) that may further help organisations to protect their enterprise assets and manage the risks to them.
Stahl et al. (2008) lend support to Hong et al.’s claim that there is a need for ISM theories to facilitate better managerial control in organisations. The authors approach information security from a critical research standpoint, whereby ISM should be established on an ideological and hegemonic basis. They advance the idea that in organisations, the individual’s right to privacy must be overridden by the group’s or company’s need for security, which serves the “greater good” (p. 10).
Tu & Yuan’s (2014) study also provides a theoretical model for effective ISM. These authors studied various ISM standards and prior research on information security to identify six critical factors that can lead to successful ISM. These socio-organisational factors are: business alignment of IS objectives, IT competence, organisational awareness, security control development, organisational support and performance evaluation.
Technical / Technological
Some ISMS research is purely technical in nature, discussing and evaluating effective IS technologies in business contexts. Tomhave (2004), for example, analysed thirteen IS technology domains in light of their business viability and security aspects. Each technology area was discussed in terms of organisational needs, while also catering to the CIA requirements.
Speaking of CIA compliance, another technical/technological approach to ISMS studies was provided by Pavlov and Karakaneva (2011). These authors held that an organisational ISMS is a combination of setting security standards and implementing security policy. Only when concepts meet their applications is a “culture of security” established and is a business able to manage risks considerably (p. 25).
The risk management perspective of ISMS has also been explored in the works of Elky (2006), Mirela and Maria (2008), and Toosarvandani et al. (2012). While Elky (2006) provided a more generic overview of IS risk management as an essential element of ISMS, Mirela and Maria (2008) specifically discussed risk assessment and management in the context of Romanian financial institutions. Their work echoed Terroza’s (2015) six sigma proposition to practise an ongoing process of assessing, measuring, analysing, improving and controlling risks for successful ISMS in organisations. Toosarvandani et al. (2012) narrowed the focus and studied the implementation of the six sigma ISMS cycle particularly in the case of local area networks (LAN) in organisations.
Montesino and Fenz (2011) offered a significant technological discussion of effective ISMS in organisations. They explored the possibilities for automating ISM in their study. The research found that automation can be applied only partly to managing IS: since the vulnerability landscape changes rapidly, it is difficult to automate an ISMS completely.
ISMS research has often focused on particular industries and types of organisations. Some authors focused on e-commerce, some on the financial sector, some on education, some on defence/military, and so on. Although the technical applicability changes with the type of organisation, there is a common need for CIA compliance across all of this research.
Lane (2007) studied how IS can be applied to complex Australian university IT systems, where academic freedom coexists with information security mandates. Implementing effective ISMS in educational institutions is often a challenge for security practitioners. To that end, the author provided an integrated theoretical framework for them to successfully implement ISMS in educational organisations.
Qin and Li (2012) studied IS technologies such as data encryption and identity authentication for e-commerce systems, which are very relevant in today’s world. Giordano and Maciag (2002) addressed another very contemporary issue of ISM in cyberspace. They discussed the particular needs and challenges of cyber forensics in the military context, where entire information systems and networks are attacked at once, instead of individual systems. This changes the whole approach of ISMS in terms of its scalability, data integrity, recovery and timeliness of analysis. According to the authors, effective ISMS in the military context would require expertise, awareness and ongoing development of tools and capabilities. However, these studies are often countered by behavioural studies in ISMS, which argue that technology alone cannot ensure information security in today’s organisations.
Organisational / Behavioural
The period after 2000 saw a plethora of ISMS research covering the organisational and behavioural aspects, which are generally the non-technical issues of information security. Many of these studies deal with employee attitudes, examine employee security behaviours and propose tested models of ISMS for the managers and leaders of organisations.
Chang & Ho (2006), Thomson & Solms (2006) and Chang & Lin (2007) studied the influence of organisational culture on effective ISM. While Chang & Ho particularly found the IT competence of managers to affect the health of IS in organisations, Thomson & Solms revealed through an IT competence maturity model that the degree to which IS is embedded in a corporate culture influences employee behaviour towards security. The findings of Chang & Lin indicated that a control-oriented organisational culture drives more effective ISM.
However, researchers like Kolkowska et al. (2017) and Hedström et al. (2011) would strongly disagree. These authors empirically deduced that employees are motivated by the values they derive from security compliance and hence that a Value-Based Compliance (VBC) Model is a more effective approach to ISM than a control-oriented approach of penalties and sanctions. Before we discuss the extent to which value-driven information security research has increased in recent times, it is important to also take note of studies which found ISMS success only in a combination of organisational culture and employees’ responsible behaviour towards IS.
Herath & Rao (2009), for example, felt that IS technology is not enough to safeguard organisations. As Furnell (2006) pointed out, the primary IS threats arise from internal staff, whether deliberately, inadvertently or through ignorance. This may be one factor contributing to organisational IS vulnerabilities. For Herath & Rao, the solution lay in social/peer influence on security compliance, fear of penalties and the employees’ perceived contribution to security. Therefore, as Alfawaz et al. (2010) pointed out in their study, if behavioural issues like careless password sharing or downloading unauthorised software can be controlled, this can lead to higher IS in organisations. Klein & Luciano (2016) observed that employees’ perception of threat, control and disgruntlement affected their security behaviours. They also belong to the group of researchers who believe that organisations can create positive IS orientations in employees.
Siponen et al. (2014) made this more specific. They deduced that it is the managers and leaders in organisations who have a significant role to play in inducing positive IS orientations and awareness among employees through training and education. They also pointed out five intrinsic motivators of positive security behaviour, all of which add up to a ‘value’ for each employee in his/her own perception. This, in turn, ties in with the research by Kolkowska et al. (2017) and Hedström et al. (2011), who found that organisations are characterised by multiple rationalities and hence that managers should examine such multiplicities before demanding ISMS compliance.
From a purely organisational standpoint, Byrd et al. (2006) felt the role of senior IT leadership to be particularly critical in creating an environment of information security compliance. However, from a purely behavioural standpoint, it is the ability of organisations, managers and leaders to understand employees’ intrinsic motivations for security behaviours that holds the key to successful ISMS. Zinatullin (2016) clearly stated that “scare tactics” are ineffective in generating positive behaviours. The main decision-making motivator for employees is their personal gain. Employees continually perform a cost-benefit analysis, to varying degrees, and that determines their security-related behaviour.
Hu et al. (2014) offered a neuro-scientific explanation of human decision-making. Higher levels of neural activity in the left and right brain are directly correlated with higher self-control and consequently less risky behaviour. The future of ISM research, therefore, lies in understanding employees, hackers, insiders’ negligent behaviours, etc., concluded Crossler et al. (2013). Hence, the five additional research papers chosen for more detailed discussion later are from this category of Organisational/Behavioural ISMS research.
Socio-political and Others
Some of the ISMS research was found to cover completely different aspects of information security in organisations. Fanciulli (2006), for instance, studied the globalised context of IS, where organisations substantially run on virtual collaboration. Such virtual teams are often marked by polarisation and lack of trust, thus threatening the CIA of IS. So Fanciulli suggested that the socio-political issues in organisations need to be handled first in order to establish effective ISM. For Jeong and Ahn (2014), security breaches can be mitigated through active learning, and they also concluded that a successful ISMS would mean a synergy of technical, physical and administrative approaches.
Šalgovičová and Prajová (2012) had a slightly different approach. For these authors, an ISMS should be established based on the corporate needs of the organisation, its security requirements, its size, its structure, etc. They offered a wholly strategic approach to ISMS. However, such research is not very rare; one can still find works on the strategic perspectives of ISM. A perspective that is particularly rare in ISM studies is the one offered by Anderson (2001). Anderson negated all possibilities of achieving information security on the grounds of “perverse economic” objectives (p. 9). He maintained that IS is about power and hence there will always be perverse agents in the organisational environment who will try to derive economic gains from IS, thus always putting the latter at risk. It can be debated to what extent Anderson’s view is true.