Acknowledgement Of Organization Information Security


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

The business value of information has increased dramatically over the last few decades. Information systems have pervaded the business world at a rapid pace and have become critical assets in many organisations (Nanno, 2006). Organizations depend on information technology and the information systems that are developed from that technology to successfully carry out their missions and business functions. Information systems can include, as constituent components, a range of diverse computing platforms from high-end supercomputers to personal digital assistants and cellular telephones. Information systems can also include very specialized systems and devices (e.g., telecommunications systems, industrial/process control systems, testing and calibration devices, weapons systems, command and control systems, and environmental control systems). Federal information and information systems are subject to serious threats that can have adverse impacts on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems. Threats to information and information systems include environmental disruptions, human or machine errors, and purposeful attacks. Cyber attacks on information systems today are often aggressive, disciplined, well-organized, well-funded, and in a growing number of documented cases, very sophisticated. Successful attacks on public and private sector information systems can result in serious or grave damage to the national and economic security interests of the United States.
Given the significant and growing danger of these threats, it is imperative that leaders at all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks (Guide for Applying the Risk Management Framework to Federal Information Systems, 2010).

In today’s global market, an organization’s intranet is connected to the Internet, and its assets become a target for various malicious attacks. The need for protecting organizational information assets has increased due to the technology revolution in information systems and communication media (Dhillon, 2006). The organizations that participated in this research indicated that there was a need to implement proper security measures to protect information assets from malicious attacks. Securing information without securing the tangible assets of an organization can be risky, because this separation creates an opportunity for an attacker to cause serious harm by gaining physical access (Schou and Shoemaker, 2006). Organizations that implement security measures and countermeasures to protect hardware, software, and information, such as antivirus software, firewalls, encryption, password protection, hardening of operating systems, network operating systems, and network devices, and employee awareness, decrease vulnerabilities and security breaches (Ciampa, 2005).

The Internet and computer networking mean that there is a need for new security measures and policies to reduce the threats and challenges inherent in these new technologies, software applications, and network devices. Information, network equipment, transmission media, computer systems, and servers are subject to threats. "Yet the use of information and communication technologies has increased the incidents of computer abuse." (Backhouse and Dhillon, 2000). Security measures and countermeasures are implemented to protect organizations from different security attacks. To guarantee the security requirements of a given organization, it is essential to be able to evaluate the current security demands of an organization as well as the measures taken to achieve those requirements. Security weaknesses have a negative impact on organizations, such as financial loss, damage to reputation, and loss of customer confidence (Kumar, Park, and Subramaniam, 2008). The intention of implementing security measures, controls, and policies is to guard information security objectives and information assets. The information security objectives, confidentiality, integrity, and availability, are the main concern in categorizing the information security level (Chen, Shaw, and Yang, 2006; Johnson, 2008; Nyanchama, 2005).

Information security breaches take many forms and can carry disturbing and devastating consequences for both the economy and national security. The Department for Business Enterprise & Regulatory Reform (BERR) in the United Kingdom conducted a survey in 2008 which indicated that the estimated financial losses due to security breaches were several billion pounds a year (Chen, Shaw, and Yang, 2006). Richardson found in the annual CSI survey conducted by the FBI that the average financial loss due to security breaches per respondent was $288,618; however, only 144 of 522 respondents were willing to share their financial losses. Security-related losses cost the U.S. economy some US$117.5 billion a year (Powner, 2009). An organization that could experience a loss of personal information due to a breach of confidentiality, integrity, or availability would be categorized as a low, moderate, or high security level. Table 1 illustrates a template example for a high security level of a given organization. Measuring the level of personal, physical, and network security will assist organizations in determining the average security level that needs to be implemented in an organization.

Security measures and countermeasures are used in organizations to protect information security objectives. These measures will assist an evaluator in measuring the security level. For example, the security level is high when an organization implements the most proper, up-to-date measures, policies, and countermeasures to protect its security objectives. The information security level is low when an organization implements up to 49% of the measures and countermeasures to protect its security objectives. The security level is moderate when an organization implements between 50% and 79% of the measures and countermeasures to protect its security objectives, as shown in Table 1 (Abdullah, 2010).

All organizations face growing security threats, from the local small business to the multinational corporation. The problem is often greater for larger organizations due to their larger number of computers and employees, as well as the potential for them to be targeted for political, social, and economic reasons. The magnitude of the problem is also compounded for larger organizations and their senior management who, in an effort to protect and maintain their information assets, need to meet ever-expanding compliance requirements levied by the U.S. Federal Government. Several high-visibility events, such as distributed denial-of-service attacks and website defacements perpetrated against Internet-based organizations, have served notice that the 21st century will be an increasingly challenging time for organizations that rely on information technology (IT) systems. A study performed by the President’s Commission on Critical Infrastructure Protection ("PCCIP," 1997) and the President’s Critical Infrastructure Protection Board ("PCIPB," 2001) recognized the implications of pervasive interconnectivity of critical infrastructures at the national level. Recent Federal legislative and Office of Management and Budget (OMB) requirements have forced organizations to change the way they manage IT, and have compelled them to include metrics to demonstrate their progress in achieving their enterprise-wide goals and objectives ("FISMA," 2002; "HIPAA," 1996; NPR, 1997; "SOX," 2002).

An examination of the existing literature not only reveals that the OISM discipline is fundamentally immature, but that considerable ambiguity even exists surrounding the concept of IT security metrics. While organizations (governmental, non-governmental, academia, and business) are working to develop OISM, there is a wide disparity between their approaches, the applicability of their results, and the assumptions used to interpret the results. Notwithstanding a substantial body of literature on the technical aspects of IT security metrics, no scholarly study has been undertaken regarding the critical factors that influence decision makers when they consider adopting OISM in their organizations. Unfortunately, this leaves little data to aid decision-making managers in considering the adoption of OISM for their organizations.

OISM has certain characteristics that often make the process of organizational adoption decisions difficult. Lease (2005) succinctly stated that the perceptions of a specific security technology, its functional effectiveness, reliability, and cost-effectiveness, are critical factors in an organizational manager’s decision to adopt that technology. Organizations facing increasing security costs are scrutinizing whether IT security expenditures are proportionate to IT security risks, in the form of cost-benefit/ROI analyses (CDS, 2005; Lanzi, 2002; Lawlor, 2005; Lesk, 2003; Levine, 2004; Richards, 2002; Shore, 2004; Verton, 2003). These types of analyses are not commonly applied to IT investments in general and to IT security investments in particular because of intrinsic difficulties and the absence of transparent models for applying traditional ROI to these investments (Fitzgerald, 2008; Hoo, 2000; Mercuri, 2003; Nguyen, 2004; Orlandi, 1991; Ya & Kauffman, 2003). This research study seeks to shed light on this process to help decision-makers, as well as OISM security services/solution providers, understand the important perceptions of OISM within their customer base of organizational decision-making managers.

To accomplish the goal of this study, primary research data were collected to identify factors affecting decision-making managers’ willingness to adopt OISM and the association between managers’ attitudes and perceptions and their willingness to adopt OISM.

1.2 Background of the Study

1.2.1 Integrated organization-wide risk management

Managing information system-related security risks is a complex, multifaceted undertaking that requires the involvement of the entire organization—from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning and managing projects, to individuals on the front lines developing, implementing, and operating the systems supporting the organization’s core missions and business processes. Risk management can be viewed as a holistic activity that is fully integrated into every aspect of the organization. Figure 1 (NIST, 2010) illustrates a three-tiered approach to risk management that addresses risk-related concerns at: (i) the organization level; (ii) the mission and business process level; and (iii) the information system level.

Figure 1. Tiered Risk Management Approach (NIST, 2010)

Tier 1 addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy that includes: (i) the techniques and methodologies the organization plans to employ to assess information system-related security risks and other types of risk of concern to the organization; (ii) the methods and procedures the organization plans to use to evaluate the significance of the risks identified during the risk assessment; (iii) the types and extent of risk mitigation measures the organization plans to employ to address identified risks; (iv) the level of risk the organization plans to accept (i.e., risk tolerance); (v) how the organization plans to monitor risk on an ongoing basis given the inevitable changes to organizational information systems and their environments of operation; and (vi) the degree and type of oversight the organization plans to use to ensure that the risk management strategy is being effectively carried out. As part of the overall governance structure established by the organization, the risk management strategy is propagated to organizational officials and contractors with programmatic, planning, developmental, acquisition, operational, and oversight responsibilities, including for example: (i) authorizing officials; (ii) chief information officers; (iii) senior information security officers; (iv) enterprise/information security architects; (v) information system owners/program managers; (vi) information owners/stewards; (vii) information system security officers; (viii) information system security engineers; (ix) information system developers and integrators; (x) system administrators; (xi) contracting officers; and (xii) users.

Tier 2 addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include: (i) defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations); (ii) prioritizing missions and business processes with respect to the goals and objectives of the organization; (iii) defining the types of information that the organization needs to successfully execute the stated missions and business processes and the information flows both internal and external to the organization; (iv) developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes; and (v) specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk.

Because subordinate organizations responsible for carrying out derivative or related missions and business processes may have already invested in their own methods of assessing, evaluating, mitigating, accepting and monitoring risk, parent organizations may allow a greater degree of autonomy within parts of the organization or across the entire organization in order to minimize costs. When a diversity of risk assessment methods is allowed, organizations may choose to employ when feasible, some means of translation and/or synthesis of the risk-related information to ensure that the output of the different risk assessment activities can be correlated in a meaningful manner.

Tier 3 addresses risk from an information system perspective and is guided by the risk decisions at Tiers 1 and 2. Risk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of needed safeguards and countermeasures (i.e., security controls) at the information system level. Information security requirements are satisfied by the selection of appropriate management, operational, and technical security controls from NIST Special Publication 800-53. The security controls are subsequently allocated to the various components of the information system as system-specific, hybrid, or common controls in accordance with the information security architecture developed by the organization. Security controls are typically traceable to the security requirements established by the organization to ensure that the requirements are fully addressed during design, development, and implementation of the information system. Security controls can be provided by the organization or by an external provider. Relationships with external providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain arrangements.

Risk management tasks begin early in the system development life cycle and are important in shaping the security capabilities of the information system. If these tasks are not adequately performed during the initiation, development, and acquisition phases of the system development life cycle, the tasks will, by necessity, be undertaken later in the life cycle and be more costly to implement. In either situation, all tasks are completed prior to placing the information system into operation or continuing its operation to ensure that: (i) information system-related security risks are being adequately addressed on an ongoing basis; and (ii) the authorizing official explicitly understands and accepts the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of a defined set of security controls and the current security state of the information system.

The Risk Management Framework (RMF) provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive [function], dissemination of updated threat and risk information to authorizing officials and information system owners). The RMF steps include:

• Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

• Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.

• Implement the security controls and describe how the controls are employed within the information system and its environment of operation.

• Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

• Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

• Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

In summary, there is a significant degree of flexibility in how organizations employ the risk management processes described above. While it is convenient to portray the risk management approach in Figure 1 as hierarchical, the reality of project and organization dynamics can be much more complex. The organizational management style may be at one or more points on the continuum from top-down command to consensus among peers. For risk management to succeed at all levels of the organization, the organization must have a consistent and effective approach to risk management that is applied to all risk management processes and procedures. Organizational officials identify the resources necessary to complete the risk management tasks described in this publication and ensure that those resources are made available to appropriate personnel. Resource allocation includes both funding to carry out the risk management tasks and assigning qualified personnel needed to accomplish the tasks (Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, 2010).

1.2.2 Information Risk Management and Information Security

This study places paramount emphasis on the concept of information risk management as a business issue, not a technical issue, which is ultimately the responsibility of senior management. For the purposes of this study, information risk management includes "information security," the technical means of protecting IT systems, and encompasses the total business process that balances the cost and potential gains of protective measures against the risks (A Balanced Approach to Managing Information Risk in an Unfriendly World: An Executive’s Guide, 2003).

1.2.3 Strategic Principles

Here are 10 principles to guide an effective top-down approach to information risk management.

1. It’s about the business! - The only purpose of an information risk management program is to support the agency’s mission. As a leader, focus relentlessly on this principle. It’s not about technology. It’s not just about compliance. It’s about achieving the right balance of information risk management to achieve your mission and goals.

2. The goal is balance. - The idea that information risk can be eliminated is impractical. Even if it were possible, the cost would prohibit it. Look also for balance among different types of risk.

3. Engage agency business executives. - Ensure business or program executives, not just your technology or security managers, take ownership of and responsibility for information risk management. They are responsible for the agency’s assets and strategic goals. They also are the ones who must make the critical judgments about the business impact of potential security lapses, threat motivations, and non-technical alternatives for absorbing the risk. Managers will routinely evaluate all sorts of risks to their programs; information risk is not fundamentally different. Include the functional executives from finance, legal, and stakeholder relations in an information risk management team led by the CIO or ISO. Leverage their authoritative insight into liability issues and risk mitigation alternatives that may not be apparent to program managers or technology staff. Give the members of the information risk management team responsibility for this function and hold them accountable.

4. Do first things first. - Separate short-term issues from long-term issues. Prioritize and track both. This study provides a manageable list of immediate steps to reduce risk that probably won’t require new funding. Don’t stop there. Sophisticated cyber-crime and ambitious e-government projects require more robust protection that takes longer to plan and implement. To build security into systems from the start, which is cheaper and more effective than adding it after a failure or an audit, you’ll need to upgrade your IT planning and management processes. Build skills and an agency management culture that deals effectively with information risk.

5. Know where you’re going. - Develop a blueprint of your target information security posture and a roadmap to get there. This is amazingly effective for coordinating efforts throughout a large organization. Projects that don’t fit the plan, or are duplicative, become easier to spot. It does wonders for explaining to funding authorities what the money is for and it builds confidence that you know what you’re doing.

6. Consider non-technical options first. - Use your business savvy to identify the most cost-effective solutions. It’s often both less expensive and more effective to eliminate or absorb risk without relying on technology. For example, an agreement to limit liability could be negotiated with a business partner. This is where engaging a non-technical executive in information risk management pays off.

7. Manage for results. - Set goals for the outcomes of security efforts rather than the outputs. Measure work time lost because of computer virus infections, not the number of viruses stopped. This approach is consistent with performance-based management. You must still comply with process-oriented audits, but completing a checklist never guarantees you’ll meet your mission goals.

8. Secure the whole business process, not just the automated parts. - Some risk analysis tools focus narrowly on computer systems and overlook significant non-automated portions of a business process. An enterprise architecture perspective directs attention to the high-level blueprint of the end-to-end business process, so threats to all (automated and non-automated) components of the process are considered. This approach also leads to development of a risk baseline, incorporating risks accepted in the business process as it operates today. This encourages establishment of realistic security goals.

9. Producing security documents will not manage your risks. - Manage information risk for effectiveness, not just for compliance. Establish an information risk management program, integrate security requirements into your business management processes, and take responsibility for information risk management to ensure cost-effective support of your mission and thereby achieve compliance. And let your Inspector General (IG) know you’re serious about information risk management. Seek agreement on how the audit approach can accelerate your plans, not delay them. You should reach out to the IG, as you are more likely to gain IG flexibility and cooperation than your staff.

10. Get involved. - A word from the boss draws attention to an issue. Make a brief progress report on the information security blueprint milestones a regular item in senior staff meetings. Sit in the front row at annual security-awareness training and ask a question. Celebrate and reward successes in information risk management. A few well-focused hours of your time each year can make a huge difference. (A Balanced Approach to Managing Information Risk in an Unfriendly World: An Executive’s Guide, 2003).

1.2.4 Information security measures background

This section provides basic information on what information security measures are and why information security performance should be measured. Additionally, this section defines types of measures that can be used; discusses the key aspects of making an information security measurement program successful; and identifies the uses of measures for management, reporting, and decision making.

1.2.4.1 Definition

NIST (National Institute of Standards and Technology) Special Publication 800-55 Revision 1, "Performance Measurement Guide for Information Security" (Chew, Swanson, Stine, Bartol, Brown, and Robinson, 2008), defines the topic as follows:

Information security measures are used to facilitate decision making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data. The purpose of measuring performance is to monitor the status of measured activities and facilitate improvement in those activities by applying corrective actions based on observed measurements.

Information security measures can be obtained at different levels within an organization. Detailed measures, collected at the information system level, can be aggregated and rolled up to progressively higher levels, depending on the size and complexity of an organization. While a case can be made for using different terms for more detailed and aggregated items, such as "metrics" and "measures," this document standardizes on "measures" to mean the results of data collection, analysis, and reporting. This document refers to the process of data collection, analysis, and reporting as "measurement."

Information security measures are based on information security performance goals and objectives. Information security performance goals state the desired results of an information security program implementation, such as, "All employees should receive adequate information security awareness training." Information security performance objectives enable accomplishment of goals by identifying practices defined by information security policies and procedures that direct consistent implementation of security controls across the organization. Examples of information security performance objectives, corresponding to the example goal cited above, are:

• All new employees receive new employee training.

• Employee training includes a summary of the Rules of Behavior.

• Employee training includes a summary of, and a reference to, the organization’s information security policies and procedures.

Information security measures monitor the accomplishment of goals and objectives by quantifying the implementation, efficiency, and effectiveness of security controls; analyzing the adequacy of information security program (ISP) activities; and identifying possible improvement actions. During measures development, goals and objectives from federal guidelines, legislation, regulations, and enterprise-level guidance are identified and prioritized to ensure that the measurable aspects of information security performance correspond to the operational priorities of the organization.

Information security measures must yield quantifiable information for comparison purposes, apply formulas for analysis, and track changes using the same points of reference. Percentages or averages are most common. Absolute numbers are sometimes useful, depending on the activity that is being measured.

Data required for calculating measures must be readily obtainable, and the process that is under consideration needs to be measurable. Only processes that can be consistent and repeatable should be considered for measurement. Even though the processes may be repeatable and stable, measurable data may be difficult to obtain if the processes and their performance have not been documented. Measures must use easily obtainable data to ensure that the burden of measurement on the organization does not defeat the purpose of measurement by absorbing resources that may be needed elsewhere. Examples of information security activities that can provide data for measurement include risk assessments, penetration testing, security assessments, and continuous monitoring. Other assessment activities (such as the effectiveness of a training and awareness program) can also be quantified and used as data sources for measures.

To be useful in tracking performance and directing resources, measures need to provide relevant performance trends over time and point to improvement actions that can be applied to problem areas. Management should use measures to review performance by observing trends, identifying and prioritizing corrective actions, and directing the application of those corrective actions based on risk mitigation factors and available resources. The measures development process ensures that measures are developed with the purpose of identifying causes of poor performance and of pointing to appropriate corrective actions.
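As an added illustration of the definition above (this code is not part of the essay or of NIST SP 800-55), the following Python computes one implementation measure, the percentage of new employees who completed awareness training, at the information system level, rolls it up to component and organization level as the section describes, tracks it across reporting periods, and flags groups below a target so management can direct corrective action. The system names, component names, periods, and counts are constructed sample data; the 90% target is an assumed value.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrainingRecord:
    system: str      # information system the new employees are assigned to
    component: str   # organizational component that owns the system
    period: str      # reporting period label, e.g. "2017-Q3"
    employees: int   # new employees in the period (denominator)
    trained: int     # new employees who completed awareness training (numerator)


# Constructed sample data (not from the page): four systems in three
# components over two reporting periods.
SAMPLE: List[TrainingRecord] = [
    TrainingRecord("HR-Portal", "HR", "2017-Q2", 10, 6),
    TrainingRecord("HR-Portal", "HR", "2017-Q3", 8, 8),
    TrainingRecord("Payroll", "Finance", "2017-Q2", 20, 15),
    TrainingRecord("Payroll", "Finance", "2017-Q3", 25, 22),
    TrainingRecord("GL", "Finance", "2017-Q2", 0, 0),
    TrainingRecord("GL", "Finance", "2017-Q3", 5, 3),
    TrainingRecord("CaseMgmt", "Legal", "2017-Q2", 4, 1),
    TrainingRecord("CaseMgmt", "Legal", "2017-Q3", 0, 0),
]


def percentage(numerator: int, denominator: int) -> Optional[float]:
    """Measure value as a percentage rounded to one decimal. A zero
    denominator (no new hires in the period) yields None, i.e. 'not
    applicable', rather than a misleading 0% or 100%."""
    if denominator == 0:
        return None
    return round(100.0 * numerator / denominator, 1)


def measure_by(records: List[TrainingRecord], period: str, key: str) -> Dict[str, Optional[float]]:
    """Measure for one period grouped by `key` ('system' or 'component').
    Numerators and denominators are summed before dividing, so the roll-up
    is the true percentage for the group, not an average of percentages
    (which would weight a 2-person system the same as a 200-person one)."""
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for r in records:
        if r.period != period:
            continue
        group = getattr(r, key)
        totals[group][0] += r.trained
        totals[group][1] += r.employees
    return {g: percentage(n, d) for g, (n, d) in sorted(totals.items())}


def organization_measure(records: List[TrainingRecord], period: str) -> Optional[float]:
    """Organization-wide roll-up: one ratio over all systems in the period."""
    n = sum(r.trained for r in records if r.period == period)
    d = sum(r.employees for r in records if r.period == period)
    return percentage(n, d)


def trend(records: List[TrainingRecord]) -> List[Tuple[str, Optional[float]]]:
    """Organization measure per period, in period order, for trend review."""
    periods = sorted({r.period for r in records})
    return [(p, organization_measure(records, p)) for p in periods]


def below_target(measures: Dict[str, Optional[float]], target: float) -> List[str]:
    """Groups whose measure falls short of the target. Groups with no data
    (None) are not flagged; they need a data-collection follow-up instead
    of a corrective action on training."""
    return [g for g, v in measures.items() if v is not None and v < target]


if __name__ == "__main__":
    period = "2017-Q3"
    print("By system:   ", measure_by(SAMPLE, period, "system"))
    print("By component:", measure_by(SAMPLE, period, "component"))
    print("Organization:", organization_measure(SAMPLE, period))
    print("Trend:       ", trend(SAMPLE))
    print("Below 90%:   ", below_target(measure_by(SAMPLE, period, "component"), 90.0))
```

Summing counts before dividing is the detail that matters when detailed measures are "rolled up to progressively higher levels": averaging the system-level percentages would give Finance (22 of 25 and 3 of 5) a different figure than its actual 25 of 30. Reporting the zero-denominator case as "not applicable" keeps a component with no new hires from distorting the trend.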

1.2.4.2 Benefits of using measures

An information security measurement program provides a number of organizational and financial benefits. Major benefits include increasing accountability for information security performance; improving effectiveness of information security activities; demonstrating compliance with laws, rules and regulations; and providing quantifiable inputs for resource allocation decisions.

Increase Accountability: Information security measures can increase accountability for information security by helping to identify specific security controls that are implemented incorrectly, are not implemented, or are ineffective. Data collection and analysis processes can facilitate identification of the personnel responsible for security controls implementation within specific organizational components or for specific information systems.

Improve Information Security Effectiveness: An information security measurement program will enable organizations to quantify improvements in securing information systems and demonstrate quantifiable progress in accomplishing agency strategic goals and objectives. Information security measures can assist with determining the effectiveness of implemented information security processes, procedures, and security controls by relating results of information security activities and events (e.g., incident data, revenue lost to cyber attacks) to security controls and information security investments.

Demonstrate Compliance: Organizations can demonstrate compliance with applicable laws, rules, and regulations by implementing and maintaining an information security measurement program. Information security measures will assist in satisfying the annual FISMA reporting requirement to state performance measures for past and current fiscal years. Additionally, information security measures can be used as input into the Government Accountability Office (GAO) and Inspectors General (IG) audits. Implementation of an information security measurement program will demonstrate agency commitment to proactive information security. It will also greatly reduce time spent by agencies in collecting data, which is routinely requested by the GAO and IG during audits and for subsequent status updates.

Provide Quantifiable Inputs for Resource Allocation Decisions: Fiscal constraints and market conditions compel government and industry to operate on reduced budgets. In such an environment, it is difficult to justify broad investments in the information security infrastructure. Information security investments should be allocated in accordance with a comprehensive risk management program. Use of information security measures will support risk-based decision making by contributing quantifiable information to the risk management process. It will allow organizations to measure successes and failures of past and current information security investments, and should provide quantifiable data that will support resource allocation for future investments. Using the results of the measures analysis, program managers and system owners can isolate problems, use collected data to justify investment requests, and then target investments specifically to the areas in need of improvement. By using measures to target security investments, these measures can aid organizations in obtaining the best value from available resources.

1.2.4.3 Types of Measures

The maturity of an organization’s information security program determines the type of measures that can be gathered successfully. A program’s maturity is defined by the existence and institutionalization of processes and procedures. As an information security program matures, its policies become more detailed and better documented, the processes it uses become more standardized and repeatable, and the program produces a greater quantity of data that can be used for performance measurement.

Figure 2 (NIST, 2008) depicts this continuum by illustrating measurement considerations for information security programs. As Figure 2 illustrates, less mature information security programs need to develop their goals and objectives before being able to implement effective measurement. More mature programs use implementation measures to evaluate performance, while the most mature programs use effectiveness/efficiency and business impact measures to determine the effect of their information security processes and procedures.

An information security program is dependent upon upper-level management support to define its goals and objectives. These goals and objectives may be expressed through information security policies and processes at the program’s inception, or in a variety of other sources. Information security policies are documented, and information security procedures begin to stabilize, as the program is implemented and begins to mature. To be useful, information security measurement requires existence of documented procedures and some available data on the implementation of security controls.

Figure 2. ISP Maturity and Types of Measurement (NIST, 2008)

A mature program normally uses multiple tracking mechanisms to document and quantify various aspects of its performance. As more data becomes available, the difficulty of measurement decreases and the ability to automate data collection increases. Data collection automation depends on the availability of data from automated sources versus data input by personnel. Manual data collection involves developing questionnaires and conducting interviews and surveys with the organization’s staff. As an information security program matures, more usable data becomes available from semi-automated and automated data sources, such as self-assessment tools, certification and accreditation (C&A) databases, and incident reporting/response databases. Measures data collection is considered fully automated when all data is gathered by automated data sources without human involvement or intervention.

Types of measures (implementation, effectiveness/efficiency, and impact) that can realistically be obtained and are useful for performance improvement depend on the maturity of the security control implementation. Although different types of measures can be used simultaneously, the primary focus of information security measures shifts as implementation of the information security program matures. As information security program goals and strategic plans are documented and implemented, the ability to reliably collect the outcome of their implementation improves. As an organization’s information security program evolves and performance data becomes more readily available, measures will focus on program effectiveness/efficiency and the operational results of security control implementation. Once information security is integrated into an organization’s processes, the processes become repeatable, measurement data collection becomes fully automated, and the mission or business impact of information security-related actions and events can be determined by analyzing and correlating the measurement data.
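As an added example, not taken from the thesis or from the NIST (2008) guide it cites, the following Python computes one measure of each type described above (implementation, effectiveness/efficiency, and impact) from constructed system and incident records for two reporting periods, and classifies the period-over-period trend the way the discussion of trends and corrective actions above expects management to read it. It also shows the point made earlier about documentation: a system whose procedures are not yet documented is excluded from the implementation measure and reported as a coverage gap rather than silently counted as zero. The record layouts, the 72-hour containment target, the tolerance used to call a trend "stable", and all sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SystemRecord:
    system_id: str
    period: str
    documented: bool           # procedures documented -> control data is collectable
    controls_required: int
    controls_implemented: int


@dataclass(frozen=True)
class IncidentRecord:
    incident_id: str
    period: str
    detected: datetime
    contained: datetime
    loss_usd: float


# Constructed sample data for two reporting periods (hypothetical values, not real agency data).
SYSTEMS = [
    SystemRecord("sys-a", "2011-Q1", True, 20, 12),
    SystemRecord("sys-b", "2011-Q1", True, 10, 7),
    SystemRecord("sys-c", "2011-Q1", False, 15, 0),   # undocumented: not measurable yet
    SystemRecord("sys-a", "2011-Q2", True, 20, 17),
    SystemRecord("sys-b", "2011-Q2", True, 10, 9),
    SystemRecord("sys-c", "2011-Q2", True, 15, 8),    # procedures documented in Q2
]
INCIDENTS = [
    IncidentRecord("inc-1", "2011-Q1", datetime(2011, 1, 3, 9), datetime(2011, 1, 4, 9), 5000.0),
    IncidentRecord("inc-2", "2011-Q1", datetime(2011, 2, 10, 8), datetime(2011, 2, 14, 8), 20000.0),
    IncidentRecord("inc-3", "2011-Q1", datetime(2011, 3, 1, 0), datetime(2011, 3, 3, 0), 3000.0),
    IncidentRecord("inc-4", "2011-Q2", datetime(2011, 4, 5, 12), datetime(2011, 4, 6, 0), 1000.0),
    IncidentRecord("inc-5", "2011-Q2", datetime(2011, 5, 2, 8), datetime(2011, 5, 4, 20), 4000.0),
    IncidentRecord("inc-6", "2011-Q2", datetime(2011, 5, 20, 0), datetime(2011, 5, 23, 8), 12000.0),
    IncidentRecord("inc-7", "2011-Q2", datetime(2011, 6, 1, 6), datetime(2011, 6, 2, 12), 2000.0),
]


def implementation_measure(systems, period):
    """Implementation measure: percentage of required controls implemented in the period.

    Returns (percentage, coverage). Coverage is the share of systems whose procedures
    are documented well enough for the data to be collected at all; undocumented
    systems are excluded from the percentage instead of being counted as 0 %."""
    in_period = [s for s in systems if s.period == period]
    measurable = [s for s in in_period if s.documented]
    required = sum(s.controls_required for s in measurable)
    implemented = sum(s.controls_implemented for s in measurable)
    pct = 100.0 * implemented / required if required else 0.0
    coverage = len(measurable) / len(in_period) if in_period else 0.0
    return round(pct, 2), round(coverage, 2)


def effectiveness_measure(incidents, period, target_hours=72.0):
    """Effectiveness/efficiency measure: percentage of incidents contained within target.

    The 72-hour target is an assumed service level, not one the thesis states."""
    in_period = [i for i in incidents if i.period == period]
    if not in_period:
        return 0.0
    within = sum(1 for i in in_period
                 if (i.contained - i.detected).total_seconds() / 3600.0 <= target_hours)
    return round(100.0 * within / len(in_period), 2)


def impact_measure(incidents, period):
    """Business impact measure: total loss attributed to incidents in the period."""
    return sum(i.loss_usd for i in incidents if i.period == period)


def trend(values, higher_is_better=True, tolerance=1.0):
    """Classify movement between the last two periods as improving, stable or deteriorating."""
    if len(values) < 2:
        return "insufficient data"
    delta = values[-1] - values[-2]
    if abs(delta) <= tolerance:
        return "stable"
    improved = delta > 0 if higher_is_better else delta < 0
    return "improving" if improved else "deteriorating"


def scorecard(systems, incidents, periods):
    """Per-measure series across periods plus the trend a manager would act on."""
    impl = [implementation_measure(systems, p)[0] for p in periods]
    eff = [effectiveness_measure(incidents, p) for p in periods]
    impact = [impact_measure(incidents, p) for p in periods]
    return {
        "implementation_pct": (impl, trend(impl)),
        "contained_within_target_pct": (eff, trend(eff)),
        "incident_loss_usd": (impact, trend(impact, higher_is_better=False)),
    }


if __name__ == "__main__":
    for name, (series, direction) in scorecard(SYSTEMS, INCIDENTS, ["2011-Q1", "2011-Q2"]).items():
        print(f"{name}: {series} -> {direction}")
```

The coverage value matters as much as the percentage: a 63 % implementation figure that covers only two of three systems is a different finding from the same figure at full coverage, and the gap is itself the first corrective action (document the missing procedures so the system becomes measurable).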

1.2.4.4 Measurement Considerations

Organizations embarking on information security performance measurement should be aware of several considerations that can help make their program a success. These include specific organizational structure and processes as well as an understanding of required budget, personnel, and time resources.

1.2.4.5 Information Security Measurement Program Scope

An information security measurement program can be scoped to a variety of environments and needs:

• Quantifying information system-level security performance for an operational information system;

• Quantifying the integration of information security into the system development life cycle (SDLC) during information system and software development processes; and

• Quantifying enterprise-wide information security performance.

Information security measures can be applied to organizational units, sites, or other organizational constructs. Organizations should carefully define the scope of their information security measurement program based on specific stakeholder needs, strategic goals and objectives, operating environments, risk priorities, and information security program maturity.

1.3 Problem Statement

Today’s senior decision-making managers in the public and private sectors face the following information security concerns and expenditure issues (Brodkin, 2008; Chapman, 2008):

+ How much should be invested in information security? (Duffy, 2003; Witty, 2001)

+ How does one calculate the return-on-investment (ROI) for their security investments? (Berinato, 2002; Connolly, 2006; Mercuri, 2003; Mimoso, 2002; Schneier, 2008; Schwartau, 2008; Surmacz, 2002)

+ How does one portray to customers, partners, affiliates, and insurance companies, the "security health" of the organization and whether that "health" is improving, stable or deteriorating? (Baker, 2006; Chapin & Akridge, 2005; Gordon, Loeb, & Sohail, 2003; MacLean & Jaquith, 2006)

These growing threats, together with increasingly complex compliance environments, require senior managers to "index" the enterprise security health of their organizations.

In other investment areas, senior managers have solved this problem by using:

+ Enterprise Resource Planning (ERP) (Keen & Digrius, 2002; Saunders, 2007)

+ Customer Relationship Management (CRM) (Dyché, 2001)

+ Human Resources (HR) / Human Capital Management (HCM) (Fitz-enz, 2000)

Senior managers can make investment decisions based on ROI analysis in each of these areas, because they have a "Return" metric which estimates and calculates how much "benefit" they are receiving for each $1.00 invested.

Thus, to produce ROI analyses for security investments, and to measure security health over time, senior managers need an information security metric. However, few senior managers have adopted a "return" metric for information security (InfoSec) for their enterprise (M. Schwartz, 2003). Without such an enterprise-wide Organization Information Security Metric (OISM), senior managers cannot calculate or make InfoSec investment decisions with ROI analysis (E. Schwartz, 2003; Schwartz, 2004; M. Schwartz, 2003).

To address this "security investment decision" problem, the study sought to identify and assess the factors that affect decision-making managers’ willingness to adopt OISM.

1.4 Reason and Opportunity for Research

This research is motivated by a number of orders, circulars, decrees, decisions and directives of the Central Government, the National Assembly, the Government, and the Ministries/Departments/Organizations, together with written guidance from provinces/cities on a safe legal environment for information security in the digital age. In particular, the following guidance documents have been issued:

- The Planning on Digital Content Safety to 2010 (Prime Minister’s Decision No. 63/QD-TTg on Jan 13, 2010).

- Directive No. 879/CT-TTg of June 10, 2011 of Prime Minister on strengthening the deployment of secure digital information operations.

- Circular No. 23/2011/TT-BTTTT dated August 11, 2011 of the Ministry of Information and Communications on the management, operation and use of, and assurance of information security on specialized data transmission networks in party and state agencies.

- Directive No. 03/2007/CT-BBCVT dated Feb 23, 2007 of the Ministry of Post and Telecommunications on enhancing information security on the Internet.

- Joint Circular No. 06/2008/TTLT-BTTTT-BCA dated November 28, 2008 of the Ministry of Information and Communication and the Ministry of Public Security on assurance of infrastructure safety and information security in post, telecommunications and information technology activities.

- Circular No. 25/2010/TT-BTTTT dated 15/11/2010 of the Ministry of Information and Communications on collection, use, sharing, security assurance and protection of personal information on website or portals of state agencies.

- Official Letter No. 1790/BTTTT-VNCERT dated 20/06/2011 of Ministry of Information and Communications on strengthening security for the port/site.

- Official Letter No. 2132/BTTTT-VNCERT dated 18/07/2011 of the Ministry of Information and Communications on the "Guidance to ensure information safety for the electronic information portal/page".

These documents direct organizations to apply solutions that ensure information security and protect against viruses and malicious code on the information systems and personal computers that they manage and that are connected to the Internet. Other important documents are listed in the section "The Legal Environment of Digital Information Security in Vietnam" (Appendix 9).

Schwartz (2003) stated that information assurance (IA) metrics are not only difficult to interpret, but also difficult to implement. Metrics have historically been available; however, despite potential benefits such as an increase in overall security effectiveness, metrics have been largely ignored by many organizations. The reasons organizational security professionals choose to rely on best practices instead of metrics are two-fold: 1) existing metrics are too complex to implement, and 2) they perceive that metrics may represent a threat to their jobs, because metrics can highlight security weaknesses in their organizations (Schwartz, 2003).

The protection afforded to an organization’s IT resources through the unplanned and uncoordinated implementation of IA tools cannot be expected to be adequate or especially cost-effective (Hulme, 2002; Lindstrom, 2002). Instead, an organization must start with a deliberate and systematic process of formally establishing policies and procedures to ensure that a fully functional, well integrated, and cost-effective security infrastructure is an integral part of its enterprise’s IT resources. With this in mind, it is the responsibility of every organization to protect its own systems and data.

With regards to new security products, "organizational decision making can be quite complicated when considering the adoption of new technology" (Lease, 2005, p. 5). OISM has certain characteristics and challenges that compound the difficulty of making the decision to adopt this type of solution. The overall goal of this study is to provide decision-makers with the improved insight and knowledge necessary to make the often difficult and complex decisions about OISM adoption.

The perceptions of IT managers and professionals play an influencing role in their decisions on the selection and adoption of security technologies for their organizations (Dynes, Brechbuhl, & Johnson, 2005). Based on these findings, the researcher believes that it is appropriate to evaluate the perceptions of decision-making managers regarding OISM, and their willingness to consider adopting OISM, as integral elements in the overall organizational technology adoption decision process. Researchers ascribed the rationale for the choice to recommend a new security technology to the perceptive areas of its cost-effectiveness, reliability, organizational need, and function-effectiveness (Craig & Hamid-Noori, 1985; Ettlie, 1986, 2000; Meridith & Hill, 1987; Putnam, 1987; Roberts & Pick, 2004).

Based on the literature review findings, this study focused on the factors that influence decision-making managers’ willingness to adopt OISM. Drawing from the extant literature and prior refinement of the relevant concepts, the study gauged the influence of security function-effectiveness, organizational need, reliability, cost-effectiveness, change acceptance, and ease of use on managers’ willingness to adopt OISM. The study therefore provides information for decision-makers and OISM security services/solution providers to help them better understand:

+ What factors influence a manager’s willingness to adopt OISM?

1.5 Research Objective

The research objective in this study was accomplished by identifying the factors affecting an organization’s willingness to adopt OISM. The results will enable decision making managers and other stakeholders to better understand the factors influencing their willingness to adopt OISM. The results will also contribute to the fields of information technology and information security/assurance, as well as highlight the importance of the perceptions of decision-making managers regarding OISM.

This study serves individuals associated with the design, development, implementation, operation, maintenance, and disposition of federal information systems including:

• Individuals with mission/business ownership responsibilities or fiduciary responsibilities (e.g., heads of federal agencies, chief executive officers, chief financial officers);

• Individuals with information system development and integration responsibilities (e.g., program managers, information technology product developers, information system developers, information systems integrators, enterprise architects, information security architects);

• Individuals with information system and/or security management/oversight responsibilities (e.g., senior leaders, risk executives, authorizing officials, chief information officers, senior information security officers);

• Individuals with information system and security control assessment and monitoring responsibilities (e.g., system evaluators, assessors/assessment teams, independent verification and validation assessors, auditors, or information system owners); and

• Individuals with information security implementation and operational responsibilities (e.g., information system owners, common control providers, information owners/stewards, mission/business owners, information security architects, information system security engineers/officers).

1.6 Significance of the Study

The significance of this dissertation topic is as follows:

First, the research results indicate the general view on the acceptability of OISM across the identified factors and from different aspects. At the same time, the study compares acceptance of OISM by gender, age, educational level, job position, and type of organization.

Second, this study helps identify the scale factors used to measure information security within an organization and the factors influencing acceptance of measurement technology, from which the managers of business enterprises, companies, and organizations can build policies appropriate to their organizations to improve information security.

Third, this study is exploratory and serves as a basis for further studies on the impact on managers of national information security standards, and on procedures for building information security measurement scales in the future.

Fourth, this study is one of the source documents for constructing an information safety assessment program; for training lectures in information security programs at universities/institutes; for short-term programs to standardize safety knowledge for leaders/managers; and for a number of other studies in the field of information security and information security management systems. From this, a process for building an information security roadmap for e-government in Vietnam can follow.

Finally, the study is a new discovery and a breakthrough in the field of information security in conjunction with the factors affecting management decisions, contributing to new research on information safety worldwide, in a field that is still rather new in Vietnam.

1.7 Research Question(s)

Drawn from the extant literature and with prior refinement of the relevant concepts of security technology adoption for biometric security technologies by Lease (2005), this study investigated six research questions. Each of the research questions gauged the respective aspects of the decision-making manager’s perceptions of OISM, relative to six factors identified in the literature: security function-effectiveness, organizational need, reliability, change acceptance, ease of use, and anticipated cost-effectiveness of OISM. The specific research questions were as follows:

Question 1. Is a manager’s willingness to adopt OISM independent of his/her perception of its function-effectiveness?

Question 2. Is a manager’s willingness to adopt OISM independent of his/her perception of its need?

Question 3. Is a manager’s willingness to adopt OISM independent of his/her perception of its reliability?

Question 4. Is a manager’s willingness to adopt OISM independent of his/her perception of its cost-effectiveness?

Question 5. Is a manager’s willingness to adopt OISM independent of his/her perception of its change acceptance?

Question 6. Is a manager’s willingness to adopt OISM independent of his/her perception of its ease of use?

1.8 Definition of Terms

An information system – is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

A federal information system – is an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

Agency Head - The specific Agency Head responsibilities related to information security measurement are as follows:

• Ensuring that information security measures are used in support of agency strategic and operational planning processes to secure the organization’s mission;

• Ensuring that information security measures are integrated into annual reporting on the effectiveness of the agency information security program by the Chief Information Officer (CIO);

• Demonstrating support for information security measures development and implementation, and communicating official support to the agency;

• Ensuring that information security measurement activities have adequate financial and human resources for success;

• Actively promoting information security measurement as an essential facilitator of information security performance improvement throughout the agency; and

• Approving policy to officially institute measures collection. (Performance Measurement Guide for Information Security, 2008).

BSC - Balanced Scorecard: This term was first used by Kaplan and Norton to describe how an organization measures performance comprehensively, on the principle that an organization's activities should be considered from many different perspectives.

CEO – Chief Executive Officer is the highest-ranking corporate or executive officer in an organization, with ultimate authority over the management of the organization (Chief Executive Officer, 2006).

CIO – for the purposes of this study, the CIO or Chief Information Officer is defined as the Information Systems Leader; "the senior executive responsible for establishing corporate information policy, standards, and management control over all corporate information resources" (Synnott & Gruber, 1981, p. 66). The Chief Information Officer (CIO) has the following responsibilities related to information security measurement:

• Using information security measures to assist in monitoring compliance with applicable information security requirements;

• Using information security measures in annually reporting on effectiveness of the agency information security program to the agency head;

• Demonstrating management’s commitment to information security measures development and implementation through formal leadership;

• Formally communicating the importance of using information security measures to monitor the overall health of the information security program and to comply with applicable regulations;

• Ensuring information security measurement program development and implementation;

• Allocating adequate financial and human resources to the information security measurement program;

• Reviewing information security measures regularly and using information security measures data to support policy, resource allocation, budget decisions, and assessment of the information security program posture and operational risks to agency information systems;

• Ensuring that a process is in place to address issues discovered through measures analysis and taking corrective actions such as revising information security procedures and providing additional information security training to staff; and

• Issuing policy, procedures, and guidelines to officially develop, implement, and institute measures (Performance Measurement Guide for Information Security, 2008).

Information Assurance: Information assurance pertains to the operations of an organization that "protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities" (ATIS, 2007).

Information Security Metric/Security Metric/Information Technology (IT) Security Metric/Information Assurance (IA) Metric/Enterprise-Level Security Metric: These terms may be used interchangeably, due to the varied cited references from the literature. The Organization Information Security Metric (OISM) is the term to be used in this study for consistency.

IS – Information Systems constitute a "set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information" (Committee on National Security Systems, 2003, p. 33).

Information Security Assessment – An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives. Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing. Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors. Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence. Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence. Assessment results are used to support the determination of security control effectiveness over time (Technical Guide to Information Security Testing and Assessment, 2008).

Information System Security Officer - The Information System Security Officer (ISSO) has the following responsibilities related to information security measurement:

• Participating in information security measurement program development and implementation by providing feedback on the feasibility of data collection and identifying data sources and repositories; and

• Collecting data or providing measurement data to designated staff that are collecting, analyzing, and reporting the data (Performance Measurement Guide for Information Security, 2008).

Information Technology: Information technology, as defined by the Information Technology Association of America (ITAA) is: "the study, design, development, implementation, support or management of computer-based information systems, particularly software applications and computer hardware." In short, IT deals with the use of electronic computers and computer software to convert, store, protect, process, transmit and retrieve information securely.

KPI - Key Performance Indicators: This term is defined as the management indicators used to measure, report on, and improve work efficiency. These indicators can be classified as primary outcome indicators, performance indicators, and key performance indicators.

Organization Information Security Metric (OISM): (Excerpted and adapted from IRC Definition for Enterprise-Level Security Metric) "Along with the systems and component-level metrics that have been mentioned in the preceding ’hard problems,’ and the technology-specific metrics that are continuing to emerge with new technologies year after year, it is essential to have a macro-level view of security within an organization. What happens when all the systems, processes, and tools are turned on? Today, government decision makers and corporate leaders do not have answers to important questions such as, "How secure is my organization? Has our security posture improved over the last year? To what degree has security improved in response to changing threats and technology? How do we compare with our peers? How secure is this product or software that we are purchasing? How does it fit into the existing systems and networks? What is the marginal change in our security, given the use of a new tool or practice?" Most organizations view the answers to these questions in the short term from a financial mind-set and make a cost-benefit trade analysis. The decisions resulting from this analysis will frequently be to the detriment of significant improvements in security in the long term, which may require costly new development." (IRC, 2005, p. 31).

Program Manager/Information System Owner - Program managers, as well as information system owners, are responsible for ensuring that proper security controls are in place to address the confidentiality, integrity, and availability of information and information systems. The program manager/information system owner has the following responsibilities related to information security measurement:

• Participating in information security measurement program development and implementation by providing feedback on the feasibility of data collection and identifying data sources and repositories;

• Educating staff on the development, collection, analysis, and reporting of information security measures and how it will affect information security policy, requirements, resource allocation, and budget decisions;

• Ensuring that measurement data is collected consistently and accurately and is provided to designated staff who are analyzing and reporting the data;

• Directing full participation and cooperation of staff, when required;

• Reviewing information security measures data regularly and using it for policy, resource allocation, and budget decisions; and

• Supporting implementation of corrective actions, identified through measuring information security performance (Performance Measurement Guide for Information Security, 2008).

Risk – is a measure of the extent to which an entity is threatened by a potential circumstance or event, and a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Senior Agency Information Security Officer - Depending upon the agency, the Senior Agency Information Security Officer (SAISO) may sometimes be referred to as the Chief Information Security Officer (CISO). Within this document, the term SAISO is used to represent both the SAISO and the CISO. The SAISO has the following responsibilities related to information security measurement:

• Integrating information security measurement into the process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the agency;

• Obtaining adequate financial and human resources to support information security measurement program development and implementation;

• Leading the development of any internal guidelines or policy related to information security measures;

• Using information security measures in support of the agency CIO’s annual reporting to the agency head on the effectiveness of the agency’s information security program, including progress of remedial actions;

• Conducting information security measures development and implementation;

• Ensuring that a standard process is used throughout the agency for information security measures development, creation, analysis, and reporting; and,

• Using information security measures for policy, resource allocation, and budget decisions (Performance Measurement Guide for Information Security, 2008).

Senior Manager/Senior Management: The reference to a senior manager or senior management in a company or organization in this study applies to those persons whose job is to make and implement major decisions, such as OISM adoption. More specifically, senior managers/management can either be an individual, or a team of individuals, at the highest level of organizational management with the responsibility of making capital investment decisions.

The Term organization – is used in


