Inter Organizational Perspective Of Information Security Management


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract

In today’s business environment, an effective information system is part of the indispensable infrastructure of most organizations. As organizations depend more on information systems to perform most of their business operations, concerns about controlling and securing information have become paramount. Increased organizational dependence on information systems has led to a corresponding increase in the impact on the organization of compromised information security. In this context, information security management (ISM) is a critical issue that has begun to attract the attention of the research and practitioner communities. ISM includes ensuring the security of information through proactive management of information security risks, threats and vulnerabilities. This necessitates building ISM into daily business operations and aligning it with the overall business objectives of the organization. Further, when business transcends organizational boundaries and has to interplay with diverse cultures, standards, policies, practices and regulations, the security process becomes all the more complicated. This has become an issue of great concern in a global supply chain setting. Therefore, this paper reviews the earlier studies done in the area of ISM from intra- and inter-organizational as well as supply chain perspectives and attempts to suggest an agenda for future research. The current research thus proposes a framework for information security in a supply chain context, encompassing intra- and inter-organizational perspectives.

An Intra- and Inter-organizational Perspective of Information Security Management: Literature Review and Research Framework

Introduction

In today’s business environment, an effective information system is part of the essential infrastructure of most organizations. Information systems include not only the hardware, software, data and other information assets, but also the people, policies and procedures associated with gathering, distributing, using and maintaining the information. As organizations rely more and more on information systems to perform most of their business operations, concerns about controlling and securing information have become paramount. Increased organizational dependence on information systems has led to a corresponding increase in the impact on the organization of compromised information security (Kankanhalli et al. 2003). In this context, information security management (ISM) is a critical issue that has begun to attract the attention of the research and practitioner communities. ISM focuses on streamlining the management activities that create an organizational framework within which the information system operates, and aims mainly at protecting the information assets of the organization (Karyda et al. 2005). It includes ensuring the security of information through proactive management of information security risks, threats and vulnerabilities. This necessitates building ISM into daily business operations and aligning it with the overall business objectives of the organization.

ISO 27001 (2005) defines the management aspects of information security, the information security management system, as ‘that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security’. It states that this includes ‘organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources’. The real challenge of information systems is to ensure that the information is of the highest quality in terms of timeliness, completeness, accuracy, confidentiality, reliability, readability and appropriateness (Wang and Strong 1996; Caby et al. 1995; Miller 1996). Organizations that experience unacceptably high levels of security abuse seldom provide consistently high quality information resources to meet managers’ requirements (Garg et al. 2003). The cost of compromised information, for any reason, is extremely grave: monetary losses, disruption of internal processes and communication, loss of potential sales, loss of competitive advantage, wasted time, effort and manpower, lost business opportunities, and damage to reputation, goodwill, trust and business relationships (Dhillon and Moores, 2001).

Further, when business transcends organizational boundaries and has to interplay with diverse cultures, standards, policies, practices and regulations, the security process becomes all the more complicated. This has become an issue of great concern in a global supply chain setting. Recent research in supply chain management has been characterized by an increased emphasis on collaboration and shared vision between trading partners for competitive advantage. This paradigm shift from competition to collaboration has been enabled by the explosive growth of internet-enabled inter-organizational information systems as a medium of information exchange between trading partners. According to Premkumar (2000), inter-organizational systems (IOS) provide the technology infrastructure to facilitate the flow of information along the chain and thereby support the smooth flow of goods. The author discusses various management issues and technology strategies for successful implementation of supply chains and IOS, among which data security is mentioned as a management concern because an IOS gives trading partners access to information in the firm’s databases. The security of information communicated between supply chain partners is always at risk, because the communication channels themselves introduce weaknesses that have to be controlled. Though various security measures can be implemented, they still leave the firm and its trading partners exposed to some residual data risk. The firm may be concerned about intruders breaking into its database and obtaining confidential information about its operations. The partners may be worried about their competitors obtaining information about their business dealings with the firm. Also, in an IOS, trading partners may be concerned about the security systems that protect their information in their partners’ databases.

In this paper, we analyze the previous research done in the area of ISM. As pointed out by Gerber et al. (2001), although the literature on information security has used terms such as ‘computer security’, ‘information systems security’, ‘information technology security’, ‘supply chain security’ and so on, the primary goal has always been to protect ‘information’, the key organizational asset. Further, as observed by von Solms (1998), the concept of information security was gradually promoted from merely a domestic technical concern to a multi-disciplinary, cross-functional, trans-border security issue. In this research, two broad parallel streams have been identified in which to explore the information security literature, namely Information Systems/Information Technology (IS/IT) and Supply Chain Management. In the next section, an overview of information security research is given, followed by a theme-wise categorization of topics from the literature.

Information Security Research: an Overview

Russell and Gangemi (1991) observed that the concept of information security can be dated back to the origin of information itself, and that the practice of protecting information started from the time it began to be transmitted, stored and processed for various purposes. Dlamini et al. (2009) discussed in detail the evolution of information security research. The authors pointed to evidence of information safety practices in the first century BC, when Julius Caesar used secret codes (a simple shift cipher) to prevent confidential information from being intercepted or leaked during message transfer. During the 19th century, the invention of the telegraph and telephone and the associated information safety practices, in the form of encryption codes and legislation against wiretapping, exemplified the importance of information security. Later, in the mid-20th century, with the advent of computers and mainframes, the scope of security expanded beyond the protection of confidential information to setting access controls for the physical and logical locations of data storage, and to safeguarding business reputation and maintaining a competitive posture. The scope of information security widened further with the introduction of network computing, mini-computers and personal computers. Safeguarding mechanisms such as cryptographic techniques, anti-virus definitions and digital signatures appeared in the world of computing, and security policies and control mechanisms were developed to protect information. Thus the practice of information security gradually evolved from securing hand-written messages, telegrams and telephone conversations to the much larger world of network computing, and its focus shifted from the basic secrecy of information to more advanced accessibility policies and access control mechanisms.

Table 1 here

Over these years, information security research has evolved from an information systems perspective to an organizational perspective, with a broader focus and wider appeal. The literature on security is spread widely across streams such as information systems, information technology, organizational security, supply chain security and information security. Table 1 summarizes information security research according to its diverse conceptual underpinnings. The next sections give a theme-wise discussion of the earlier studies in the ISM domain.

Theme 1: Information Security Research: Evolution and Contributions

Dlamini et al. (2009) discussed the evolution of information security, investigated information security trends from the past to the present and gave indications about future trends. The authors conducted a two-phase study which involved (1) an assessment of articles on information security that appeared during 2005 and 2006 in the four journals that had information security as their prime focus, namely Computers & Security, Computer Fraud & Security, IEEE Security & Privacy and Information Management & Computer Security, and (2) an analysis of the reports issued by CSI/FBI and the SANS Institute for 2006. During phase 1, the topics covered under information security were identified in brainstorming sessions and the top five topics published in each journal were prioritized. The topics identified as most published were information security management, information security awareness, digital forensics, legal and regulatory compliance, physical security, network security, software security, privacy and risk management. During phase 2, the existing CSI/FBI and SANS survey reports were analyzed to identify the most critical security issues for the next two years. The top five issues of the CSI/FBI survey were data protection, policy and regulatory compliance, identity theft and leakage of private information, worms and viruses, and management involvement and risk management. The top five issues of the SANS survey were encryption, theft of computing devices, legislation governing the protection of customer information, the increase in targeted attacks and the increase in cell phone worms. Comparing the two phases, the authors pointed out that information security has a much broader focus than purely technical aspects, taking in legal and regulatory compliance, risk management and information security management.
They also noticed a major shift in attitude in information security, moving from purely reactive technical measures applied as an afterthought towards a more proactive, strategic approach. Moreover, the authors pointed out the areas revealed by the survey of journal publications as less discussed, such as information security awareness and training, incident response and disaster recovery, and the social, cultural and ethical aspects of human resources and organizational policies. The authors also recommended a multidisciplinary approach for future research in the information security domain.

Some of the relevant information security (InfoSec) research contributions are summarized in Table 2.

Table 2 here

Theme 2: Technological, Organizational and Human Aspects of Information Security

Beznosov and Beznosova (2007) observed that over 94 percent of computer security research activity focused on technological aspects such as cryptography, digital signatures, firewalls, anti-virus applications, access control, intrusion detection and biometrics, while only the remaining 6 percent addressed social and human factors, even though most security breaches originate in those factors. Recent research likewise acknowledges the importance of the human, social and organizational factors that interplay with the technological ones (Dhillon, 2007; Beznosov & Beznosova, 2007; Tan & Hunter, 2002; Dhillon & Torkzadeh, 2006; Kraemer & Carayon, 2007). Though technological solutions for ensuring information security may be sophisticated and stringent, humans are the first line of defense for securing information assets (Chen et al., 2008) and the human factor is the weakest link in the information security chain (Wilson & Hash, 2003; Finne, 1996).

Werlinger et al. (2009) presented a holistic view of the challenges faced by information technology (IT) practitioners in their organizations from human, organizational and technological perspectives. The authors developed an integrated framework of the challenges that hinder the effective implementation of information security controls, using data collected through 36 semi-structured interviews with security practitioners from 17 organizations. The human challenges identified were lack of security training, lack of a security culture and poor communication of security issues. Organizational challenges included risk estimation, open environments and freedom, lack of budget, security being a secondary priority, tight schedules, business relationships with other organizations, distribution of IT responsibilities, access control to sensitive data, organization size and top management support. Technological challenges comprised complexity of systems, vulnerabilities in systems and applications, mobile and distributed access, and lack of efficient security tools.

Kankanhalli et al. (2003) developed an integrated model that proposed relationships among organizational factors, information system (IS) security practices and IS security effectiveness. The study categorized information security practices or measures as deterrent and preventive, a classification adopted from previous studies on IS security. The organizational factors considered were organization size, top management support and industry type. The study hypothesized that organizational factors are positively related to deterrent and preventive practices, and that deterrent and preventive measures are positively related to information security effectiveness. By means of a questionnaire survey, 63 usable responses were obtained from IS managers belonging to various sectors. A partial least squares (PLS) measurement model was developed and the hypotheses were tested. Results showed that organizational factors had a significantly positive effect on IS security practices and hence contributed to IS security effectiveness.

Chang and Ho (2006) examined the influence of organizational factors on the effectiveness of implementing the information security management standard BS 7799 in organizations in Taiwan. The organizational factors considered were IT competence, environmental uncertainty, industry type and organization size. The security control measures contained in the BS 7799 standard formed the basis of the information security management construct. The authors argued that, because organizations are interconnected to facilitate information exchange, the organizational factors also captured the possible influence of both the internal and the external environment of the organization. The study hypothesized that the organizational factors considered are positive determinants of the implementation and effectiveness of information security management (ISM). By means of a questionnaire survey, 59 usable responses were obtained from senior managers with IT knowledge from various industries. Regression analysis testing the influence of the organizational factors on ISM implementation and effectiveness revealed that all the organizational factors positively influenced information security implementation and effectiveness, in agreement with the result of Kankanhalli et al. (2003). This result indicates that both the internal and the external environment of the organization need to be considered when implementing information security controls.

Kraemer and Carayon (2007) proposed a macro-ergonomic conceptual framework for understanding the linkages between human and organizational factors and the human errors that contribute to computer and information security vulnerabilities. They defined human error as a human but unintentional cause of poor information security practice. The study investigated the vulnerability of work system elements to human error; the work system elements consisted of task-related factors, workplace environment factors, technology elements, organizational elements and individual elements. The study used theoretical sampling, a qualitative research method used to develop emerging categories of concepts, to interpret data collected through semi-structured interviews with 8 network administrators and 8 security specialists. The interviews were transcribed and analyzed by content analysis, coding specific themes, which were later expanded to form the conceptual framework. Results revealed the types of errors that contributed to vulnerabilities and the work system elements that contributed to the errors. Errors contributing to vulnerabilities were classified as intentional (including mistakes and violations) and unintentional errors made by network administrators and end users, and the work system elements contributing to human error were classified as individual, task, workplace environment, technology and organization. The authors also pointed out that organizational issues such as security culture and policy and communication failures are frequent causes of error in the context of information security.

Dhillon (2007) classified information security as having three levels: technical, formal and informal. The author depicted the three levels in the form of a ‘fried egg model’, with technical security controls at the innermost level surrounded by a formal level, which in turn is enveloped by an informal level. At the technical level, information security controls consist of defensive mechanisms such as firewalls, antivirus applications, voice analysis, digital signatures, biometric devices and other authentication protocols intended to protect the software applications, hardware and data that reside in computer systems; technical controls are required to protect a firm’s hardware, software and data from being modified, disclosed, intercepted, destroyed, interrupted or fabricated. Formal controls are rule based and dictate how technical controls are deployed and used to manage information security within the organization; they form the information security policy document that governs the security of information and information assets (von Solms, 1997). Apart from these two, informal controls play a vital role in shaping the security structure of an organization; they consist of the training and awareness programs conducted to orient employee behavior related to information security. The fried egg model indicates that information security is bounded by technological, organizational and human aspects, and that human behavior (both formal and informal) has an overarching impact on both the technological and the organizational aspects of information security.

Theme 3: Information Security Standards and Practices

To safeguard organizational information assets from internal and external security threats, a variety of information security standards and guidelines have been proposed and developed. The phrase ‘security framework’ has been used in a variety of ways in the security literature over the years, but the British standard BS 7799 (1999) promoted the term information security management system (ISMS), which came to be used as an aggregate term for the various documents and architectures, from a variety of sources, that give recommendations on topics related to information systems security, particularly the planning, managing or auditing of overall information security practices for a given institution. BS 7799 (whose Part 2 specifies ISMS requirements) and ISO 17799 (the international version of its Part 1 code of practice) can be used by companies to define security requirements and objectives. The Generally Accepted System Security Principles (GASSP) is a joint international attempt to develop a protocol for achieving information integrity, availability and confidentiality. However, ISO 17799 (its 2005 edition later renumbered ISO 27002, with the corresponding ISMS requirements in ISO 27001:2005) is the widely accepted and suitable model for ISM, as it adequately addresses the various security issues in organizations (Dhillon & Backhouse, 2001).

Ma et al. (2008) refined a set of information security objectives and practices extracted from previous studies and reports sourced from academia and practice. Six objectives found to be frequently cited in the literature – confidentiality, integrity, non-repudiation, authentication, accountability and availability – were used to measure security professionals’ perceptions of ISM objectives. The complete set of ISO 17799 (ISO 27001) security practices, covering 10 control areas, namely security policy, organizational security, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management and compliance, was converted into questionnaire items to measure perceptions of ISM practices. Survey data was obtained from 354 certified information security professionals regarding their perceptions of information security objectives and practices within their respective organizations. Using principal component analysis, a four-factor solution emerged for information security objectives, named confidentiality, integrity, accountability and availability. Using confirmatory factor analysis, an eight-factor solution emerged for information security practices, including information security policy, organizational security, business continuity planning, system access control, systems development and maintenance, communications and operations management and external information security. This study indicates that information security is not only internal but external too.

Theme 4: Information Security Culture

Deal and Kennedy (1983) indicated that culture is an important factor accounting for the failure or success of any organizational implementation. Since culture influences the operational activities in an organization and the effectiveness of its information security practices, managers should regard organizational culture as an important factor guiding information security practice (Chang & Lin, 2007). Consequently, exploring the cultural traits that enable an organization to perform ISM is of utmost importance from an organizational perspective. Hall (1959) identified 10 streams of culture useful for addressing security issues that might emerge in any given setting. Later, Dhillon (2007) called these 10 streams a web of culture, comprising interaction, association, subsistence, gender, temporality, territoriality, learning, play, defense and exploitation, which can be used to explain the information security culture in an organization.

Knapp et al. (2006) proposed a theoretical model demonstrating the influence of top management support on an organization’s security culture and policy. Six items were used to measure security professionals’ perception of top management support, six items measured their perception of the organization’s culture and four items measured the organization’s security policy enforcement. 68 security professionals responded to the web-based questionnaire survey, and the data was analyzed using structural equation modeling. Results indicated that top management support positively impacted security culture and policy enforcement. The results further revealed that low levels of management support produce an organizational culture less supportive of good security practices and retard the enforcement of existing security policies.

Chang and Lin (2007) examined the influence of organizational culture on the effectiveness of information security management. Organizational culture was measured along two dimensions, internal/external orientation and flexibility/control orientation, and the cultural traits considered were cooperativeness, innovativeness, consistency and effectiveness. Confidentiality, integrity, availability and accountability were used to measure the ISM principles. 87 usable responses were collected by survey from respondents belonging to different organizations in various sectors. Regression analyses were carried out to assess the effect of the cultural traits on each of the four ISM constructs, and significant positive relationships were found between organizational culture and ISM.

An information security culture is defined as the way organizational activities are directed to protect information assets (Da Veiga et al., 2007). As organizations increasingly invest in and implement information security measures, employees’ attention and commitment to understanding the objectives of information security have become equally important. The orientation and focus of an organization’s security depend on the environment in which the organization operates: there are external forces (government, regulations, etc.) and internal needs (policies, procedures, etc.) that influence the security of the organization, and an ideal security culture has to balance internal and external focus (Ruighaver et al., 2007). Da Veiga and Eloff (2009) proposed a framework for information security culture that promotes acceptable information security behavior and assists organizations in implementing security components that positively direct employee behavior towards the protection of information assets. An empirical study was conducted in 5 South African organizations, and the results indicated a good fit between the theoretical model and the empirical data.

Theme 5: Information Security Policies

One of the most important information security controls is the information security policy. According to the British Standards Institution (BS 7799, 1999), an organization’s information security policies deal with the processes and procedures that employees should adhere to in order to protect the confidentiality, integrity and availability of information and other valuable assets. Information security policies express the security goals of the company as set by senior management in alignment with the vision of the organization. They form the guidelines that dictate the rules and regulations of the organization governing the security of information and information assets (von Solms, 1997). Organizations consult international standards on information security before attempting to write the information security policy document (Hone & Eloff, 2002). The primary reason for considering an information security policy a prerequisite for effective security practice is that, without a policy, security practices are developed without a clear demarcation of objectives and responsibilities (Higgins, 1999).

Fulford and Doherty (2003) conducted an empirical study to investigate the uptake, content, compliance and impact of information security policies and to understand the factors that affect the successful deployment of information security policies in UK-based organizations. The study used the 10 distinct factors identified by the BS 7799 standard as critical to the successful implementation of information security within an organization. Respondents were asked to indicate, on a five-point Likert scale, the perceived importance of each factor and the extent to which the organization had adopted it. From a questionnaire survey, 208 valid responses were obtained from senior IS executives. Results revealed that a good proportion of the sample had an information security policy in place, but that its dissemination was not given much priority, and that the existence of an information security policy was not related to the sector to which the organization belongs. Paired-sample t-tests on each of the 10 factors showed that management commitment, a good understanding of security risks, guidance on security policy and a good understanding of security requirements were perceived to be the important factors. There is a high degree of consensus among researchers that the formulation and use of an information security policy is critical for effective information security management (Siponen, 2000; von Solms, 1998).

Hong, Chi, Chao and Tang (2006) investigated the organizational factors that determine the development of an information security policy (ISP). The study defined an ISP as the rules set up for the use of information assets, the statement of security priorities for achieving organizational objectives, the principles for information management and resource use, and the principles for supporting security techniques. The organizational characteristics considered were organization type, size, history of IT application, structure of the MIS department and IT infrastructure. The ISP was operationalized by ISP adoption time, ISP contents, ISP implementation items and procedures for ISP maintenance. Elevation of information security was measured as the decrease in threats and vulnerabilities, the reduction in security incidents and reduced damage from security incidents. The first set of hypotheses stated that organizational characteristics have an impact on the formulation, implementation and maintenance of the information security policy. The second set stated that ISP adoption time, functions, contents, sub-policies and procedures have an impact on the information security level. Data was collected by questionnaire survey from 165 MIS managers of different organizations in Taiwan, and regression analysis was performed to examine the hypotheses. Results showed that organization type and MIS/IS department size were good predictors of ISP adoption time, but that ISP adoption time itself did not contribute to the elevation of security, whereas the contents, functions, implementation and procedures of an ISP did contribute to the perceived elevation of information security.

Theme 6: Information Security and Awareness Creation

Information security awareness ensures that employees are aware of their role and responsibility in securing the information they handle (Irvine et al., 1998; Schultz, 2004). Its significance is widely accepted among information security researchers (Thomson & von Solms, 1998; Straub & Welke, 1998; Siponen, 2001).

Siponen (2001) proposed five dimensions of information security awareness – organizational, general public, socio-political, computer ethical and institutional education – distinguished by whether their goal is prescriptive or descriptive. The organizational dimension has a prescriptive (committed) goal, while the others may include both. Descriptive goals are subjective, influenced by the environment and difficult to put into practice.

Hagen et al. (2008) discussed the implementation of organizational information security measures and assessed the effectiveness of such measures. Through a wide literature review, the authors identified the security measures considered most critical during implementation. A questionnaire was developed and administered to 87 security professionals, asking whether each security measure had been implemented. Respondents were further asked to assess subjectively the effectiveness of the different measures, independent of whether they were implemented. The responses on information security practices were factor analyzed to arrive at factors named information security policy, technical measures, procedures and control, tools and methods, and awareness campaigns. Information security performance was measured subjectively by asking whether the organization's security performance was much better than average, better than average, average or worse than average compared with other organizations. Regression analysis was performed with security performance as the dependent variable and the individual security practices as independent variables, to measure the relative contribution of each practice. Results revealed that awareness-creating activities were significant in organizations where security measures had been implemented. Based on the level of implementation of each measure (indicated by the beta coefficients), an organizational information security staircase model was formed, with awareness creation, tools and methods, procedures and control, and information security policy in increasing order of implementation, resting on a rigid technological security foundation.

Kritzinger and Smith (2008) proposed a conceptual model for information security retrieval and awareness (ISRA), intended to enhance security awareness at all IT authority levels and to assist those levels in decision making about information security processes. They proposed a common body of knowledge for information security that ensures technical information security issues do not overshadow the non-technical, human-related ones. The ISRA model consists of three parts: the ISRA dimensions (non-technical information security issues, IT authority levels and information security documents), information security retrieval and awareness, and measuring and monitoring.

Chen et al. (2008) conducted a cross-cultural study in the US and Taiwan to investigate the relationship between exposure to security awareness learning and performance on security awareness outcomes. The authors used Hofstede's (1993) four cultural dimensions to examine security awareness at the individual and organizational levels. Following an experimental design, an animation-based security awareness program was built with Macromedia Flash and administered to 160 Taiwanese and 100 American subjects. Subjects were divided into an experimental group, which received situational training, and a control group, which received traditional face-to-face instruction. American users who received situational security awareness training outperformed those who received traditional step-by-step instruction, whereas Taiwanese users in the experimental and control groups performed similarly after their respective training. Since the findings at the two sites diverged, the authors concluded that situational security awareness training is more useful and effective for high individualists (the US population) than for high collectivists (the Taiwanese population). Overall, users exposed to training showed greater performance, and such programs can strengthen the people factor.

Theme 7: Information Security: Internal and External Dimensions

White, Fisch and Pooch (1996) classified an organization's security functions as internal and external. External security functions included physical, personnel and administrative security, while the internal security function pertained to technical security (hardware, software and data). As more organizations become interconnected and need to exchange data through various media, information security cannot remain an internal affair; its scope must be extended to external aspects (Chang & Ho, 2006). ISO 27001 (2005) states that ‘selection of adequate and proportionate security controls would protect information assets and give confidence to the third parties’, such as suppliers and customers. Building on ISO 27001, Ashenden (2008) observed a clear indication of internal and external dimensions to information security management. Accordingly, as supply chains have transcended organizational borders, information security also needs to break down hard boundaries and be managed across a network of partnerships and strategic alliances.

Finne (1996) developed a conceptual model of an information security chain consisting of 12 modules and 79 sub-modules that influence information security in an organization. Broadly, the modules cover logical security, physical and environmental security, operational security, communication, external and internal threats, contingency planning, personnel security, information security policy and information security culture. Each module is partly influenced by the outside world surrounding the organization, so the model postulates two dimensions for information security: internal and external.

Theme 8: Information Security in Supply Chain Management Context

To further substantiate the internal and external perspective of information security, a few studies can be found in the supply chain security literature; a summary is given in Table 3. From a supply chain perspective, Sheffi (2005) conjectured that the internal security efforts of one trading partner can be nullified by a lack of security effort on the part of another, or by a lack of coordination between the partners. To ensure complete security coverage, each organization in the supply chain therefore has to employ both internal (protecting its own facilities) and external (reaching beyond its four walls) security measures.

Voss, Whipple and Closs (2008) examined the extent to which organizations employ security initiatives, both internal and external. The target respondents were manufacturers, retailers and distributors in a food supply chain. A questionnaire of items relating to internal and external security initiatives, anchored on a 5-point Likert scale, was developed from the literature, and data were obtained from 199 organizations through a web-based survey. The data were factor analyzed to extract a single factor, named ‘strategic security’. Based on their scores on this construct, respondents were classified into two groups: firms placing a high (3 and above on the Likert scale) and a low (below 3) strategic priority on security. t-tests between the two groups assessed whether firms placing a high strategic priority on security perceived a higher level of security initiative implementation than firms placing a low priority on it. Findings showed that organizations treating security as a strategic priority reported higher levels of security execution and better security performance, and showed a greater ability to recognize and recover from security incidents both within the organization and across the supply chain.

Table 3 here

Sarathy (2006) gave a conceptual account of the importance of supply chain security and of the sources of internal and external risk. The author posits that the smooth functioning of a supply chain requires protection against disruption at every level: facilities, information flows and the transportation of goods. According to the author, the supply chain consists of three subsystems: internal supply chain management, customer relationship management and supplier management. While the first is under the full control of the organization, the latter two require collaboration with partners upstream and downstream of the supply chain to avoid disruptions. The nature of the relationship between an organization and its environment is shaped by that external environment.

Other studies in the area of information security in the context of supply chain management (SCM) are summarized in Table 4.

Table 4 here

Research Agenda for an Integrated View of Information Security Management

Most past studies of ISM focused on technological (Siponen and Kukkonen 2007) and administrative (Kraemer and Carayon 2005; Mouratidis et al. 2008) issues from an IS or IT perspective. However, the challenges faced by ISM stem from the management of the organization as a whole. In spite of the vast resources expended by organizations attempting to secure information systems through technical controls and restrictive formal procedures, the occurrence of security breaches and the magnitude of the consequential damage continue to rise. The weakest link in the security chain appears to be the absence of, or inadequate emphasis on, the behavioral and organizational aspects of ISM. Effective organizational information security depends on managing three components: people, process and technology.

Werlinger et al. (2009) tried to provide an integrated view of the human, organizational and technological factors that contribute to the complexity of security-related challenges, with the aim of suggesting improvements to security tools and processes. Though they identified and described 18 challenges that can affect ISM within an organization, the paper is silent on the implications for the firm's performance. Hagen et al. (2008) assessed the effectiveness of implemented organizational information security measures and suggested that awareness-creating activities should be encouraged in organizations where security measures are implemented. Though the authors looked at the effectiveness of such measures from a technical and administrative standpoint, the study did not consider other critical management factors, nor the implications of the assessed effectiveness for organizational output. Other studies have measured the effectiveness of ISM along individual dimensions. Chang and Lin (2007) examined the influence of organizational culture on the effectiveness of ISM implementation, suggesting that the human dimension of information security cannot be resolved by technical and management measures alone, and proposed a research framework relating organizational culture traits to the principles of ISM. Ashenden (2008) addressed the human challenges of ISM, pointing out that information security management depends on technology, processes and people, and suggested that organizations should look into the skills needed to change the culture and build effective communication about information security among all members of the organization. Dhillon (2007) suggested considering technical, formal and informal security controls for effective ISM.

Extant research has extensively discussed the challenges of information security management and the issues arising from security neglect within an organizational setting. A careful look at the studies in the area (Kankanhalli, 2003; Karyda et al., 2005; Chang & Ho, 2006; Ma et al., 2008; Werlinger et al., 2009) makes it evident that most have been done within a single organizational setting. However, most of the conceptual studies (Sarathy, 2006; Michelberger & Labodi, 2009; Voss et al., 2009) suggested extending the scope to the environment external to the organization, as in a supply chain.

We observed that most past studies were either conceptual or only partially empirical. Most survey-based research had a poor response rate because organizations regard information security as a sensitive matter, as Kotulic and Clark (2004) experienced. Still, the review of the literature makes clear the need for an integrated framework that encompasses technical, organizational (formal) and human (formal and informal) aspects from both an intra- and an inter-organizational perspective. In this paper, we address this gap by putting forward the research framework explained in the next section.

Proposed Research Framework

The current research therefore proposes a framework for information security in a supply chain context, encompassing intra- and inter-organizational perspectives. We represent the research framework using the conceptual model given in Figure 1. The model depicts various organizational factors as the drivers of information security management, with ISM objectives and practices as the dimensions along which ISM is assessed. The complete set of security practices in ISO/IEC 17799 (the code of practice that accompanies ISO/IEC 27001 and was later renumbered ISO/IEC 27002), covering 10 control areas, viz. security policy, organizational security, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management and compliance, can be used to explore ISM practices (the 2005 revision of the standard added an eleventh area, information security incident management). Further, the influence of ISM, driven by the organizational factors, on performance and competitive advantage is represented in the model. The research framework proposes to:

Develop a comprehensive framework for ISM, reflecting the organizational dimensions of security concerns.

Explore the various ISM objectives, standards and practices.

Examine the role of each dimension towards effective ISM.

Examine the influence of ISM dimensions on organizational/supply chain performance and competitive advantage.

Figure 1here

The methodology proposed for this research is a combination of focus group discussions and case study research to develop a clear questionnaire, followed by a survey targeted at the right kind of respondents. As Kotulic and Clark (2004) experienced, a survey eliciting information about organizational information security succeeds only if the researcher has a good rapport with the target respondents. Therefore, the expanding network methodology (Malhotra et al. 2005) may be used for data collection: an organization that has a good understanding with the researcher provides the contact list of its first-tier and second-tier partners. For any research to be productive and beneficial to both academia and practice, there should be strong interaction between researchers and practitioners with regard to knowledge sharing.

The Road Ahead

Every business, big or small, faces major financial consequences from data loss or a security breach. Of the security breaches reported in the US, 47% involved corporations and businesses [30]. A business cannot afford to ignore its exposure to data loss and security breaches, so it is imperative that an organization gives due consideration to information security management. This conceptual framework aims to provide a better understanding of information security objectives and practices, in the light of other organizational factors, for effective information security management. Information security management plays a vital role in addressing the security, compliance and efficiency needs of an organization. It brings a wide range of benefits, including a holistic understanding of the security status of the organization's assets, prioritization of security incidents, prevention of security breaches and demonstration of conformity with regulations far more efficiently than in the past.

We envision the developed framework to help:

Explore approaches to integrate ISM within the organization

Develop an information security strategy for the organization

Create a pervasive information security culture

Build trust and confidence in inter-organizational activities and processes to strengthen the supply chain.
