Saahil Goel MS-MIS Practicum Assignment 6

From Information Systems at Pitt Business


IS Issue: Information Security & Identity Management. Current Knowledge and Background. Submitted by: Saahil Goel

It is widely recognized within the IT profession, and by some business professionals, that top management at most businesses lacks awareness of information security. Because information security is not enforced or treated as a key business area by top management, it is left as an initiative run purely by the IT department. Management typically realizes its mistake only after being hit by a security breach. Companies need to take a proactive rather than a reactive approach to information security. In February 2003 the White House, under President George W. Bush, released “The National Strategy to Secure Cyberspace” to establish a framework for protecting the internet, which the document calls “essential to our economy, security, and a way of life”. The strategy describes the rising threats to, and disruptions of, the cyber-economy caused by a lack of information security controls. It also notes that securing the internet is a difficult task, one that requires a focused effort from the whole of society: government, private enterprise and the public. That a document of this authority was needed at all indicates how great the need for security awareness is, not just among top executives but among all internet users. Information is increasingly digitized. E-governance already exists in the United States to some extent and will grow substantially. With government-to-citizen and citizen-to-government transactions depending critically on an underlying IT framework, awareness of information security is paramount.

A prevalent outlook among many C-suite members is “don’t fix it if it isn’t broken”. That does not work for information security. Physical and electronic security cannot be a project that is implemented once and then forgotten; it is an ongoing task that needs attention from every user in the organization. Organizations usually take a “reactive” approach, but by the time they react the initial damage to reputation, and the potential economic loss, has already occurred. Awareness of information security rose sharply after the September 11, 2001 terrorist attacks on the World Trade Center. As David Bank points out in his Wall Street Journal article “Tech Executives Try to Ward Off Security Rules”, even though security awareness has improved since the attacks, many business leaders, particularly in small and medium enterprises, still view information security as non-essential to running their business. The people who run businesses are concerned only with running the business. The realization that needs to be brought home is that security is part of running the business.

Not only are many executives unaware of the weak security within their organizations, they are also unwilling to implement better security unless they see a clearly tangible economic advantage. As the Business Week article “Info Security ‘from the Ground Up’” describes, even though CEOs made considerable investments in security infrastructure after the September 11 attacks, they still view security as a sunk cost: they see no real business benefit in it. Management still needs to know, and to measure, the economic benefits of implementing an enterprise information security program. Although information security implementations do offer economic benefits, both in savings (from avoided lawsuits, bankruptcy, leakage of confidential information and fraudulent transactions) and in increased productivity, efficiency and brand equity, information security remains “hard” to sell to management. This points to an underlying difference of opinion, and perhaps an unwillingness of business leaders to learn about information security holistically. Part of the problem may be that the information currently available is not easy for a non-IT person to understand. As Gary S. Miliefsky points out, one of the seven best information security practices is to deliver corporate security and awareness training that is simple enough for an 8th grader to understand. The problem may also lie in how information security is presented to management. Unless all business unit leaders are involved in a security initiative, top management will not take notice of it. If each business unit leader is made aware of the potential benefits of security and the savings it could bring to their unit, it becomes much easier to approach top management with their support.

Even though management in most industries lacks security awareness, the financial services industry (FSI) spends more on information security than other industries and employs the latest technologies to protect its information. Since financial gain is the primary motive of most attackers, financial services institutions (FSIs) are prime targets. FSIs also have most of their operating data available electronically over the internet, since customers deal with them directly through corporate portals. Further, financial services companies are able to justify information security expenses by tying them to business processes. FSIs report the lowest cyber-crime rates of any industry and have deployed technologies such as identity management and intrusion detection tools. According to the CIO report “The Global State of Information Security 2006”, security executives still need to persuade top management to implement information security. This may be easier for security executives in the FSI, since they can tangibly measure the benefits of security implementations and the value added for shareholders. In fact, the FSI is one of the few industries that measures the results of information security implementations in terms of return on investment and potential impact on revenue. FSIs are also governed by regulation such as the Sarbanes-Oxley Act of 2002. The report notes that since regulation plays such an important part in the healthcare, government and education sectors as well, one would expect them to employ equally strong security. That is not the case: the government and healthcare sectors benchmark themselves against other (non-FSI) sectors to keep “abreast” of information security trends. This discussion in the report yields two important results. Firstly, companies still rely on “security executives” to do the “selling” to top management. That may work in the FSI, but it works less well in industries where the cost of implementation is harder to justify. Secondly, it shows a lack of awareness across all sectors, including some, such as government, that need critical attention to security and do NOT face budget constraints. Either information security awareness is lacking in certain sectors, or where the information exists it is not understandable or not tailored to its audience. The ignorance and indifference shown towards security is also portrayed in the Information Week article “Businesses More Concerned About Mobile, Remote Security, But Still Ignore Training”. Lack of security awareness not only has direct impacts, such as breaches and their negative consequences, but also makes users complacent about implementing security at all. This can become a vicious circle in which lack of information security leads to further complacency about learning about it, a potentially dangerous situation. Further, when an organization’s employees are uneducated about security, it falls to business unit leaders to take the initiative, and top management then follows suit: the effect cascades upward. Information security awareness has to begin at the lowest level and work its way up to top management for any results. According to K.C. Jones, even though sixty percent of organizations reported an increase in security incidents involving mobile corporate users over the previous 12 months, most companies still ignore security training, and only 10% plan to implement it in the next 12 months (according to research by TNS Prognostics). The same article notes that 90% of the companies that implemented information security awareness training saw a reduction in the number of security breaches.

Another Information Week article, “Compliance Provides Benefits Beyond the Obvious”, describes the role of compliance in business and the benefits it offers. Many organizations view compliance as an unnecessary administrative burden with unrecoverable costs. However, even without compliance mandates, customers would still demand that their private data be kept confidential and would still expect companies to secure financial information as well as possible. The article also highlights several economic benefits: the possibility of outsourcing more operations once security improves, better internal communication, resource sharing across global networks, decreased liability in the event of an actual breach, and so on. Economic benefits therefore exist, even if that information may not reach top management in an understandable form.

To weigh the cost of spending on information security against the cost of not doing so, Cindy Waxer discusses several statistics in her Network Security Journal article “The Hidden Cost of IT Security”. In December 2006 the US retail giant TJX discovered a compromise of its systems that exposed 45.7 million customer credit and debit cards; the article puts the cost to TJX at nearly $1.7 billion, and the company also faces legal claims from affected customers and shareholders. Losses from laptop and mobile hardware theft are also rising, from $19,052 per survey respondent in 2005 to $30,057 per respondent in 2006. Breaches such as these bring “clean-up” costs too: “In fact, according to a Ponemon Institute survey, the cost of diverting employees from everyday tasks to managing a data breach increased 100 percent last year, from $15 per record in 2005 to $30 a record”. Rebuilding a brand is also costly, because customers lose trust in the company, and a customer who has had a bad experience can cost the company future customers through negative word of mouth. “After the U.S. Department of Veterans Affairs lost 26.5 million personal records in a data breach, a coalition of veterans groups filed a class action seeking $1,000 in damages for each person, a payout that could eventually reach $26.5 billion”. Summing up the economic losses a company faces after a breach, the article reports that public companies on average see their stock price drop 5% when they disclose a breach. Beyond the immediate drop, some companies, such as ChoicePoint, saw their stock price depressed for two consecutive years after reporting a breach; in ChoicePoint’s case, fraudsters posing as legitimate business customers obtained the personal records of about 163,000 consumers in 2005.
These incidents show how important information security awareness can be. General information security guidelines hold that confidential data should not be carried around in bulk, and certainly never stored unprotected on a mobile device such as the laptop lost by the Department of Veterans Affairs, and that access to it should be limited to properly vetted, authorized parties, the control that failed at ChoicePoint. Had the staff involved been more aware of information security and its implications, these incidents could have been avoided.

Sun Microsystems, a leading vendor of enterprise systems and security-related products, describes “Security Awareness Development” and “IT Security Staff Development” as two of the three “Critical Investments for Success”. It considers the investment in building security awareness throughout the organization well worth making: “Building a culture of security awareness is critical to protecting enterprise assets. People need to understand that many threats to the network exist — not just to the infrastructure itself, but also the components that they touch every day, including telecommunication assets like cell phones.” The paper also stresses the importance of a separate security unit within the organization rather than one merged into the rest of IT. For example, the CISO should sit in a technology-control or risk-management group that is independent of the IT department and placed higher in the organizational structure. This group should be able to influence the company’s executive directors and should participate in strategic decisions. For long-term sustainability, Sun considers security a key part of enterprise leadership: every business leader should weigh information security in every business decision.

According to Deloitte Touche Tohmatsu’s “2007 Global Security Survey”, information security and awareness training are among the main initiatives planned by the companies that participated in the survey. The reasons identified for making security awareness a key area of concentration are the increasing complexity of threats and increasing regulation related to security. The report also reiterates that to “demonstrate effective information security governance, it is necessary to understand and define expected outcomes, performance targets, efficiency measures and related reporting requirements”.

In general, Deloitte and Sun agree both on the problem posed by the lack of information security awareness and on how to approach it.

At the University of Pittsburgh, courses such as Risk Management in a Global Enterprise, Business Law, IS Security, Financial Accounting and Current Issues in MIS are relevant to understanding this problem. They convey the general idea of the communication gap between IT personnel and business, a gap that is also a general trend in industry, and the general observation that some businesses view technology as a cost (and a support function) while others view it as an investment (and an enabler). However, no coursework deals specifically with the lack of security awareness among top management and its implications for business today.

The broader issue this problem relates to is management’s complacency towards information technology initiatives. It exists because top management needs justification for IT spending and the benefit it may bring to the company. Many companies (especially SMEs and companies outside the financial services industry) view technology implementations, and information security in particular, as an added administrative burden requiring high capital and operating expenditure with little or no benefit to the business. This has been the case for as long as IT has been enabling business. The chief reason for this belief may be that there are no indicators to prove that technology delivers measurable returns relative to the money spent on it. Since top management expects a tangible return on every investment, it is reluctant to fund a “project” with no measurable benefit. If management spends a certain amount to boost marketing, for example, the return is easily measured as the increase in sales caused by the campaign; the same is often not true of information technology initiatives.

The “productivity paradox” of information technology spending, discussed since 1993, is a concept that has changed over the years but is still deeply rooted in older executives, who typically fill top management positions. According to Brynjolfsson, even though attempts to measure the return on IT spending have produced disappointing results, those results cannot be used to decide what benefit IT really offers an industry, primarily because conventional approaches cannot accurately measure what the return on information technology is. In many businesses, even today, IT is so intertwined with business processes that its return is difficult to measure in isolation. For example, in a business where IT is not the chief enabler but a supporting function, such as banking, one cannot say with certainty what value IT adds. Because banks rely so heavily on IT for record management, personnel management, customer service, marketing and so on, estimating how the company’s value would change if IT were removed is extremely difficult. Further, IT spending does not usually provide immediate returns; spending on technology can yield benefits that persist over long periods, which again are difficult to quantify and measure.

The lack of tools and techniques for measuring technology spending and its returns is also stressed in Paul A. Strassmann’s paper “The Business Value of Computers”: “There are good reasons why there is a random relationship between information technology and various financial measures. The researchers could extract only limited amounts of information because their analytic tools did not encompass the complex nature of the relationship involved in the application of information technology”. The lack of correlation between information technology expenses and profitability is attributed to the poor selection of variables used for measurement. The paper further notes that the effect of information technology on profitability is very subtle and hard to measure, making the situation even more complex. In conclusion, information technology spending is not viewed as a valuable investment because its returns are not tangibly measurable. Further, because top management lacks training and awareness in initiatives that demand critical attention, such as information security, these are viewed as less than important, producing an attitude of complacency towards technology implementations. The existence of this issue has been demonstrated above using academic and trade sources.


References

http://www.whitehouse.gov/pcipb/

“The National Strategy to Secure Cyberspace”, The White House (President George W. Bush), February 2003. This document is an effort by the United States government to make all internet users aware of information security risks. It highlights the rising number of attacks and their potential impact, and the move towards digital information and e-governance.

http://online.wsj.com/article/SB107040249488089600.html?apl=y&r=806784

“Tech Executives Try to Ward Off Security Rules” by David Bank, The Wall Street Journal, December 3, 2003. This article describes how the September 11, 2001 terrorist attacks prompted a series of changes in organizations’ disaster recovery and business continuity planning. It notes that even though awareness of information security has increased since the attacks, executives still view information security as a purely technical initiative and do not actively participate in it.

http://www.businessweek.com/technology/content/apr2004/tc20040413_9762_tc146.htm?chan=search

“Info Security ‘from the Ground Up’” by Alex Salkever, Business Week, April 13, 2004. Many CEOs have paid attention to information security since the September 11 attacks and have invested considerable resources in it. However, they still follow a “reactive” approach and do not take an active stand. Management still views security spending as a cost with no real benefit to the core business. The article demonstrates a clear lack of understanding of information security and its benefits on the part of business leaders.

http://www.networkworld.com/columnists/2007/011707miliefsky.html

“The 7 best practices for network security in 2007” by Gary S. Miliefsky, Network World, January 17, 2007. This article offers seven best practices as guidelines from which corporations can develop their own. Although it does not directly address current knowledge of information security awareness, it conveys the state of affairs in organizations by describing people’s attitudes towards security and the steps needed to implement it.


http://www.cio.com/article/24979/The_Global_State_of_Information_Security_/6

“The Global State of Information Security 2006” by Allan Holmes, CIO, September 15, 2006. This article reports on the global state of information security in 2006, including the state of security and awareness in sectors such as finance, education, healthcare and government. It supports the argument that management is concerned mainly with the economic benefit of information security rather than with a long-term approach to running the business efficiently and securely.

http://www.informationweek.com/showArticle.jhtml;jsessionid=C4SCFOM3W2ESQQSNDLPSKHSCJUNN2JVN?articleID=202802456&queryText=information+security+awareness

“Businesses More Concerned About Mobile, Remote Security, But Still Ignore Training” by K.C. Jones, Information Week, November 5, 2007. A report by the Computing Technology Industry Association (CompTIA) finds that despite a rise in security breaches involving mobile computing users (increasingly common in IT and consultancy companies), organizations remain complacent about implementing information security and about conducting awareness and training sessions for their employees.

http://www.informationweek.com/management/showArticle.jhtml?articleID=202401916&pgno=2&queryText=information+security+awareness

“Compliance Provides Benefits Beyond The Obvious” by Debra Banning and Glen Day, Information Week, October 13, 2007. This article describes the benefits that compliance regimes (such as SOX, HIPAA and GLBA) offer organizations: improved internal communication, better offerings to customers and additional revenue. It highlights the economic importance of security within organizations.

http://www.networksecurityjournal.com/features/hidden-cost-of-IT-security-041607/

“The Hidden Cost of IT Security” by Cindy Waxer, Network Security Journal, April 16, 2007. Implementing information security has costs, but not implementing it costs even more. This article provides statistics on the costs companies actually incur as a consequence of inadequate security measures and training/awareness programs, and shows that disclosure of a security breach damages a company’s reputation and even its stock price. The issue relates indirectly to information security awareness.

“Information Security for Pragmatists” by Sun Microsystems, January 2006

This white paper discusses Sun products that can help solve business problems and deliver a tangible return on investment. It also covers the importance of compliance and alignment with security standards.

“2007 Global Security Survey” by Deloitte Touche Tohmatsu, 2007

This white paper covers the financial services industry worldwide and documents participants’ responses on the current state of affairs and their planned information security activities. It offers a perspective on where information security awareness stands at present and, beyond the situation it reports, shows Deloitte’s interest in highlighting the lack of information security awareness in organizations.

“The Productivity Paradox of Information Technology: Review and Assessment” by Erik Brynjolfsson, September 1992

This research paper reviews in depth the return on investment in technology across companies in different sectors. Using the methods of the time, it attempts to measure the returns on IT spending, but its important implication is that those returns cannot be measured effectively because technology is intertwined with the business. It would therefore be incorrect to conclude that spending on technology provides no return, and management’s belief that it does not is not well founded.

“The Business Value of Computers” by Paul A. Strassmann

This paper highlights the problems involved in accurately measuring the return on IT investments.


Media: Saahil_Goel_Assignment_6_IS_Issue_Current_Knowledge.doc

Media: Saahil Goel_IS_Issue_Background.ppt

Author

Saahil Goel

Other Documents