
Information Security Management

Chapter 2 Literature Review

2.2 Information Security Management

We also identified seven main categories of information security management, covering 757 articles (see Table 2-2 and Appendix A for details).

Table 2-2: Categories of Information Security Management and Research in 1995-2009 (number of articles)

Category | Subjects | IS Security | IS
Risk Management | Risk management, risk assessment, risk treatment, risk monitoring and review, and risk analysis | 80 | 18
Awareness, Behavior, and Education Issues | Security awareness, security education and training, security behavior, and culture | 87 | 5
Legal and Ethical Issues | Copyright and piracy issues, security and privacy, security and ethics, compliance, and other legal aspects of security | |
Security Investment and Strategy | Strategy, and competitive advantages | 27 | 8
Audit and Assurance | Computer audit, information systems audit, and information assurance | 11 | 7
Total | | 757 | 88

Risk Management

The information security risk management process defined in ISO (2008) consists of risk assessment (risk analysis, which covers risk identification and risk estimation, followed by risk evaluation), risk treatment, risk acceptance, risk communication, and risk monitoring and review. Research that focuses on risk management activities and methodologies falls into this category.

For information security management, how to manage information risk is a vital issue (Blakley, et al., 2001; Bodin, et al., 2008), and risk management plays a major role in assessing information security risks and treating them to an acceptable level. As ISO (2008) states, "A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system (ISMS)." Using a risk management approach, the allocation of limited resources can be determined and justified against security needs, and the impact of security incidents can be reduced as far as the trade-off between risk and cost allows. Apart from ISO (2008), Stoneburner et al. (2002) provide guidelines that describe a risk management methodology, how it fits into each phase of the system development life cycle (SDLC), and how the risk management process is tied to the process of system authorization.

Current developments of risk management in the information security area include the search for methodologies appropriate to risk analysis in different circumstances (Smith & Eloff, 2002; Sun, et al., 2006). Sumner (2009) provided a methodology based on an analysis of the perceived impact and probability of occurrence of information security threats.
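To make the risk management cycle described above concrete, the following Python program is an added illustration written for this review; it is not code from ISO (2008), Sumner (2009), or any other work cited here. It runs one pass through the cycle for a small risk register: each risk is estimated from a likelihood rating and an impact rating (the perceived impact and probability of occurrence that Sumner's methodology analyses), evaluated against a risk acceptance criterion, given a treatment option, and re-evaluated for residual risk once controls are applied. The five-point scales, the acceptance threshold, the band boundaries, and the sample register are all assumptions made for the example.

```python
# Added illustration of one pass through an ISO 27005-style risk management
# cycle. Scales, thresholds and the sample register are assumptions, not values
# from the literature surveyed on this page.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5        # assumed ordinal scale for likelihood and impact
ACCEPTANCE_THRESHOLD = 6           # assumed criterion: level <= 6 may be retained
HIGH_THRESHOLD = 15                # assumed lower boundary of the "high" band


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # rating steps removed from likelihood
    impact_reduction: int = 0      # rating steps removed from impact


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                # inherent likelihood rating, 1..5
    impact: int                    # inherent impact rating, 1..5
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"rating {value} is outside {SCALE_MIN}..{SCALE_MAX}")


def estimate(likelihood: int, impact: int) -> int:
    """Risk estimation: combine the two ratings into a single level (1..25)."""
    return likelihood * impact


def band(level: int) -> str:
    """Qualitative band for a level (assumed boundaries)."""
    if level >= HIGH_THRESHOLD:
        return "high"
    if level > ACCEPTANCE_THRESHOLD:
        return "medium"
    return "low"


def residual_ratings(risk: Risk) -> Tuple[int, int]:
    """Ratings after the selected controls; a rating never drops below the scale minimum."""
    likelihood = risk.likelihood - sum(c.likelihood_reduction for c in risk.controls)
    impact = risk.impact - sum(c.impact_reduction for c in risk.controls)
    return max(SCALE_MIN, likelihood), max(SCALE_MIN, impact)


def evaluate(risk: Risk) -> Dict[str, object]:
    """Risk evaluation: compare the residual level with the acceptance criterion
    and choose the treatment option (retain, or reduce/share/avoid)."""
    inherent = estimate(risk.likelihood, risk.impact)
    residual = estimate(*residual_ratings(risk))
    accepted = residual <= ACCEPTANCE_THRESHOLD
    return {
        "asset": risk.asset,
        "threat": risk.threat,
        "inherent": inherent,
        "residual": residual,
        "band": band(residual),
        "accepted": accepted,
        "treatment": "retain" if accepted else "reduce, share, or avoid",
    }


def treatment_plan(register: List[Risk]) -> List[Dict[str, object]]:
    """Evaluate every entry and rank it: unaccepted risks first, highest residual level first."""
    rows = [evaluate(r) for r in register]
    rows.sort(key=lambda row: (row["accepted"], -int(row["residual"])))
    return rows


# Constructed sample register (assumed values, not data from the surveyed literature).
SAMPLE_REGISTER = [
    Risk("customer database", "SQL injection via web application", 4, 5,
         [Control("parameterised queries and input validation", likelihood_reduction=3)]),
    Risk("payroll server", "ransomware delivered by phishing", 4, 4,
         [Control("offline backups", impact_reduction=2),
          Control("security awareness training", likelihood_reduction=1)]),
    Risk("office building", "flood", 2, 5),
    Risk("public website", "defacement", 3, 2),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(f"{row['asset']:<18} inherent={row['inherent']:>2} residual={row['residual']:>2} "
              f"{row['band']:<6} -> {row['treatment']}")
```

Run as a script, the program lists the register with the uncontrolled flood risk at the top as the only entry still above the acceptance criterion, which is the input to the treatment step; the other three are retained after their controls. Monitoring and review would amount to re-running the evaluation whenever a rating or a control changes.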

Awareness, Behavior, and Education Issues

Users' information security awareness and behavior are crucial, since information security control techniques or procedures can be misused or misinterpreted and thereby lose their real usefulness. Users' awareness is raised and their behavior corrected through security education and training, until security eventually becomes part of the organization's culture. The awareness, behavior, education, training, and culture issues of security belong to this category.

Making security part of an organization's culture is arduous. Current research aims to better understand users' behaviors and the reasons behind their acts, and thus to develop more suitable training programs or deterrence methods. Dinev et al. (2008) examined user behavior towards protective information technologies across different cultures and suggested that, where multiple cultures coexist, cultural factors should be taken into consideration. D'Arcy et al. (2009) combined work from criminology, social psychology, and information systems into an extended deterrence theory model, which was empirically tested; the results suggest that three practices (user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring) can deter IS misuse.

Legal and Ethical Issues

There are many legal aspects of information security. For publishers of intellectual property (e.g. software, music, and books), copyright and piracy are important concerns; for e-commerce, online transaction, and healthcare companies, protecting their customers' personal information (i.e. privacy) is crucial. These companies therefore need to keep the systems that store these information assets from being compromised. Such legal issues, including compliance and ethics topics, are categorized as "Legal and Ethical Issues".

On the subject of copyright and piracy, Gopal and Sanders (1997) found that individuals are deterred from software piracy when policy states and warns of the legal consequences, which results in lower piracy intentions. Moreover, Straub (1990) also concluded that deterrence measures are a useful strategy for reducing computer abuse (e.g. illegally copying and selling software). On privacy and ethical issues, Culnan and Williams (2009) argue that organizations have a moral responsibility to individuals to avoid causing harm and to take reasonable precautions.

Security Management Plan, Policies, Governance, Standards, and Certifications

When planning and implementing security management, such as implementing an ISMS, the organization should opt for a combination of many aspects (e.g. policies, standards, technology, human issues, and legal and ethical issues) in establishing the ISMS (Eloff & Eloff, 2003). Security management planning, security policy development, governance, and other planning and implementation issues should be addressed during the implementation process, and this requires involvement across the whole corporation. von Solms and von Solms (2004) identified 10 essential aspects that should be taken into consideration when planning information security governance.

Business Continuity Planning and Management

Business continuity issues have received much more attention since the devastating events of September 11, 2001. Not only natural disasters (e.g. floods, earthquakes, and hurricanes) can cause physical damage to buildings, crashes of mainframes, and loss of life; human acts (e.g. terrorist attacks) can also be a great threat with these catastrophic consequences. Apart from the calamities above, business interruption can be caused by other events, such as human error, utility disruptions, and malicious threats.

How rapidly a company can recover from a business interruption is critical to its survival as a going concern.

Cerullo and Cerullo (2004) propose guidelines for developing and improving a firm's BCP, which has three components (business impact analysis, a disaster contingency and recovery plan, and a training and testing component). Gibb and Buchanan (2006) combined the BCM development cycles proposed by various authors into a framework for a BCM program consisting of multiple phases, including program initiation, risk analysis, monitoring and control, implementation, and education and training.

Security Investment and Strategy

With billions of dollars spent each year on information security products and services, the economics of information security investment has become an important area of research, with significant implications for management practice. How much investment is enough, what level of risk is acceptable, and which strategy should be taken under the cost and benefit trade-off? In a fast-moving and competitive age, the decisions an organization makes have to be justified by their measured benefits, and security investment decisions are no exception.

Cavusoglu et al. (2005) proposed a comprehensive model for analyzing IT security investment problems that overcomes some of the limitations of risk analysis and cost-effectiveness analysis methods. Gordon and Loeb (2002) presented an economic model that takes into account the vulnerability of an information set and the potential loss from a breach to determine the optimal amount that should be invested to protect it.
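As an added worked example of the Gordon and Loeb (2002) model just described, the following Python program was written for this review and is not code from their paper. It uses the "class I" security breach probability function S(z, v) = v / (αz + 1)^β from that paper, where z is the investment and v the vulnerability (the breach probability with no extra investment); the productivity parameters α and β, the loss figure, and the vulnerability used in the sample are assumptions. The program finds the investment that maximises the expected net benefit, checks the closed form against a grid search, and verifies Gordon and Loeb's bound that the optimal investment never exceeds 1/e of the expected loss.

```python
# Added worked example of the Gordon-Loeb (2002) investment model. The
# functional form is their class I breach probability function; alpha, beta,
# the loss and the vulnerability used below are assumptions for this example.
import math


def breach_probability(z: float, v: float, alpha: float = 0.001, beta: float = 1.0) -> float:
    """Class I breach probability S(z, v) = v / (alpha*z + 1)**beta.

    z           : money invested in security for the information set
    v           : vulnerability, i.e. breach probability with no extra investment
    alpha, beta : productivity parameters of the security investment (assumed)
    """
    return v / (alpha * z + 1.0) ** beta


def expected_net_benefit(z: float, v: float, loss: float,
                         alpha: float = 0.001, beta: float = 1.0) -> float:
    """ENBIS(z): reduction in expected loss brought by the investment, minus the investment."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v: float, loss: float, alpha: float = 0.001, beta: float = 1.0) -> float:
    """Closed-form maximiser of ENBIS for the class I function.

    d(ENBIS)/dz = 0 gives  v*alpha*beta*loss = (alpha*z + 1)**(beta + 1);
    when no positive z satisfies it, investing nothing is optimal.
    """
    root = (v * alpha * beta * loss) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


def optimal_investment_by_search(v: float, loss: float, alpha: float = 0.001,
                                 beta: float = 1.0, steps: int = 200_000) -> float:
    """Grid search over [0, v*loss] as an independent check on the closed form.

    ENBIS(0) = 0 and ENBIS(z) <= v*loss - z, so spending more than the expected
    loss can never pay off and the grid stops there.
    """
    upper = v * loss
    best_z, best_value = 0.0, expected_net_benefit(0.0, v, loss, alpha, beta)
    for i in range(1, steps + 1):
        z = upper * i / steps
        value = expected_net_benefit(z, v, loss, alpha, beta)
        if value > best_value:
            best_z, best_value = z, value
    return best_z


def investment_ceiling(v: float, loss: float) -> float:
    """Gordon and Loeb's bound: the optimal investment never exceeds (1/e) of the expected loss v*loss."""
    return v * loss / math.e


def summary(v: float, loss: float, alpha: float = 0.001, beta: float = 1.0) -> dict:
    """Optimal investment and the quantities a decision maker would report alongside it."""
    z_star = optimal_investment(v, loss, alpha, beta)
    return {
        "expected_loss": v * loss,
        "optimal_investment": z_star,
        "share_of_expected_loss": z_star / (v * loss),
        "residual_breach_probability": breach_probability(z_star, v, alpha, beta),
        "net_benefit": expected_net_benefit(z_star, v, loss, alpha, beta),
    }


if __name__ == "__main__":
    # Assumed information set: 50% chance of breach without investment, $1M loss if breached.
    for key, value in summary(v=0.5, loss=1_000_000).items():
        print(f"{key:<28} {value:,.4f}")
```

With the assumed parameters the optimal spend is about $21,361, roughly 4% of the $500,000 expected loss and well under the 1/e ceiling of about $183,940, while cutting the breach probability from 0.5 to about 0.022; the grid search lands on the same point. Changing alpha and beta changes how productive each dollar of security is, which is the lever the model uses to capture the different ways security investments reduce vulnerability.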

Audit and Assurance

Information systems audit, also known as information technology audit or computer audit, is a process for ensuring that information systems safeguard assets, maintain data integrity, and operate effectively. The IS audit process consists of examining the controls within an information system, collecting evidence about an organization's information systems, practices, and operations, and evaluating the data and operations processed by the systems.