An integrated framework for information security management.
Today information assets face more potential security breaches than at any time in history. To help mitigate the effect of the threats, information security management (ISM) is a very important part of a successful organization's strategic plan. Due to a significant increase in the number of threats over the past decade, organizations need to be proactive to protect their information assets. Unfortunately, there is a lack of experts qualified to address the area of IT security. We propose an integrated framework for ISM, in which it is conceptualized as a continuous decision-making process. The rationale of this framework is based on four guiding principles.
1) Have goal in mind.
2) Align security goals with business strategy.
3) ISM is a multivariate system.
4) ISM is a dynamic process.
ISM is more about the operating procedures and processes in which crucial components such as organizational infrastructure, human factors and information security practices are all involved.
Key components of the ISM framework include the following steps.
1) Assess the organizational environment.
2) Establish information security objectives.
3) Analyze information security requirements.
4) Develop information security controls.
5) Train/evaluate information security controls.
Researchers find that despite the seriousness of the nature and scope of the security threats posed by the environment, many organizations are under-prepared or completely unprepared to mitigate the threatsystems
Further, there appears to be a lack of consensus as to how an organization should implement an information security policy, what information security objectives should be established, or how to react when the information systems are threatened. The framework described herein could be utilized in an effort to effectively implement a holistic and successful ISM plan.
Information security management (ISM) is becoming a critical component to the modern organization. In many cases, it is impossible, or nearly impossible, to run a business without the proper and smooth operation of its information systems (Zviran and Haga, 1999, p. 162). Threats to these information systems have increased significantly over the past decade, which requires organizations to be proactive to protect their information assets. Despite the seriousness of the threats, there is a lack of experts qualified to address the area of IT security (Furnell, Papadaki, Magklaras and Alayed, 2001, p. 89).
There appears to be a lack of consensus as to how an organization should implement an information security policy, what information security objectives should be established, or how to react when the information systems are threatened. Further, Straub and Welke (1998, p. 443) find that despite the seriousness of the nature and scope of the security threats posed by the environment, many organizations are under prepared or completely unprotected to mitigate the threats. If an organization's information security efforts are integrated so that all are focused on the same outcome, then the information security management of an organization should reside in a framework easily understood by all parties at all levels of the organization. Even without technological solutions, a systematic framework is essential for effective organizational information security management.
Although ISM is a critical issue in today's business environment and has drawn considerable attention from researchers and practitioners, there is no universally accepted definition. Security has been defined as the state of being free from danger and not exposed to damage from accidents or attack, or as the process for achieving that state (Bosworth and Kabay, 2002, p. 2). Computer security has been defined as the necessary controls to ensure the continuity of adequate information and the protection of computing assets from loss or damage (GFOA, 1997, p. 44). In general, ISM is concerned with protecting the confidentiality, integrity, and availability of information and information systems (Blackwell, 1998, p. 26; Fried, 1994, p. 57).
Total quality management (TQM) may offer to provide a good foundation for ISM. TQM recognizes the importance of the customer, participation and teamwork and continuous improvement and learning. In the security context, these TQM principles should be supported and implemented by an integrated organizational infrastructure, a set of management practices and an appropriate set of tools and techniques. As such, the goals of TQM could benefit the security community.
Experience indicates that technology cannot provide all the answers to the security problems posed by people in the context of ISM. The CSI/FBI report, which was based on feedback from 697 computer security practitioners and represents a diverse slice of corporate America, found that 56 percent of the respondents reported some form of malicious attack within the past year (Gordon and Loeb, 2006, p. 12). This statistic is up from 54 percent the previous year. Yet another attempt to estimate the number of attacks comes from iDefense. They report monitoring approximately 27,000 attacks in 2004, half of which were designed to covertly steal information or take over computers.
Indeed, at no time in history has the threat to information assets been greater than it has today (Wright, 1994, p. 1). Many organizations are hesitant to report computer attacks for many reasons and most of these reasons center on a desire to avoid negative press. Given the organizations' propensity to under report, it is important not to underestimate the seriousness of the threat in today's security milieu.
In the context of this research, we define ISM as a continuous improvement process intended to assure business continuity, customer confidence, protection of business information assets and the minimization of damage to the business by preventing or minimizing the impact of security incidents. We propose an integrated framework for ISM (See Exhibit 1), in which ISM is conceptualized as a continuous decision-making process.
Many times there is a tradeoff between security and ease of use. For instance, a password that needs to be 10 characters long, contain mixed case, numbers and special characters, would typically provide better security than a four character password with no special requirements. However, the longer password presents a greater cognitive challenge for users. In fact many devices, including wireless access points, have major security problems at least partially because they are designed for easy access (Zviran and Haga, 1999, p. 164).
A Proposed Framework of ISM
The process follows five steps and contains a feedback mechanism which can effectively modify action taken within each step. The first step is to perform an initial analysis of the organizational environment including both internal and external factors. This organizational environment influences the information security objectives which are set by top management and those objectives dictate the security infrastructure and should be aligned with business strategy. To support the information security objectives, certain security practices should be implemented. The output is a secure source of the quality information needed by the organization to achieve its business goals. The proposed framework is a dynamic cycle, which must be adjusted based on an ongoing evaluation of the organization's needs. The rationale of this framework is based on four guiding principles:
1. Have goal in mind
To make predictable progress in a complex situation, it is often beneficial to have a goal and then work towards that goal. This is the case in information systems security. The goal of ISM is to ensure business continuity, customer confidence, protect business investments and opportunities, or reduce damage to the business by preventing and minimizing the impact of security incidents. A good security program is a customized program and its characteristics depend upon the goals, resources and environment of the organization. Exhibit 1, the first three stages are involved in setting goals and objectives. In this process, the goals and objectives are derived from the initial assessment of the business environment and then translating these goals and objectives to specific security requirements. The last two stages provide the mechanism to fulfill the goals.
2. Align security goals with business strategy
Generally, the alignment of IS strategy with business strategy is one of the key factors for IS and organizational success in the new "flat world" in which both markets and human resources are becoming more global (Gerth and Rathman, 2007, p. 103). Alignment helps facilitate acquisition and deployment of information technology resources that are in agreement with the organization's long-term vision. Alignment may be evidenced through an understanding of organizational objectives by top information technology planners, mutual understanding between top managers and IS planners and a heightened view of the IS function within the organization (Pant and Hsu, 1999, p. 15; Reich and Benbasat, 2000, p. 82). Similarly, information security planning or strategy should be aligned with business objectives (Peltier, 2003, p. 22). The number one principle in the Generally Accepted Systems Security Principles (GASSP) stipulates that information security supports the mission of the organization. In the proposed framework, alignment is needed at every stage of goal setting. In addition, it is also important in the implementation and evaluation stage to ensure that the business goals are being achieved.
3. ISM is a multivariate system
An organization is also perceived as a work system (Bostrom and Heinen, 1977, p. 14), which is made up of two independent, but interacting systems--social and technical. The technical system is concerned with the processes, tasks and technology needed to transform inputs to outputs. The social system is concerned with the attributes of people (e.g., education, skills and values), the relationships among people, reward systems and authority structures. The outputs of the work system are the result of joint interactions between these two systems.
Based on this understanding, ISM is a complex process, which includes all stages in the proposed framework. ISM has a distinct task and must have an organizational structure that supports reporting, communication, authority and work flow. Individuals or groups of stakeholders involved in ISM include customers, managers, maintainers, developers and users. Technological tools and methods that are used in security programs include the necessary hardware and software. Thus, ISM is not only a technical issue, but also a management issue as well.
4. ISM is a dynamic process
ISM is more about the operating procedures and processes, in which crucial components such as organizational infrastructure, human factors and information security practices are all involved. In the process of ISM, new vulnerabilities affecting infrastructure components and system applications are discovered almost on a daily basis, thereby requiring continuous efforts on the part of security professionals to stay up-to-date with the latest information security threats and tools on the horizon. Both individuals and organizations need to learn and adjust their efforts so that they can develop an effective information security program to see the expected outcomes. It is absolutely necessary that managers understand that business requirements such as organizational goals, organizational structure and ISM strategy must change as environmental factors such as technology, legislation and business practice constantly morph and evolve. From an emergent point of view, organizations and individuals have to make adjustments based on feedback and outcomes because there are gaps between organizational security objectives and technology readiness/functions. As a result, the information security program must be redesigned continuously for improvement. Due to the dynamic nature of the computer security paradigm, many current security "best practices" and security management strategies tend to be static, ineffective and dogma-based.
Components of the ISM Framework
Step 1. Assess the Organizational Environment
If an organization wishes to develop an information security program, the first step is to conduct a comprehensive assessment of their business environment and organizational goals. The business environment includes both external and internal factors; examples of external factors are institutions or forces (such as suppliers, customers, competitors, government regulatory agencies, public pressure) that are outside the organization and over which the organization has little control. These forces can potentially affect the organization's performance (Porter and Millar, 1985, p. 150). The internal factors include business strategy, organizational culture, human resources, capital and available IT/IS security resources.
It has been suggested that organizations can determine their security needs based on an information risk assessment (Gordon and Loeb, 2006, p. 122), including the organization's need to protect the integrity, availability and confidentiality of its information. This risk assessment brings together important information about the protection of the information system(s) that make up the organization. However, we argue that the determination of information security objectives should not be based solely on an internal analysis. It should also consider external forces. For example, businesses in some industries (government, healthcare, insurance, finance) tend to be interested in compliance with external agencies reporting requirements. The motivation of information security is the mitigation of legal action. In these situations, it is likely the information security initiatives come more from external pressure rather than internal forces. Further, the dynamic nature of information security (Kruger and Kearney, 2006, p. 289) dictates a frequent re-examination of the environment to stay apprised of the most current forces effecting security. The key questions to ask at this point should seek to uncover the recent security threats and developments.
During this stage, management performs activities that assess the size, scope and complexity of the security program and its related activities. These include:
1. Establish the security program steering committee or team
2. Establish a relationship with the external constituents (customers/users).
3. Establish the necessary management procedures for the development of the ISM program.
Step 2. Establish Information Security Objectives
The second stage in ISM is to develop the security objectives. The objectives should have a strategic, organizational focus and be made by executive-level management because top management and steering committee members often have a better understanding of overall business objectives and constraints.
Many professionals agree that the three essential/core objectives of ISM--confidentiality, integrity and availability (CIA)--can never be completely separated. Loss of one or more of these objectives can threaten the continued existence of the organization. Some researchers have included privacy in confidentiality (Krause and Tipton, 2002, p. 234). They claim that keeping data private means keeping it confidential.
In the Internet world, confidentiality has taken on an expanded meaning in the form of privacy controls. For other industries, such as healthcare and finance, privacy is now a regulatory issue. Other researchers have suggested even more objectives, such as 'auditability' and accountability, authorization, identification and anonymity (Host, 2001, p. 1). Based on their specific business environment and organizational goals, organizations should establish the appropriate objectives. It is critical in this step to make sure security objectives align with the organization objectives.
Step 3. Analyze Information Security Requirements
Any information security controls should be based on an analysis of information security requirements. The analysis should address all requirements for confidentiality, integrity and availability of information and should include a review of all legal, functional and other security requirements specified in the goals and objectives established in steps one and two of the proposed framework. Determination of requirements should be accomplished through both managerial and technical approaches. The managerial approach can be reviewing current procedures, policies and interviews with employees at different levels or through committee meetings.
The technical approach can consist of testing of vulnerability of existing hardware and software. This step focuses on what kinds of information and resources should be protected. In this stage, it is necessary to perform a trade-off analysis between the security requirements and functional requirements, because they almost always conflict. For example, requiring users to change a password weekly would provide increased security but would be imposition on users. Further, a security assurance analysis is also suggested. This analysis addresses the activities and assurance needed to produce the desired level of confidence that the information security measures will work correctly and effectively. The goal is to achieve cost-effective assurance that meets the requirements for protecting the organization's information assets. Questions that can help organizations analyze their security requirements are presented in Exhibit 2.
Exhibit 2. Security Requirement Questions
What is the structure of the security team and what are its duties?
What personnel security policies should be implemented?
What use of equipment is acceptable?
What authentication mechanisms and password policies should be used?
Where and what kind of physical security controls should be established?
What are the business continuity/disaster recovery plans?
What steps to take to respond to a security incident?
The outcomes from this process will be notes, documents of procedures, or business rules and policies. Additional specific guidelines, adopted from US-CERT, (www.us.cert.gov/reading_room/brouchure_securityguidance.pdf) that could guide IS security initiatives are found in Exhibit 3. Most of the time, it is necessary to structure or re-organize established requirements. For such purposes, computer-based tools can be helpful. For example, to perform risk analysis, COBRA, SPRAT and UnRiskIT can be used.
Exhibit 3. Questions to Guide IS Security Initiatives
(Adopted from Wright, 1994, p. 6 - 8)
Cyber Security Guidance - Users
Make your passwords complex. Use a combination of numbers, symbols and letters.
Change your passwords regularly (every 45 to 90 days).
Do NOT give any user names, passwords or other computer/Web site access codes to anyone.
Do NOT open e-mails or attachments from strangers.
Do NOT install or connect any personal software or hardware to your organization's network or hardware without permission from your IT department.
Make electronic and physical back-ups or copies of all your most important work.
Report all suspicious or unusual problems with your computer to your IT department.
Cyber Security Guidance - Administrators
Implement Defense-in-Depth--A layered defense strategy that includes technical, organizational, and operational controls.
Establish clear policies and procedures for employee use of your organization's information technologies.
Implement Technical Defenses--Firewalls, intrusion detection systems and Internet content filtering.
Update your anti-virus software daily.
Regularly download vendor security "patches" for all of your software.
Change the manufacturer's default passwords on all of your software.
Monitor, log and analyze successful and attempted intrusions to your systems and networks.
Physical Security Guidance
Monitor and control who is entering your workplace: current employees, former employees and commercial delivery and service personnel.
Check identification and ask individuals to identify the purpose of their visit to your workplace.
Report broken doors, windows and locks to your organization's or building's security personnel as soon as possible.
Make back-ups or copies of sensitive and critical information and databases.
Store, lock and inventory your organization's keys, access cards, uniforms, badges and vehicles.
Monitor and report suspicious activity in or near your facility's entry/exit points, loading docks, parking areas, garages and immediate vicinity.
Report suspicious-looking packages to your local police. DO NOT OPEN or TOUCH them.
Shred or destroy all documents that contain sensitive personal or organizational information that is no longer needed.
Keep an inventory of your most critical equipment, hardware and software.
Store and lock your personal items such as wallets, purses and identification when not in use.
Are you aware of anyone recording or monitoring activities, taking notes, using cameras, maps, binoculars, etc., near a key facility?
Have you observed abandoned vehicles, stockpiling of suspicious materials, or persons being deployed near a key facility?
Are you aware of any attempts to penetrate or test physical security or procedures at a key facility?
Step 4. Develop Information Security Controls
This step determines which security procedures and controls should be implemented, based on the security requirements identified in the previous step. Generally, information security controls are grouped into procedural controls and technical controls. Procedural controls address and strive to protect the interface between humans and the security system, while technical controls are tools or techniques used to enforce security. We provide several examples of information security controls that can be applied in an organization (see Exhibit 4). For each control, a representative sample of items is provided for consideration.
Exhibit 4. Information Security Controls
Information Security Policy
- Specifies the information security responsibility of employees
- Illustrates the importance of security to the organization
- Has an owner who is responsible for the policy's update and maintenance
- Has management's support for information security programs
- Defines information security objectives
- Is regularly reviewed for effectiveness and completeness
- Authorizes the ISM committee to make necessary decisions
- Has information security advisors in each business unit to coordinate ISM
- Has a dedicated security steering committee responsible for ISM
- Has an information security forum to give management direction and support
Asset Classification and Control
- Information assets are clearly labeled based on level of confidentiality
- Information assets are classified based on level of confidentiality
- Information asset classification system is simple and effective
- Information assets are recorded based on ownership
Business Continuity Planning
- Is tested regularly
- Includes a risk analysis of critical processes
- Is assessed using effective techniques
- Ensures speedy resumption of essential operations after system failure
System Technical Control
- Monitors and logs access and use of computer systems
- Has procedures for mobile computing control
- Employs password management systems
- Requires routinely reviewing audit logs
- Requires proper authentication for external connections
- Audits all activities related to working remotely
- Requires users to follow security practices in selection and use of passwords
Systems development and maintenance
- Has formal procedures to maintain the security of application software including application testing, changing and replacing
- Uses cryptographic techniques to protect confidentiality, authenticity and integrity of information
- Protects system files by controlling program source libraries in the development process to restrict possible corruption or tampering
- Has formal procedures to ensure security is built into operational systems
- Follows risk assessment and risk management processes to determine acceptable controls
Communications and Operations Management
- Has a backup/ recovery process to maintain the integrity and availability of essential information processing and communication services
- Protects the integrity and security of essential software and information against virus and intrusion
- Has policies requiring compliance with software licenses and prohibiting the use of unauthorized software
- Takes appropriate security measures for publicly available systems such as Web servers
- Has formal agreements with partners for the exchange of information
- Takes appropriate security measures for electronic commerce to ensure information exchange
To have an effective security program, there should be a task team or steering committee to keep the program up-to-date. This team should have representation from the major business units, as well as from the information security team and the legal department. This team should have authority to make the necessary decisions. Since the security policy and controls should be changed to "fit" changing security objectives, periodic reviews for effectiveness and completeness are important and additional updates may be necessary whenever there is a significant change in the organization's direction or environment.
Step 5. Train/Evaluate Information Security Controls
Information security training and management support are possibly the most important components of an effective information security program. Training can increase security awareness, understanding and thus, participation. A good training program consists of courses (both initial and refresher classroom and/or online), regular updates, collateral material such as posters and a system of rewards and penalties for desirable and undesirable behavior. There is much collateral material available at: www.us-cert.gov/
It is necessary to continuously review logs, so that problems can be caught and fixed quickly. In addition, good systems, network and security administrators often perform other kinds of monitoring functions - e.g., running sniffers or integrity checkers. Reporting procedures are necessary to provide input for measurement, audit and monitoring. In particular, reports of the activities mentioned above should be reviewed during the monitoring process so that potential problems can be addressed and the information can be used in diagnosing anomalies.
Many organizations employ the use of technical tools as a mechanism for controlling information assets. These are typically IS-based tools that allow the organization to use their information systems resources to check on four basic groups of controls: authentication, authorization, access control and monitoring (Bachman, 2002, p. 8). Authentication controls are designed to verify the identity of the person or system that is requesting access. Some examples of authentication mechanisms are: username/password and certificates--Public Key certificates, hardware tokens and multi-biometrics. Access controls are designed to enforce the decisions of the authorization system by allowing or denying access. Examples of access control systems are: firewalls, file encryption and virtual private networks.
Monitoring tools are used to watch for anomalies and raise alarms. Server logs and intrusion detection systems are examples of monitoring tools. Virus scanners are also monitoring tools.
It is important to remember that none of these technical controls can be effective unless they are applied in a coordinated manner and managed appropriately.
A response procedure (backup and recovery plan) is important. When a security incident is spotted, administrators should have a plan for dealing with it. This plan should include documentation and notification requirements and escalation procedures. In addition, it may include measures to preserve evidence in case prosecution becomes necessary.
As with any business process, in order to determine whether an organization is meeting its goals, the organization needs to measure its progress. Evaluation allows finding out whether the organization is receiving the return on investment, as well as whether the program is running effectively and efficiently. Numerous metrics or tools can be used for this purpose. Organizations can measure the number of incidents detected and addressed, whether the security team met Service Level Agreements for responding to change requests and how many hours were spent reviewing logs.
Unfortunately, the aforementioned steps give only a general idea of the health of the security system. They can be corrupted and mislead decision makers. For example, if we measure the number of security incidents reported by assuming that fewer incidents is better, then the security team could receive a better rating simply by reducing its monitoring efforts. If the management team does not investigate the meaning of the metrics, the security improves on paper while becoming less effective in reality (Bachman, 2002, p. 5). However, as part of a holistic plan for security, the health of systems can be tested by an independent party such as the audit group or an outside vendor.
Lastly, as are other IT development processes, information security is also an improvement process. The maturity of the security process itself should be measured and adjusted to meet the needs of the organization. One way to do this is to compare the process and its parts to a maturity scale (see Exhibit 5). This scale is adapted from a capability maturity model for software (Paulk, Curtis, Chrissis and Weber, 1993, p. 8). It is important to note that not all organizations should strive for Level 5 processes. Moving up the scale is expensive and return on investment should be considered when setting goals.
Exhibit 5. Information Security Maturity Scale Level Characteristics Level 1: Ad hoc ISM functions are performed as needed. The process is generally chaotic. Level 2: Repeatable ISM functions are performed regularly, usually in the same way. Level 3: Defined ISM functions are documented and performed in a standard manner. Level 4: Managed Performance of ISM functions is monitored, measured and reviewed in an ongoing manner. Level 5: Optimized ISM processes are verified, integrated, controlled and continually improved
To help provide insights into the context in which the information security issues can occur and to understand the basis of the approaches suggested by both researchers and practitioners, we have proposed an integrated framework for ISM. This framework offers several benefits:
- First, it serves as a common ground for integrating all types of information security functions
- Second, it helps answer questions of how to react to information security issues
- Finally, it helps identify what are the important components involved in establishing and maintaining information security initiatives
By following the framework proposed in this article, information security practitioners can determine how to initiate an ISM plan to provide secure and high quality information for their organizations. Due to the rising popularity of mobile and wireless systems, voice over-IP, development of supply chain integration, business application outsourcing and other new developments, new vulnerabilities will be created on a consistent basis. Given this ever-changing security paradigm, the effective way to protect information assets is to develop an ISM program based on the framework proposed in this article.
(1.) Bachman, D. 2002. Information Systems Security: Principles and Perspectives. Sprint E| Solutions. White paper: 1-13.
(2.) Blackwell, E. 1998. Building a solid foundation for intranet security. Information Systems Management. Spring 15(2): 26-34.
(3.) Bostrom, R. and Heinen, J. 1977. MIS problems and failures: a socio-technical perspective - Part I: the causes. MIS Quarterly September: 17-32.
(4.) Bosworth, S. and Kabay, M. E. 2002. Computer Security Handbook (4th edition, Bosworth and Kabay eds.). New York, NY: John Wiley & Sons, Inc.
(5.) Brenner, B. 2005. Botnets are more menacing than ever. Retrieved September, 2005 from http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1068871.00.html
(6.) Fried, L. (1994). Information Security and New Technology Potential Threats and Solutions. Information Systems Management, 11 (3): 57-63.
(7.) Furnell, S. M., Papadaki, M., Magklaras, G. and Alayed, A. 2001. Security Vulnerabilities and System Intrusions: The Need for Automated Response Frameworks. In H. P. Eloff, L. Labuschage, R. V. Solms & G. Dhillon (Eds.), Advances in Information Security Management & Small Systems Security. Dordrecht, Netherlands: Kluwer Academic Publishers.
(8.) Gerth, A. B. and Rothman, S. 2007. The Future IS Organization in a Flat World. Information Systems Management. 24(2): 103-111.
(9.) GFOA (Government Finance Officers Association), 1997. An Introduction to Treasury Management Practices, GFOA, ISBN 0891252118, 65 pages.
(10.) Gordon, L. A., Loeb, M. P., Lucyshyn, W. and Richardson, R. 2005 CSI/FBI Computer Crime and Security Survey. Retrieved from www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml;jsessionid=CREWIZUTIPCCSQSNDBCCKHSCJUMEKJVN
(11.) Gordon, L. A. and Loeb, M. P. 2006. Budgeting process for Information Security Expenditures. Communications of the ACM. 49(1): 121 - 125.
(12.) Host, R. 2001. New information security requirements for federal agencies. Accessed on Feb. 25, 2003 at: http://www.sans.org/rr/policy/fed.php
(13.) Krause, M. and Tipton, H. F. 2002. Handbook of Information Security Management, CRC Press LLC, ISBN: 0849399475.
(14.) Kruger, H. A. and Kearney, W.D. 2006. A prototype for assessing information security awareness. Computers & Security. 25(4): 289 - 296.
(15.) Pant, S. and Hsu, C. 1999. An integrated framework for strategic information systems planning and development, Information Resources Management Journal. 12(1): 15 - 25.
(16.) Paulk, M.C., Curtis, B., Chrissis, M.B. and Weber. C.V. 1993. Capability Maturity Model for Software, Version 1.1 Technical Report. CMU/SEI-93-TR-024, ESC-TR-93-177. Retrieved from: http://www.dynamics.unam.edu/NotasVarias/CMM.pdf
(17.) Peltier, T. R. 2003. Preparing for ISO 17799. Security Management Practices. 21 - 28.
(18.) Porter, M. and Millar, V. 1985. How information gives you competitive advantage. Harvard Business Review. July-August: 149 - 160.
(19.) Reich, B.H. and Benbasat, I. 2000. Factors that influence the social dimension of alignment between business and information technology objectives. MIS Quarterly. 24(1): 81 - 111.
(20.) Straub, D. W. and Welke, R. J. 1998. Coping with systems risk: security planning models for management decision making. MIS Quarterly 22(4): 441 - 469.
(21.) US-CERT, United States Computer Emergency Response Team. Retrieved May 2006 from http://www.us-cert.gov/reading_room/brochure_securityguidance.pdf.
(22.) Wright, M. A. 1994. Protecting information: effective security controls. Review of Business, 16(2): 4 - 9.
(23.) Zviran, M. and Haga, W. J. 1999. Password security: an empirical study. Journal of Management Systems, 5(4): 161 - 185.
Qingxiong Ma, Harmon College of Business Administration, University of Central Missouri
Mark B. Schmidt, G.R. Herberger College of Business,St. Cloud State University
J. Michael Pearson, College of Business Administration, Southern Illinois University
|Printer friendly Cite/link Email Feedback|
|Author:||Ma, Qingxiong; Schmidt, Mark B.; Herberger, G.R.; Pearson, J. Michael|
|Publication:||Review of Business|
|Date:||Sep 22, 2009|
|Previous Article:||Fashion accessory buying intentions among female millennials.|
|Next Article:||Modern bankruptcies as tools for teaching valuable lessons in business.|