INFORMATION SYSTEMS MANAGEMENT
WWW.ISM-JOURNAL.COM
SPRING 2005
SECURITY, ETHICS, AND LEGAL ISSUES

A MODEL OF INFORMATION ASSURANCE BENEFITS

Jean-Noël Ezingeard, Elspeth McFadzean, and David Birchall

Effective information assurance (IA) is the key to reliable management decision-making, customer trust, business continuity, and good governance in all sectors of industry and public service. Yet making a business case for IA investments can be difficult because the scope of the potential benefits can be very broad. Based on interview data collected from company executives, senior IA managers, and a variety of external stakeholders, we develop and discuss a four-layer model that can be used to help structure the case for IA investments.

JEAN-NOËL EZINGEARD is professor of management studies (processes and systems management) at Henley Management College in the United Kingdom. He can be reached at

ELSPETH MCFADZEAN is a lead tutor and visiting senior research fellow at Henley Management College and a visiting lecturer at the University of Surrey.

DAVID BIRCHALL is director of research at Henley Management College and also leads the Centre for Business in the Digital Economy.

Security concerns are on the increase in all organizations worldwide, and there is a growing number of calls urging senior managers and top executives to take greater interest in information security (Fourie, 2003). These calls are mainly based on the premise that the engagement of senior managers and directors with the information security agenda is key to achieving good security (ISO, 2000; Thomson and von Solms, 2003). But are these calls being heard? Unfortunately, there is evidence that the topic is not reaching the top layers of organizations, or that it only does so at irregular intervals and on an ad-hoc basis (Ezingeard et al., 2004b), with the attention of senior managers for information security centered around incidents, either published in the press or internally identified.

In parallel to the increased focus on business benefits for IT investments, the topic of information security has evolved in many organizations to cover broader issues than security. The scope of potential benefits has therefore also increased. In particular, aspects such as quality and trustworthiness of information are now becoming key business issues. In light of several high-profile governance failures that could be traced to distorted information, executives are being required to pay more attention to aspects of information integrity due to legislation (ITGI, 2003). In this context, the term information assurance (IA) is therefore emerging as a broader business concept than just security (Colwill et al., 2001).

Whereas security was once the sole domain of the information systems department, organizations are increasingly tasking audit and compliance committees with monitoring and overseeing information assurance processes. Experts suggest that auditors should fully understand IA issues as a key part of future responsibility (Parker, 2001). Despite this widening of scope, there is still evidence of a lack of senior management understanding of the business value of good information assurance (Deloitte, 2003; Ernst & Young, 2002).

Research has shown that the lack of engagement from senior managers and boards could be attributed to differences in language and culture between information security staff and senior managers, and that there is a need to express information security problems in business rather than technical language (McFadzean et al., 2003). This is compounded by a dearth of advice and research into how information security return on investment (ROI) can be better calculated and presented to senior managers (McAdams, 2004). The research presented here aims to bridge this gap by advancing the understanding of the benefits that can be gained from superior information assurance. We do so by investigating what organizations expect to gain from information assurance through a series of interviews with senior managers, from which we build a structured model of the business benefits of IA.
Our research was based on a two-pronged data collection approach. A total of 32 interviews was conducted with two different groups. Our initial enquiry started with in-depth interviews with 22 senior business managers. From these interviews we were able to establish both the internal and external business benefits of an effective IA policy for different organizations. Apart from one U.K. charity and one government department, all managers were from public companies with listings on the London, New York, Zürich, or Frankfurt stock exchanges. In parallel, we conducted interviews with representatives of ten external stakeholders to gain the different perspectives of IA benefits from people located outside the companies, including investors and suppliers. These two sets of interviews enabled us, using interpretive content analysis assisted by cognitive mapping software, to develop our model of IA benefits. (More details on our research methods are provided in Table 1.)
WHAT IS INFORMATION ASSURANCE?
Unfortunately, there is no universally accepted definition of what constitutes information assurance (IA). Many still equate it with information security, but the term information assurance is growing in acceptance and usage, particularly among government and international agencies (Wolf, 2003). Information security generally includes the following three elements (Whitman, 2003):
1. Confidentiality. This ensures information is accessible on a need-to-know basis and that unauthorized access is prevented.
2. Integrity. This ensures that data (or, more widely, information) is not deleted or corrupted, either accidentally or deliberately.
3. Availability. This ensures that information is available when it is required and that it will support the organization's ability to operate and accomplish its objectives.
Some experts add identification and authentication to this list (Koved et al., 2001; Landwehr, 2001). The distinction between these two terms emphasizes a necessary separation between the act of recording who has carried out an interaction with an information asset and the act of determining their authority to do so. Separating these concepts in information architecture can, for example, identify instances of password security breaches.

A further component is non-repudiation, introduced as far back as the late 1980s (ISO, 1989). Non-repudiation is a basic security service that ensures organizations can prove that transactions actually took place and that they are correctly recorded. This expanded scope of the activities associated with managing the defense, preservation, provenance, and surety of information now forms the concept and definition of IA used in many countries. For example, the Information Assurance Advisory Council (IAAC, 2003) in the U.K. defines information assurance as:

the certainty that the information within an organization is reliable, secure and private. IA encompasses both the accuracy of the information and its protection, and includes disciplines such as security management, risk management and business continuity management.

TABLE 1 Research Methodology Details

In-Depth Interviews with Senior Business Managers

We sought the views of 22 managers, all based in the United Kingdom except for four (two in the United States, one in Germany, one in South Africa). Six of the respondents are board-level directors (CEO, CFO, non-executive director), four are in charge of information systems for their organization, ten have responsibility for information assurance (head of information assurance, head of risk, head of information security), and two are senior project managers specializing in IA. Sectors represented include financial services, manufacturing, power distribution, retail, IT services, consultancy, and pharmaceutical. The managers were asked about the effect of information assurance on their organizations. This included both an internal perspective (e.g., how IA influences employees, managers, etc.) and an external perspective (e.g., the impact of IA on customers, suppliers, etc.). Consequently, we gained detailed information on the effect of IA on issues such as business processes, information sharing, innovation, company reputation, and relationships with suppliers, among others. These interviews lasted between 60 and 90 minutes.

Stakeholder Interviews

In parallel, we interviewed ten external stakeholders: three investors, two buyers with an interest in the IA procedures of their suppliers, two suppliers with an interest in the IA procedures of their customers, an insurance underwriter, a provider of professional technical services, and a financial consultant with significant experience in flotation and mergers and acquisitions. The aim of these interviews was to provide us with information about how organizations' information assurance policies affected their external stakeholders. This enabled us to gain a different perspective on IA benefits from outside the companies. These interviews lasted up to 30 minutes, which was sufficient to examine the participants' views using questions that were very focused.
Despite this widening of scope, information assurance is still frequently used as a synonym for security, where little value is added to the mindset of defense (Boyce and Jennings, 2002). The danger here is that operational defensive measures such as intrusion detection and password breach prevention become the benchmarks for successful performance, failing to identify and capture the scale of exposure because of, for example, errors in accurately invoicing goods and services delivered.

Security considerations typically focus on the need to protect systems from internal and external attack, environmental threats, accidental damage, and disaster recovery. This is undoubtedly a core element of information assurance but can lead to a fixed state approach because of the dangerous assumption that all threats can be accurately predicted. Agility is needed in the face of unpredictable threats, and the ability of an organization to adapt its policies, procedures, and technology may be as important as the ability to produce a complete assessment of all possible threats. System changes can even be viewed as a temporary transition between static states, breeding a tolerance for a reduced state of security during a transition period. Our interviewees had little doubt that this approach is complacent in today's threat environment, where the Internet allows security weaknesses to be publicized widely among hackers and business-crippling worms can spread globally in minutes. Whether it is a law of economic conservation or simply ironic, the same Internet that allows many companies to reduce operating costs and improve customer services also increases the cost and complexity of IA, as it increases the number of defensive frontiers that a company must manage.

Adopting a problem-prevention outlook can be very limiting. It is particularly dangerous to assume that the majority of serious threats can be predicted or to introduce systems that are so rigid they are slow or even unable to respond to changing needs. If customer services unilaterally implemented inflexible and strict security procedures, they might achieve a zero-complaints target, but they might also completely prevent any sales from occurring. Similarly, finance could eliminate bad debt by refusing to offer credit terms to any customer. While these are obviously extreme examples, they illustrate how a department unchecked by business logic can hamper business performance. Of course, the corporate mindset that does not question its security policies in the face of employee inconvenience, ever-increasing procedures, and restrictions on knowledge management is being equally shortsighted.

Our research also indicates that taking a security outlook can be counter-productive in achieving board engagement. This is because information security tends to be associated with technology, not always a topic in which board members can engage. In the words of the group IA adviser for a multinational retail bank:

Board members tend not to be very technical and avoid IA. However, the technical part of IA is actually only a small element ... It is important to be able to look at things in a holistic way, with a broader perspective, not just technical.
ENABLING RATHER THAN PREVENTING
Information assurance could be said to represent a migration from a preventative approach to an enabling approach. Information systems can represent a source of competitive advantage through their structural integrity as much as through the information content they deliver. Reliability and resilience mean more consistent operational and customer service performance, thus reducing costs and increasing the ability to adapt quickly to changing market circumstances. Table 2 compares the key elements of a traditional information security method to a more pioneering information assurance approach.

A comprehensive conceptualization of IA ensures that the information systems serve the organization's transactional needs, such as operational capability, customer service, and financial systems, as well as its transformational needs, including knowledge management, innovation, and rapid adaptation. Taking such a forward-looking view requires an examination of the direction of the business as well as its current needs and systems. IA practitioners must understand how value is created in the business and what will influence future strategic decisions (Ezingeard et al., 2004a).
Consequently, by combining all these ideas, information assurance strategy can be defined as:

Determining how the reliability, accuracy, security and availability of a company's information assets should be managed to provide maximum benefit to the organization, in alignment with corporate objectives and strategy.
AVOIDING NEGATIVE STRATEGIC
CONSEQUENCES OF POOR
INFORMATION ASSURANCE
Breaches in security heighten awareness of just how dependent organizations have become on their information systems and how high the price for failing to safeguard them is in terms of reputational damage, loss of business and reduction in share price (Hovav and D'Arcy, 2003). Breaches in information reliability can have similarly devastating reputational or financial consequences. It is vital, therefore, that organizations develop an effective IA strategy to help them defend against these violations.

Despite these dangers, information assurance is not a key consideration in shaping corporate strategy. Naturally, companies do not consider revenue generation plans and budgets secondary to IA policies (with the few exceptions being those whose primary business is to secure transmission or storage of information). Nonetheless, information assurance is a strategic issue in the sense of the potential impact on the rest of the business (McFarlan, 1984; Ward, 1988). If it is not undertaken well, strategic risks may follow. IA should therefore support corporate strategy because the consequences of IA policy decisions can affect the entire business. For example, an information systems failure could cause damage to an organization's reputation and may inhibit the firm's ability to operate; or ill-considered policies may restrict information flow, causing poor customer service and resulting in loss of business over time. Finally, the cost of the incident may be prohibitively high and the organization may not survive the disruption (Logan and Logan, 2003).
Customer tolerance for publicized security breaches is decreasing (DTI, 2002; Treanor, 2000). This also calls for information security concerns to rise to the highest levels of the organization. If customers migrate not just because of perceived risk, but simply because of the inconvenience of failing computer systems, then stability and reliability become competitive drivers. In the United States, the advent of the Sarbanes-Oxley Act, which holds executives personally liable for the accuracy of financial results, could potentially pave the way to similar liability for all compliance issues, particularly in light of growing consumer concern for information privacy (Stewart and Segars, 2002).

Information assurance must become a concern from a corporate governance perspective (Thomson and von Solms, 2003). Recent media reports have also highlighted the potentially dramatic consequences of poor information integrity, demonstrating that decisions taken on the basis of unreliable information can leave shareholders and voters concerned and angry (Stiles and Taylor, 2001). Stakeholders no longer see the fact that decisions were taken in good faith or that assets were represented to the best of executives' knowledge as an acceptable excuse for mistakes subsequently discovered. Unsurprisingly, corrupt data (and its impact on corporate governance and general management decision making) was therefore seen by our interviewees as one of the biggest risks of poor IA.

Perhaps too often, information security is presented as a necessity for survival rather than a business enabler. Interestingly, considering information assurance as incorporating responsibility for the reliability and integrity of data means that those formerly responsible for implementing information security can make a value-adding contribution to the organization through this changing perspective, enhancing competitive advantage rather than simply defending existing systems (Dhillon, 2004). This is what we explore in the next section.

TABLE 2 Comparing Information Security with Information Assurance

Confidentiality
Information Security: Need-to-know only and protection from unauthorized access
Information Assurance: How can ongoing compliance be ensured against regulatory changes or regional variations? What would be the impact on reputation of a breach in confidentiality?

Integrity
Information Security: Preventing accidental or malicious alteration, corruption, or deletion
Information Assurance: Can users compare relative levels of reliability if data is conflicting? How does the organization reduce costs incurred through errors?

Availability
Information Security: Disaster recovery and business continuity to ensure ongoing operation of existing systems
Information Assurance: How can we develop systems that will not be restrictive as the organization grows, enters new alliances, or develops new businesses?

Identification and Authentication
Information Security: Password access control
Information Assurance: Do users keep their passwords secret and change them regularly because they are told to or because they understand the importance of password safety? How can we develop better identification and authentication methods for our stakeholders?

Non-repudiation
Information Security: Fraud prevention
Information Assurance: How can security reduce the organization's transaction costs? Can transactions be simplified for our customers to increase their value gained from dealing with us, without compromising security?
HARNESSING POSITIVE
CONSEQUENCES OF GOOD
INFORMATION ASSURANCE
Ensuring business continuity, the ability to continue operating without falling foul of legislation or adverse media reports, is an immediate benefit that many of the board members and senior executives interviewed recognized. Some managers, however, go beyond the simple, immediate benefits of IA. These interviewees pointed out that in the medium term, it should be possible to achieve further benefits. As illustrated in Figure 1, we have classified those into:

Operational benefits: those benefits that will have an immediate positive impact on the organization's ability to deliver goods and services more efficiently or effectively
Tactical benefits: those benefits that will have a medium-term positive impact on the organization's relationships with its trading partners
Strategic benefits: those benefits that are more long-term in nature and connected with competitive advantage
Organizational benefits: those benefits sought by the owners of the organization or its key stakeholders

FIGURE 1 Interview Findings: The Benefits of Good Information Assurance (four layers: Operational Benefits, comprising Resilient Business Processes, Improved Customer Service, Better Information Usage, and Improved Responsiveness; Tactical Benefits, comprising Easier Compliance, Better Control, Better Understanding of Business Opportunities, and Commitment from Business Partners and Customers; Strategic Benefits, comprising Better Governance, Cheaper Equity, More Sales, and Lower Costs; Organizational Benefits, comprising Improved Shareholder Value, Competitive Advantage, and License to Operate)

Operational Benefits

Resilient Business Processes. A good IA policy can provide a global framework for information security within an organization, pulling together both information and physical security to ensure business continuity. Going beyond information security, effective IA is also the key to good operational controls and procedures that rely on timely and accurate information for their business continuity or simply for effectiveness. Supply chains, for example, are increasingly considered an area of exposure by many businesses but also an opportunity to gain significant competitive advantage. Because controlling the supply chain is a very information-intensive activity, supply-chain management is an example of a business process whose resilience can be significantly enhanced by good IA. Many interviewees pointed to resilience of business processes as a key benefit of good IA in sectors such as banking, telecommunication, and retail.
Improved Customer Service. An effective IA strategy can help the organization to provide secure and easy-to-use access, which customers increasingly expect as a given, as well as reliable information, which is the key to good service provision. As one of our interviewees described it, "Information is absolutely central to good advice delivery." It is particularly critical, for example, in sectors where customer service is delivered through call center operations. In other sectors, such as financial services, good IA will often be the key to the ability to deliver real-time financial information to customers. In retail, good IA is a cornerstone of many loyalty programs.
Better Information Usage. IA facilitates improvement in the quality, integrity, availability, and reliability of information. Many organizations suggest that information is a key element for business decisions and innovation. It is therefore beneficial for companies to gather and maintain accurate and reliable information. Collecting, storing, and processing information can be costly, however. Good IA is therefore linked by some of our interviewees to enabling a reduction in such costs. This, for example, can be the cost of storing business-critical information in an efficient way. In the words of one of the executives interviewed, good IA can help identify "when you've got four copies of that [because] you don't need four." In other companies, good IA will ensure that information is enhanced, as well as protected and used well. For example, the CEO of one of the banks interviewed pointed out that good IA helped ensure that customer needs were matched appropriately to products.
Improved Responsiveness. Good IA can significantly improve responsiveness. In security terms, good IA is often the key to responsiveness when breaches do actually occur. Responsiveness is often only possible if every individual within an organization feels responsible for security. Improving knowledge and awareness of security issues can be beneficial in itself; but in addition, this awareness can help to improve the speed of response when a breach in security occurs. Thus, both the communication of the breach and the repair of the infringement can be undertaken much faster. Furthermore, good IA will ensure that an organization is alerted rapidly to changes in the environment. In situations where rapid responses are required, being able to trust the information on the basis of which decisions are taken will be critical. As argued by the chief risk officer of a large bank that participated in the research, one of the reasons that his organization pays attention to IA is because it supports the bank's ability to remain cutting edge.
Tactical Benefits
Easier Compliance. Many organizations see IA solely as a compliance issue. Achieving compliance can be expensive: simply meeting the data storage requirements brought about by the Sarbanes-Oxley Act has required the quadrupling of storage capacity in many organizations (Economist, 2004). By ensuring good IA processes, companies are able to achieve leaner internal control systems that still meet regulatory and legal requirements; they need to spend less on technology to remain compliant and less on processes to monitor compliance. Improved confidence and accountability in IA reduces the complexity (and therefore the cost) of post-hoc verification of information accuracy.
Better Control. An effective IA policy will provide additional rigor for information and security controls. At a basic operational level, strict control procedures can be put in place to stop unauthorized access to information or the use of unauthorized software, illicit Web surfing, and e-mail communication. One senior manager (from a telecommunications firm) we interviewed suggested that, at a tactical level, control often takes another form. He pointed out that an organization will want to ensure that once vulnerabilities are identified, it brings the risk down to a manageable and recognizable level. In addition, business control is also much more than security, and good IA will ensure that aspects such as expenditure are looked at rigorously to ensure that no surprises are brought to light, for example, in an annual audit. Finally, business control needs reliable information to steer the organization in the right direction. As pointed out by one of our interviewees, "if you're making decisions on the wrong data, then making better decisions is probably not your biggest issue."
Better Understanding of Business Opportunities. Understanding business opportunities and markets relies on trusted market intelligence. Many organizations increasingly place an emphasis on ensuring that this information is available and accurate. Although few organizations will make this an explicit requirement of their internal control systems, shareholders are becoming much less tolerant of companies that constantly misjudge market outlook. As pointed out by a senior consultant we interviewed, "If you go back to the Internet bubble where people would give you a million dollars for having an idea on a Web site, great. I think those days are gone ... they're far more rigorous now."
Commitment from Business Partners and Customers. As information technology permeates all business relationships, customers and suppliers alike are becoming more demanding. An organization will instill trust among its stakeholders if it is able to constantly demonstrate that it knows how to ensure that the information it collects and exchanges with its trading partners is secure. This in turn will inspire commitment. In the retail sector, for example, allowing automated shelf-restocking orders from direct observation by suppliers of sales transactions can be a source of significant commercial benefit (e.g., reduced cost of order administration, reduced inventory management, and fewer missed sales opportunities). However, in practice, that can only arise from assuring partners of the ability to guarantee not only the accuracy of sales data, but also the security of commercially sensitive information.
Strategic Benefits
Better Governance. Feedback to the board regarding IA is necessary to ensure that directors are kept informed about potential problems or risks. In the words of one of our interviewees, "I think for non-executive directors their nightmare is having a scandal, so they've got to be, and they are being, more challenging and require more information." This also means that the board can make better decisions regarding IA investment as well as providing assurance concerning the company's security to other stakeholders. In addition, it enables the senior executive responsible for IA to view the issue holistically. He or she can therefore facilitate compliance with government directives and provide global standards for the entire organization.
Cheaper Equity. Many firms require access to external financing to fund innovation and growth. A number of academic studies have shown that investors believe that companies that have been vulnerable to security breaches such as denial-of-service attacks in the past will be exposed to financial damage in the future (Ettredge and Richardson, 2003; Garg et al., 2003; Hovav and D'Arcy, 2003). The only exceptions to this were firms that showed they were willing to continuously invest in information security. Our interviews have confirmed that few analysts will take IA seriously when making investment decisions, either as part of an initial due diligence process or in subsequent reviews. IA reviews by market analysts are clearly not a widespread practice, although our interpretation of interview data is that the trend is growing.
More Sales. Effective communication of IA readiness will serve as reassurance for all stakeholders, including customers. It illustrates that the company:

Is willing to protect its customers' information from malicious intent
Provides better customer service
Has more resilient processes that will ensure unbroken supply or service

For example, one of our interviewees (from a manufacturing company) pointed out that many of its customers "don't want their prices and their volumes [made public]" and that they would stop buying if they felt that there was a chance that their competitors would "understand how much they're buying and get some competitive insights into the information we had about them." This, of course, is not unusual and not specific to manufacturing.
Lower Costs. The combination of operational and tactical benefits of good IA can ultimately result in lower overall costs for the business. Major security problems can cause substantial downtime and extreme disruption to the workforce. Research has also shown the massive costs that security breaches can create (Garg, 2003). An effective IA strategy therefore has the potential benefit of reducing costs and decreasing disruption and downtime due to security infringements.

Other cost drivers will be influenced by good IA, and we have already discussed business process benefits. Combined with better management information and better control, IA can clearly contribute to lowering an organization's overall costs.
Organizational Benefits

Improved Shareholder Value. As pointed out by a senior IA executive we interviewed, "Spending money without justification is not the order of the day any more," and all IA spending is now increasingly linked to the return it will produce for shareholders. We have already discussed operational and tactical value drivers that IA can help realize, such as commitment from customers and trading partners. These are, in turn, likely to generate shareholder value.

Ensuring shareholder value is one of the many roles undertaken by the board of directors (Stiles and Taylor, 2001). An effective IA strategy was seen as one method of communicating to shareholders the board's intent regarding security. That is, the strategy seeks to reassure shareholders regarding the safety of the organization as well as its security investment intentions.

Competitive Advantage. Competitive advantage is the ability of an organization to differentiate itself from its competitors. What, then, would IA-driven competitive advantage look like? While none of our interviewees actually linked IA to competitive advantage per se, it was linked to competitive advantage at two broad levels:
1. Reliable information about competitors, their new products and services, or marketing tactics can often help achieve competitive advantage.
2. The operational and tactical benefits that we have already associated with IA were linked with IA by interviewees. These included commitment from trading partners and better decision making.

License to Operate. Finally, many interviewees reminded us that, at a very fundamental level, organizations must comply with the legislation and regulatory requirements of the countries in which they operate. In extreme cases, failure to comply will result in a lack of approval to operate.
IMPLICATIONS

There are a number of implications of the model in Figure 1 for both managers and researchers. For example, the model shows that information assurance can have a resounding impact on many organizational processes, as well as influence both internal and external stakeholders. Consequently, information assurance should be seen in broad business terms rather than in narrow technical terms. It is important, therefore, that senior managers take responsibility for information assurance in order to guarantee the following:
- A holistic picture of IA controls and procedures has been developed and maintained.
- Appropriate compliance and legislation issues have been fulfilled.
- Information assurance strategy has been aligned with the organization's corporate goals.
- Employees have been fully briefed and are regularly updated on information assurance policies, processes, and potential threats.
- Appropriate adjustments can be made to IA policies when the internal or external environments alter, thus necessitating a change in security procedures.
Further research can also be undertaken in this area. This qualitative study is interpretive in nature and focuses on a small number of organizations. A wider survey of the benefits of IA to organizations could be undertaken, with data collected on the magnitude of the value of operational, tactical, strategic, and organizational benefits. It would also be interesting to ascertain whether the values of these benefits are similar for both internal and external stakeholders, and if they are similar for organizations in the United States and European countries.
CONCLUSION

Our research has shown that the benefits of superior information assurance can be grouped under four different headings:
1. Operational benefits: The immediate and direct consequence of superior information assurance will be flows of accurate information, available when and where they are needed. This in turn will support operational excellence and ensure the continuity of day-to-day operations for the benefit of the organization's customers.
2. Tactical benefits: Derived from the availability of usable management information and robustness of the information exchanges with business partners, these benefits are often the most publicized by IA practitioners.
3. Strategic benefits: These are the benefits that are linked with the ability of the organization to achieve its strategic objectives and achieve better performance than its
competitors. Although they are more long term in nature, we found that they were often sought as direct benefits of IA by the managers who participated in our research.
4. Organizational benefits: Ultimately, the rolling up of the operational, tactical, and strategic benefits of IA should result in improved shareholder value and competitive advantage. In some industries, superior IA is also a condition that regulators and other authorities place on organizations, in which case a license to operate is the ultimate organizational benefit.

Information assurance is critical to organizations in all sectors of industry and public service. It is the key to reliable management decision-making, customer trust, business continuity, and good governance. Yet, making the case for IA investments can be difficult as the scope of benefits is wide. The four-layer model presented here can be used to help structure the case for IA investments. Many practitioners and vendors often focus their arguments on what the negative outcomes of poor IA are. In contrast, our model shows what business benefits can be gained.
References

Boyce, J.G. and Jennings, D.W. (2002) Information Assurance: Managing Organizational IT Security Risks, London: Butterworth Heinemann.
Colwill, C.J., Todd, M.C., Fielder, G.P., and Natanson, C. (2001) Information Assurance. BT Technology Journal, 19(3), 107-114.
Deloitte (2003) 2003 Global Security Survey. Deloitte Touche Tohmatsu.
Dhillon, G. (2004) The Challenge of Managing Information Security: Guest Editorial. International Journal of Information Management, pp. 243-244.
DTI (2002) Information Security Breaches Survey. Department of Trade and Industry/PricewaterhouseCoopers, London, U.K.
Economist (2004) File That: The Sarbanes-Oxley Act Is Causing a Quantum Leap in the Storage Industry. The Economist [print edition], March 4.
Ernst & Young (2002) Global Information Security Survey. Ernst & Young LLP.
Ettredge, M. and Richardson, V.J. (2003) Information Transfer among Internet Firms: The Case of Hacker Attacks. Journal of Information Systems, 17(2), 71-82.
Ezingeard, J.-N., Bowen-Schrire, M., and Birchall, D. (2004a) Triggers of Change in Information Security Management. Proceedings of ISOneWorld Conference, Las Vegas, April 23-25.
Ezingeard, J.-N., McFadzean, E., and Birchall, D.W. (2004b) Board of Directors and Information Security: A Perception Grid. Paper No. 222 in Proceedings of British Academy of Management Conference, Harrogate.
Fourie, L.C.H. (2003) The Management of Information Security: A South African Case Study. South African Journal of Business Management, 34(2), 1-9.
Garg, A. (2003) What Does an Information Security Breach Really Cost? Evidence and Implications. Information Strategy: The Executive's Journal, 19(4), 21f.
Garg, A., Curtis, J., and Halper, H. (2003) Quantifying the Financial Impact of IT Security Breaches. Information Management & Computer Security, 11(2), 374-383.
Hovav, A. and D'Arcy, J. (2003) The Impact of Denial-of-Service Attack Announcements on the Market Value of Firms. Risk Management & Insurance Review, 6(2), 97.
IAAC (2003) Engaging the Board: Corporate Governance and Information Assurance. Information Assurance Advisory Council, Cambridge, U.K.
ISO (1989) ISO 7498-2:1989 Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture. ISO, Geneva.
ISO (2000) ISO/IEC 17799:2000 Code of Practice for Information Security Management. ISO, Geneva.
ITGI (2003) IT Control Objectives for Sarbanes-Oxley. IT Governance Institute, Rolling Meadows, IL.
Koved, L., Nadalin, A., Nagaratnam, N., Pistoia, M., and Shrader, T. (2001) Security Challenges for Enterprise Java in an E-Business Environment. IBM Systems Journal, 40(1), 130-152.
Landwehr, C.E. (2001) Computer Security. International Journal of Information Security, 1(1), 3-13.
Logan, P.Y. and Logan, S.W. (2003) Bitten by a Bug: A Case Study in Malware Infection. Journal of Information Systems Education, 14(3), 301-305.
McAdams, A.C. (2004) Security and Risk Management: A Fundamental Business Issue. Information Management Journal, 38(4), 36-44.
McFadzean, E., Ezingeard, J.-N., and Birchall, D. (2003) Boards of Directors' Engagement with Information Security. Henley Working Paper (HWP0309) (available from www.henleymc.ac.uk).
McFarlan, F.W. (1984) Information Technology Changes the Way You Compete. Harvard Business Review, 62(3), 98.
Parker, X.L. (2001) Understanding Risk. Internal Auditor, 61-65.
Stewart, K.A. and Segars, A.H. (2002) An Empirical Examination of the Concern for Information Privacy Instrument. Information Systems Research, 13(1), 36-49.
Stiles, P. and Taylor, B. (2001) Boards at Work: How Directors View Their Roles and Responsibilities, Oxford: Oxford University Press.
Thomson, K.-L. and von Solms, R. (2003) Integrating Information Security into Corporate Governance. 18th IFIP International Information Security Conference, Athens, pp. 169-180.
Treanor, J. (2000) Security Fear Shuts Online Bank. The Guardian, Aug. 1, 2000.
Ward, J.M. (1988) Information Systems and Technology Application Portfolio Management: An Assessment of Matrix-Based Analyses. Journal of Information Technology, 3(3), 205.
Whitman, M.E. (2003) Enemy at the Gate: Threats to Information Security. Communications of the ACM, 46(8), 91-95.
Wolf, D.G. (2003) Statement by NSA's Director of Information Assurance before the House Select Committee on Homeland Security. U.S. House of Representatives (available from http://www.nsa.gov/ia/Wolf_SFR_22_July_2003.pdf).