
Factors Influencing the Implementation of Information Systems Security Strategies in Organizations

Sangseo Park, Department of Information Systems, The University of Melbourne, Carlton, Victoria, Australia

Atif Ahmad, Department of Information Systems, The University of Melbourne, Carlton, Victoria, Australia

Anthonie B. Ruighaver, School of Information Systems, Deakin University, Burwood, Victoria, Australia

Abstract— Many organizations still rely on deterrence to control insider threats and on purely preventive strategies to control outsider threats. Such a simple approach to organizational information security is no longer viable given the increasing operational sophistication of current security threat agents and the complexity of information technology infrastructure. Effective implementation of security requires organizations to select a combination of strategies that work in tandem and best suit their security situation. This paper addresses the identification and classification of factors that influence implementation of security strategies in organizations. In this paper, we develop a preliminary architecture that aims to assist organizations in deciding how strategies can be designed to complement each other to improve the cost-effectiveness of security.

Keywords-Information Systems Security; Information Systems Security Strategy; Security Requirements

I. INTRODUCTION

Organizations are becoming increasingly aware that information systems security is an important aspect of their business strategy and needs to be treated as a business problem rather than a purely technical one. While many organizations have now deployed ‘baseline’ security measures [1], they often realize that the number of security incidents they experience is not necessarily decreasing.

Most organizations are currently applying a range of security countermeasures, policies, procedures, and guidelines to protect their own organization. Recent surveys report that over 97% of the users of various organizations have installed anti-virus software, and more than 80% are using firewalls [2, 3]. According to the same survey, over 60% of users employ intrusion detection systems, encryption mechanisms, anti-spyware software, and patch management systems. Despite these measures, reports also point out that organizations have experienced (targeted) attacks continuously and that threats are increasing, and security is getting harder to manage [2-4].

Information systems security (ISS) in the real world is believed to have a high tendency of failure when approached from a technology-centric perspective [5, 6], and is strongly influenced by organizational imperatives and constraints within which security measures have to be implemented [7]. Hence, it is generally accepted that shifting the balance of information security from a technology-centered approach to an organizational one is needed to drive improvement of ISS [6, 8]. This increasingly leads us to believe that information security is a management problem not a technical problem [9-11].

However, lack of guidance on a new management approach to information security means organizations are still relying on traditional security technologies (this continuing trend may explain why current research in ISS is still concentrated on traditional technologies). While security concern within organizations is beginning to shift from technology-only to social and organizational aspects [12], the large cost of these traditional technologies, in particular their large maintenance cost, has made it difficult to shift the perception that security funding is an expense rather than an investment.

In this climate, security experts and practitioners point out that organizations must employ strategies to direct their security efforts and optimize limited resources [13-15]. Unfortunately, current guidelines on information security, such as current security standards and the extensive repository of U.S. Government guidelines in NIST's Computer Security Resource Centre, concentrate on risks and security controls and offer little assistance on how to prioritize security expenditure or on deciding what business security strategies to apply [16].

978-1-4244-5943-8/10/$26.00 ©2010 IEEE


This paper reports on our research in progress regarding the use of security strategies in organizations. We discuss what types of strategies can be applied in an organizational context and what factors influence their effective implementation. Our aim is to develop an architecture that assists organizations in deciding how strategies can be designed to complement each other to improve the cost-effectiveness of security. One proposal for such an architecture of strategies can be found in a recent paper on Ubiquitous Information Security [17]. The author of this paper proposes an agile approach to information security and identifies a small set of strategies that work well together to create an agile security posture. The lack of a comprehensive framework of factors for assessing the implementation of such an architecture of strategies, however, has made it difficult to further extend this initial approach to agile security.

There is at least one study by Straub et al. [18, 19] that provides some empirical proof that strategies contribute to improvement of security in organizations. Also, there is at least one author, Alberts [20], who points out that devising strategies has priority over developing security measures. Straub [18] and Kankanhalli, Teo, Tan, and Wei [21] have discussed the common use of deterrence and prevention together, while Tirenin and Faatz [13] introduced several strategies such as Defense-in-Depth, deterrence, and deception that can be designed for cyberspace by borrowing basic concepts from traditional war strategies. In addition, Park & Ruighaver [22] have identified information systems security strategies in the literature and proposed a preliminary framework for classifying them. Torres, Sarriegi, Santos, and Serrano [23] have identified several critical success factors. However, there is not much literature on factors (or other aspects) that influence the effectiveness of strategies working together in an organizational context.

To identify potential factors that influence the successful implementation of strategies we first identified as many factors as possible that have some influence on the implementation of security in organizations. To this end, we concentrated on papers that discuss information systems security from the management perspective. Torres, Sarriegi, Santos, and Serrano [23], as mentioned before, used a modified Reason’s Swiss Cheese Model to identify 12 factors (infosec awareness, management commitment, staff competence, IS security architecture, business connections, IS security strategy, dynamic evaluation of infosec effectiveness, risk assessment, infosec integration, law enforcement & compliance, project accomplishment, security budget) and 76 indicators. In another paper, Wood [24] identified 14 factors (responsibility for systems security, parties involved and their roles, primary groups responsible, reporting relationship, alternatives for smaller organizations, independence, level in management hierarchy, assigning systems security responsibilities, source and level of financial support, management’s personal liability, assigning responsibility, providing proper feedback, highlighting the incomplete or exposed, quantitative risk analysis) in terms of organizational structure and raising the level of management awareness for information systems security management. Finally, Kankanhalli, Teo, Tan, and Wei [21] have identified 7 other factors (industry size, top management support, industry type, human, financial resource, fund, organizational innovations) that influence the implementation of information systems security. Obviously, not all the factors mentioned in these papers will be useful for our research.

In the remainder of this paper, we discuss the approach used in the first stages of our research in the development of an architecture of security strategies, i.e., which strategies are used where and how they will work together. In particular, our current research aims to develop a scheme for identifying factors that influence the choice of strategies for this security architecture. To limit the scope of our research we are concentrating on an architecture suitable for medium sized organizations. Limiting the scope of this research to medium sized organizations was necessary to ensure that our research has enough context to form a viable research project: medium sized organizations are expected to have a reasonable budget for information security, but their security policies and architectures, in general, tend not to be extensive. As an analogy, if one needs to discuss the general architecture for a house, it will be useful to first consider whether one is developing a house for a single person, a normal family or a millionaire. The priorities will be very different in each case, but it will not be difficult to identify what makes a good architecture for each of these situations.

The next section presents our preliminary scheme for identification of factors, framework for classifying them, and some of the initial results from our conceptual research in this area. We then discuss our future research and the use of a focus group to further prioritize the factors and identify any factors we may have missed.

II. RESEARCH APPROACH

We developed the research approach presented in Figure 1 in order to identify factors that might influence the successful implementation of ISS strategy in organizations.

Figure 1. Research Approach for Identifying Factors Influencing the Implementation of ISS Strategy

This approach is composed of 3 phases. In the first phase, we identified as many factors as possible from the literature and then put them into the pool. We reviewed factors from the viewpoint of implementation of enterprise information systems architecture. We used Zachman’s perspectives framework [25], the most well-known organizational representation of enterprise architecture, for our purpose. This phase was necessary because the extracted factors are going to be used for building an architecture of ISS strategies, which implies that they need to be examined from organizational, architectural, and information systems standpoints. In addition, this phase offered an opportunity to identify new factors missed in the literature review. The third phase has been to classify these filtered factors into the framework of factors discussed below.

III. FRAMEWORK FOR CLASSIFYING THE FACTORS

An initial examination of factors found in our literature review reveals that the factors can be grouped based on their features and roles. Factors influencing the selection of appropriate strategy for successful implementation of ISS strategies in organizations can be categorized from six perspectives:

• Economical factors (or financial factors) are known as one of the critical factors in implementing information security in organizations;

• Organizational factors take the contextual view into account. They typically handle organizational decisions such as defining the objective and goal of employing the strategies, determining the direction and scope of utilizing them, and deciding the degree of effectiveness to achieve;

• Structural factors deal with design of the architecture of ISS strategies - a blueprint. Details include how many strategies will be employed, how to divide and unite strategies, where to locate the designated one, and what the relationship among existing IT infrastructures, strategies and the new architecture is;

• Operational factors are associated with the functions and actions of each strategy and combination of them;

• Technological factors reflect technical considerations for realizing the conceived architecture. The architect needs to check how to assure seamless flow of data, what the technical constraints are, and how each stand-alone strategy can be combined with the others; and finally,

• Environmental factors include considerations from surrounding circumstances such as extension of business concerns and emergence of new threats.

Note that the current framework does not yet help us to rank the factors in order to determine which factors are more important in particular types of organizations or particular security environments. We expect to accomplish this through the use of focus groups in the next phase of our research.

IV. FACTORS INFLUENCING THE SELECTION OF INFORMATION SECURITY STRATEGY

A. Economic Factors and Requirements

1) Cost: Strategies have to be cost-effective in order to be employed in organizations. Financial resources have always been one of the critical factors in implementing an information system [7, 26]. This is certainly true of information systems security [16, 27, 28]. Torres, Sarriegi, Santos, and Serrano [23] identified budget as a success factor for information systems security. While some organizations have been changing their attitude on funding for security from “expense” to “investment” [29], the cost of maintaining security is currently still a problem and this obstructs further investment. The cost of implementing a strategy can include the cost of the acquisition of security applications, the installation (including configuration), operation and maintenance, administration (including upgrading) and recovery from any incidents [30, 31].

2) Time: For a security strategy to be effective, timing of the implementation is critical [30, 32]. Current security planning in organizations is often long-term. Unfortunately, information security threats and attacks are changing rapidly in accordance with the swift change of the information security environment, such as information technology, security countermeasures, and security vulnerabilities. Security has become a time-critical issue in this rapidly changing environment. Ruighaver, Warren, and Ahmad [33] suggest that strategies need to encourage a more agile approach to information security, with small short-time security projects that provide immediate benefits to the organization. In addition to these issues, the time required for training the security personnel is also a time-related consideration.

B. Organizational factors and Requirements

1) Alignment: In order to successfully and effectively implement information security strategies, organizations have to support enterprise objectives and comply with business and information systems strategies. Organizational context has a strong relation to ISS strategies. Goodhue & Straub [34] and Kankanhalli, Teo, Tan, and Wei [21] discovered that the type of industry is related to concern, effort and investment of information security. The role and use of information security requirements are different from industry to industry [21]. Successful implementation of strategies has to contribute to the achievement of objective(s) of the organization. ISS strategies also need to be aligned to organizational IT directions, which is the target as well as the base on which the strategies are to be built at the same time.

2) Balance: When considering the employment of strategies in organizations, these strategies have to be balanced in three ways. First, there has to be a balance in the functionality of the types of strategies used. For example, to ensure that organizations react to the circumvention of preventive controls, prevention must be complemented with detection [17]. Similarly, proactive strategies are recommended to be employed together with reactive ones even though details of them have to be determined according to the situation and threats the organization is facing. Second, the extent to which strategies are applied in the organization has to be balanced as well. If the organization applies one strategy strictly which results in a high level of security (for that strategy) then a lack of enforcement of another strategy might lower the security level significantly. This does not mean that the numbers of the countermeasures have to be the same for every part of the organization or they have to be positioned at the same location such as at every corner of every floor. Strategies have to be implemented in a logically balanced manner according to their function and purpose on the one hand, and according to the criticality and value of the assets on the other. Finally, organizations need to balance security and business [35]. There must be trade-offs between protection and productivity when security is concerned. Too much emphasis on security may inconvenience the employees in doing their jobs and cause loss of business performance or opportunity. On the other hand, less emphasis on security may elevate the business risks by causing leakage of important information on customers, contracts, and business strategies, and depreciating business competence as a result.

3) Effectiveness: Strategies have to be chosen according to how effective they are against specific threats and attacks. Once a strategy is employed, the organization has to see positive outcomes such as an increase in blocking or detection of unauthorized access attempts, better detection of intrusion attempts, expansion of protection coverage, and/or elimination of previous blind spots. They must aim to contain incidents both partially and fully, minimize the potential for damage and use the environment to maximize their defensive strengths whilst minimizing advantages to potential attackers [36].

C. Structural factors and Requirements

1) Multiplicity: Organizations, for the sake of productivity, are forced to extend their information systems and adopt more information technologies than ever before. As a result their information systems have become more complex. In this environment, a single strategy is likely to be insufficient on its own in defending an organization’s information infrastructure. Therefore, multiple strategies need to be used together for effective defense [24, 37]. This is especially the case in an age where attack skills and techniques are developing rapidly, and threats are emerging as a form of zero-day attack. As previously mentioned, organizations may need to consider a deterrence strategy and prevention strategy at the same time. Further, individual prevention strategies such as authoritative controls, screening, zoning, and patch and update need to be employed for their own purposes respectively.

2) Modularity: Considering that implementing more than one strategy is inevitable, it would be useful if each strategy could be designed, acted upon, and treated as a building block to improve the scalability of an organization’s strategy architecture. That will allow individual strategies to be added, substituted, or eliminated, for enterprise or security reasons. In any case, strategy needs to be modularized and this will support the dynamic nature and agility as well as ease of implementation. To be modular, the philosophy, objective, protection target, function, and basic mechanism of the strategy have to be simple and clear.

3) Coupling: Multiple use of strategies implies that cooperation among them is necessary in terms of sharing of objectives and goals, of data used for defensive measures and status indication, and of roles and responsibilities. Combined use of strategies may often be useful to enhance security by removing blind spots and covering the gaps that can emerge when each strategy is used individually [18, 19, 32, 38]. For example, a vulnerability scanning strategy and an update and patch strategy can be used together to reduce vulnerabilities in systems. Once the scanner has found some vulnerabilities in a system as a result of applying the vulnerability scanning strategy, an update and patch cycle can be launched in order to install security update(s) of the operating system aiming at patching the vulnerabilities. Then, the scanning strategy can be applied again to test for new vulnerabilities. This scan-update cycle can be continued until the scanning strategy finds that there are no known vulnerabilities at that time. When new strategies are added to an existing set of strategies, the later ones need to be checked for their coupling with the existing ones, as well as with information systems, in terms of interoperability and integration with established intention(s) and objectives. They also need to be integrated with existing information systems and security countermeasures/strategies.

D. Operational factors and Requirements

1) Dynamic Nature and Agility: As previously discussed, the current attack and defence situation has been changing rapidly. Information technology and software are getting more complex and changing rapidly as well. As a result, security countermeasures need to be coupled tightly with new technologies and require continuous updating. Furthermore, attacks and threats are also evolving, trying to circumvent existing countermeasures. As threat strategy, tool, technology, and technique change, security strategies for countering them need to be updated as well. Hence, strategies need to support a dynamic security posture to enable the organization to take swift action in accordance with the change of situation [13, 39].

E. Technological factors and Requirements

1) Ease of Implementation: It is important that the implementation of a strategy can be achieved with relative ease [36]. Even if the strategy that offers the best protection was identified, it is certain that lesser strategies would be favoured if the implementation of the better strategy is too hard. Implementation of strategy here includes all the relevant requirements that could make the strategy work and be effective as intended which include installation, (re)configuration, operation, administration of countermeasures, education and training of security personnel and users, change of guidelines and manuals, and alteration of business and security procedures. Any employment of a security strategy will inevitably also affect the surrounding environment. Consequently, the ease of implementation will need to be considered from two aspects: the strategy itself and its impact on the environment. Additionally, the implementation has to be easy to understand as well.


F. Environmental factors and Requirements

1) Situation Change and Speed of Change: As mentioned above, the security situation is continuously changing. Threat and attack targets, tools, techniques, mechanisms, strategies and tactics always change and evolve. Attacks are becoming more sophisticated and intelligent every day. Accordingly, security strategies and countermeasures have to be able to adapt as well. The IT environment also changes as organizations accept new technologies and software, update old systems, and extend system/network capability and bandwidth to increase their productivity and profit. This also affects the security as more potential targets for attack become available and previously unknown or unpresented vulnerabilities are revealed. With respect to the business, future changes of enterprise objective and focus, reorganization of internal structure, and external competitive relationship also need to be considered in the selection of security strategies.

V. CONCLUSION

In the current security environment it has become almost impossible to offer absolute protection to information systems in organizations. Therefore, security will always be a work in progress. Currently one of the biggest obstacles organizations encounter in their pursuit of practical and better security is a lack of a strategic approach to security. Security strategies are especially important as organizational security currently is limited by available security resources, such as information security experts, funds, and technology. As human beings have experienced during centuries of warfare, strategy helps an army to gain a victory over its adversaries, letting it overcome the shortage of technologies, numbers, arms, equipment, support, etc. Information security is no exception.

The growing complexity of information security means that a simple application of one or two strategies will not be viable. Hence, to encourage the use of strategies in organizational information security, we are developing an architecture of security strategies, which will help an organization in selecting strategies based on their needs.

This study identifies factors that influence the selection and implementation of strategies for an architecture of security strategies, and discusses the classification of these factors. We developed a framework from Zachman’s well-known organizational representation of enterprise architectures then classified our factors into six categories using this framework. The contributions of this study are development of a theoretical framework to categorize influencing factors and their identification.

For further development of the current framework, we are planning to refine and prioritize the identified factors using a focus group. The next step after the focus group will be to use these factors in the design of an initial simple architecture of strategies for medium sized organizations.

REFERENCES

[1] M. Gerber, and R. v. Solms, “From Risk Analysis to Security Requirements,” Computers & Security, vol. 20, no. 7, pp. 577-584, 2001.

[2] R. Richardson, 2008 CSI Computer Crime & Security Survey, Computer Security Institute, 2008.

[3] FSB, Inhibiting Enterprise: Fraud and Online Crime Against Small Business, Federation of Small Businesses, 2009.

[4] Symantec, Managed Security in the Enterprise (U.S. Enterprise), Symantec, 2009.

[5] R. Anderson, "Why Information Security is Hard - An Economic Perspective," in 17th Annual Computer Security Applications Conference (ACSAC), pp. 358-365, 2001.

[6] R. A. Caralli, Managing for Enterprise Security, Technical Note CMU/SEI-2004-TN-046, Carnegie-Mellon University, 2004.

[7] P. Ein-Dor, and E. Segev, “Organizational Context and the Success of Management Information Systems,” Management Science, vol. 24, no. 10, pp. 1064-1077, Jun., 1978.

[8] G. Dhillon, and J. Backhouse, “Current Directions in IS Security Research: Towards Socio-Organizational Perspectives,” Information Systems Journal, vol. 11, pp. 127-153, 2001.

[9] J. Nolan, and M. Levesque, “Hacking Human: Data-Archaeology and Surveillance in Social Networks,” ACM SIGGROUP Bulletin, vol. 25, no. 2, pp. 33-37, 2005.

[10] L. A. Gordon, M. P. Loeb, W. Lucyshyn et al., 2006 CSI/FBI Computer Crime and Security Survey, Computer Security Institute, 2006.

[11] A. B. Ruighaver, S. B. Maynard, and S. Chang, “Organisational Security Culture: Extending the End-user Perspective,” Computers & Security, vol. 26, pp. 56-62, 2007.

[12] B. v. Solms, “Information Security- The Fourth Wave,” Computers & Security, vol. 25, pp. 165-168, 2006.

[13] W. Tirenin, and D. Faatz, "A Concept for Strategic Cyber Defense," in MILCOM '99, pp. 458-463, 1999.

[14] S. Edwards, and M. C. Willimas, "The Need for In-Depth Cyber Defence Programmes in Business Information Warfare Environments," in 2nd Australian Information Warfare and Security Conf. 2001, pp. 56-63, 2001.

[15] O. S. Saydjari, “Cyber Defense: Art to Science,” Communications of the ACM, vol. 47, no. 3, pp. 53-57, Mar., 2004.

[16] E. E. Anderson, and J. Choobineh, “Enterprise Information Security Strategies,” Computers & Security, vol. 27, pp. 22-29, 2008.

[17] A.B. Ruighaver, “Organisational Security Requirements: An agile approach to Ubiquitous Information Security”, in 6th Australian Security management Conference, Perth, Australia, 2008.

[18] D. W. Straub, “Effective IS Security: An Empirical Study,” Information Systems Research, vol. 1, no. 3, pp. 255-276, 1990.

[19] D. W. Straub, and R. J. Welke, “Coping with Systems Risk: Security Planning Models for Management Decision Making,” MIS Quarterly, vol. 22, no. 4, pp. 441-469, Dec., 1998.

[20] D. S. Alberts, Defensive Information Warfare: NDU Press Book, National Defense University, 1996.

[21] A. Kankanhalli, H.-H. Teo, B. C. Y. Tan et al., “An Integrative Study of Information Systems Security Effectiveness,” International Journal of Information Management, vol. 23, pp. 139-154, 2003.

[22] S. Park, and T. Ruighaver, "Strategic Approach to Information Security in Organizations," in 2008 IEEE International Conference on Information Science and Security (ICISS 2008), Seoul, Korea, pp. 26-31, 2008.

[23] J. M. Torres, J. M. Sarriegi, J. Santos et al., "Managing Information Systems Security: Critical Success Factors and Indicators to Measure Effectiveness," in ISC 2006, pp. 530-545, 2006.

[24] C. C. Wood, “Information Systems Security: Management Success Factors,” Computers & Security, vol. 6, pp. 314-320, 1987.

[25] J. A. Zachman, “A Framework for Information Systems Architecture,” IBM Systems Journal, Reprint of Vol. 26, No. 3, 1987, vol. 38, no. 2&3, pp. 454-470, 1999.

[26] L. Raymond, “Organizational Context and Information Systems Success: A Contingency Approach,” Journal of Management Information Systems, vol. 6, no. 4, pp. 5-20, 1990.


[27] L. A. Gordon, and M. P. Loeb, “Budgeting Process for Information Security Expenditures,” Communications of the ACM, vol. 49, no. 1, pp. 121-125, 2006.

[28] N. Sklovos, and P. Souros, “Economic Models and Approaches in Information Security for Computer Networks,” International Journal of Network Security, vol. 2, no. 1, pp. 243-256, 2006.

[29] R. A. Caralli, The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management, CMU/SEI-2004-TR-010, ESC-TR-2004-010, Carnegie Mellon University, Pittsburgh, PA, 2004.

[30] J. T. Hamill, R. F. Deckro, and J. M. Kloeber-Jr., “Evaluating Information Assurance Strategies,” Decision Support Systems, vol. 39, pp. 463-484, 2005.

[31] J. Sherwood, “SALSA: A Method for Developing the Enterprise Security Architecture and Strategy,” Computers & Security, vol. 15, pp. 501-506, 1996.

[32] T. Grance, K. Kent, and B. Kim, Computer Security Incident Handling Guide, 800-61, National Institute of Standards and Technology, 2004.

[33] A. B. Ruighaver, M. Warren, and A. Ahmad, “The Ascent of Asymmetric Risk in Information Security: An Initial Evaluation,” in 10th Australian Information Warfare & Security Conference, Perth, Australia, 2009.

[34] D. L. Goodhue, and D. W. Straub, “Security Concerns of System Users: A Study of Perceptions of the Adequacy of Security,” Information & Management, vol. 20, no. 1, pp. 13-27, Jan., 1991.

[35] S. Olmstead, and A. Siraj, “Cyberterrorism: The Threat of Virtual Warfare,” The Journal of Defense Software Engineering, no. Nov./Dec., pp. 16-18, 2009.

[36] A. Ahmad, “Tactical Analysis of Attack in Physical and Digital Security Incidents: Towards a Model of Asymmetry,” in 10th Australian Information Warfare & Security Conference, Perth, Australia, 2009.

[37] S. Liu, J. Sullivan, and J. Ormaner, “A Practical Approach to Enterprise IT Security,” IEEE IT Professional, vol. 3, no. 5, pp. 35-42, Sep./Oct., 2001.

[38] D. Reiter, “Military Strategy and the Outbreak of International Conflict: Quantitative Empirical Tests, 1903-1992,” The Journal of Conflict Resolution, vol. 43, no. 3, pp. 366-387, Jun., 1999.

[39] J. S. Nye-Jr., “Soft Power,” Foreign Policy, no. 80, Twentieth Anniversary, pp. 153-171, Aut., 1990.