Source: pacis-net.org, pp. 2044-2050

Security in Modern Business: Loopholes of Current Information Security Practices

Daniel W K Tse

Department of Information Systems City University of Hong Kong

[email protected]

Abstract

Recent computer-crime statistics and the vulnerable nature of business information show that there are problems in current information security practices. Everyone knows or has heard that IT can bring much benefit to an organization, but may not know where and how to deploy it. ‘What are the loopholes, and what is their nature?’ are the research questions I seek to answer in this paper. I used a questionnaire survey to obtain current security practices, measured them against the expected security policies to ascertain the width of the security gap, and tested whether groups of respondents differed significantly in their security practice attitudes. Finally, I conducted a focus-group discussion to explore the nature of the problems. Owing to space limitations, further details of the data analysis can be furnished only upon request.

Keywords: Security practices, Security loopholes, Security attitudes

1. Introduction

Information, by nature, is a virtual object that can easily be copied, modified, destroyed, and ‘touched’. Because of its fluidity, size, logical access, easy replication, dependence on data communication protocols, volatility, downsizing, and changes of form, computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant business and financial losses. In the electronic business world, moreover, computers are networked, which complicates the situation further: the networked organization (TNO) eases the transmission of information but at the same time exposes business information to new vulnerabilities and threats. Thus there are loopholes in current information security.

2. Methodology

Two methods were used to conduct this research: a questionnaire and focus-group discussions. The questionnaire obtained general representations of current information security practices and the focus-group discussions explored the nature of the worst practice problems.

2.1 Survey Questionnaire

The assessment of security practices is usually determined by audit results of conformance to security policies (Weber 1999). This questionnaire, based on the security policies used by most practitioners, therefore consisted of twelve sections: ‘General Policy’, ‘Physical Security’, ‘Access Control Security’, ‘Data Security’, ‘Application Security’, ‘Network and Communication Security’, ‘Security Risk Assessment and Auditing’, ‘Security Incident Management’, ‘Recovery and Contingency Plan’, ‘Personal Profile’, ‘Company Profile’, and ‘Information Technology Profile’. The first nine sections used Likert-scale questions and the last three used short questions. In the first nine sections each question had seven possible responses, coded as follows: ‘1: Never’, ‘2: Seldom’, ‘3: Sometimes’, ‘4: Often’, ‘5: Always’, ‘IR: Irrelevant’ and ‘DK: Don’t Know’. The responses ‘1: Never’ to ‘5: Always’ form a Likert scale measuring the degree of practice; ‘IR’ and ‘DK’ lie outside that scale.

2.2 Focus-Group Discussion

The questionnaire survey showed the current status of industry practice, but it could not give the reasons for that practice. Through focus-group discussions the nature of the problems could be explored, so that prescriptions can be devised in future research.

3. Analysis of Questionnaire Survey Data

3.1 Research Questions

Tests were conducted to ascertain whether responses differed with respect to the following independent variables:

J6: Respondent’s personal profile: ‘Corporate Management’, ‘IT Management’, or ‘End-User’
K3: Company industry classification: ‘Trading’, ‘Manufacturing’, ‘Services’, ‘Financial’, ‘Education’, or ‘Government’
K8: Whether the organization is e-business ready or not
L7: Whether its IT is Internet-enabled or not
L9: Reason for not having a security policy or seeing it as irrelevant: ‘No money’, ‘Low priority’, ‘No knowledge’, ‘No concern’, or ‘No tangible benefits’

3.2 Reliability Analysis Using Cronbach’s Alpha Values

Tests were conducted on each data section and on the overall set of items. All alpha values exceeded 0.7; in other words, the survey items had high internal consistency.

3.3 Factor Analysis

Factor analysis (Principal Component Analysis with Varimax rotation) was used to reduce the numerous data items. The number of dependent variables was reduced from 78 to 20. As the loadings of all retained items on their components exceeded 0.3 in absolute value, the selected members of each component had high validity.

3.4 One-way ANOVA

This test was applied to the following independent variables:

J6: Respondent’s personal profile: ‘Corporate Management’, ‘IT Management’, or ‘End-User’
K3: Company industry classification: ‘Trading’, ‘Manufacturing’, ‘Services’, ‘Financial’, ‘Education’, or ‘Government’
L9: Reason for not having a security policy or seeing it as irrelevant: ‘No money’, ‘Low priority’, ‘No knowledge’, ‘No concern’, or ‘No tangible benefits’

For J6, the significance of BB (Physical Security), EA (Application Security), GA (Security Risk Assessment and Auditing) and HA (Security Incident Management) was less than 0.05, i.e. significant at the 95% level. In the Scheffé post hoc test, the groups differed significantly at the 95% level.

For K3, the significance of BA (Physical Security), BB (Physical Security), CB (Access Control Security), CD (Access Control Security), DC (Data Security), HA (Security Incident Management), and IA (Recovery and Contingency Plan) was less than 0.05, i.e. significant at the 95% level. In the Scheffé post hoc test, the groups differed significantly at the 95% level.

For L9, the significance of AA (General Policy), BB (Physical Security), CA (Access Control Security), CB (Access Control Security), CE (Access Control Security), DB (Data Security), EA (Application Security), FA (Network and Communication Security), FE (Network and Communication Security), GA (Security Risk Assessment and Auditing), and HA (Security Incident Management) was less than 0.05, i.e. significant at the 95% level. In the Scheffé post hoc test, the groups differed significantly at the 95% level.

3.5 Independent t-test

This test was applied to the following independent variables:

K8: Whether the organization is e-business ready or not
L7: Whether its IT is Internet-enabled or not

For K8, the significance of AA (General Policy), BA (Physical Security), BB (Physical Security), CA (Access Control Security), CB (Access Control Security), CC (Access Control Security), CD (Access Control Security), DA (Data Security), DB (Data Security), DC (Data Security), EA (Application Security), FA (Network and Communication Security), GA (Security Risk Assessment and Auditing) and HA (Security Incident Management) was less than 0.05, i.e. significant at the 95% level.

For L7, the significance of DA (Data Security) was less than 0.05, i.e. significant at the 95% level.

3.6 Conclusion

There were significant differences in the ‘Application Security’ and ‘Security Risk Assessment and Auditing’ aspects according to the respondent’s profile. This implied that different positions inside an organization would foster different attitudes toward these two aspects of security practice.

There were significant differences in the ‘Physical Security’, ‘Access Control Security’, and ‘Recovery and Contingency Plan’ aspects with respect to industry classification. This implied that different industry sectors would foster different attitudes towards these three aspects of security practice.

There were significant differences in the ‘General Policy’, ‘Access Control Security’, ‘Application Security’, ‘Network and Communication Security’ and ‘Security Incident Management’ aspects according to the reason given for not having a security policy (L9). This implied that the different negative attitudes behind that choice go with different practice in these five aspects.

There were significant differences in the ‘General Policy’, ‘Physical Security’, ‘Access Control Security’, ‘Data Security’, ‘Application Security’, ‘Network and Communication Security’, ‘Security Risk Assessment and Auditing’ and ‘Security Incident Management’ aspects in terms of organizational readiness for e-business. This implied that whether or not an organization was ready for e-business would affect attitudes toward nearly all aspects of security practice.


There were significant differences in the ‘Data Security’ aspect in terms of Internet-enabled status. This implied that whether an organization’s IT infrastructure was Internet-enabled would affect attitudes toward this aspect of security practice.

4. Evaluation of Questionnaire Survey Results

A response of ‘5: Always’ to a question indicated that best security practice was in use. However, maintaining such a high degree of best practice requires more resources than most SMEs in Hong Kong can afford. Hence, to strike a balance between protection cost and vulnerability risk, a practice level of ‘3: Sometimes’ or ‘4: Often’ should be acceptable to business organizations that do not depend much on information networks. As a result, ‘1: Never’ and ‘2: Seldom’ practices are highlighted as the worst cases in the following analyses.

The percentage distribution of these two responses is summarized in Figure 1.

[Figure 1 (bar chart): Frequency Distribution of Response Types “Never” & “Seldom”. Horizontal axis (Response Types): General Policy, Physical Security, Access Control Security, Data Security, Application Security, Network & Comm Security, Security Risk Assess & Audit, Security Incident Mgt, Recovery & Contingency Plan. Vertical axis: % of Responses, 0 to 25. Two series, Never and Seldom; the plotted values lie between 8% and 20%.]

Figure 1 - Frequency Distribution of Response Types “Never” & “Seldom”

Business information security was very vulnerable, especially (using the highest percentages of ‘1: Never’ responses) in the areas of ‘Recovery and Contingency Plan’, ‘Network and Communication Security’, and ‘Access Control Security’.

In addition to this measurement, the skew of the percentage distribution toward the worst-practice tail also revealed very important vulnerabilities in particular aspects. These include questions A6, C5, C14, F4, F8, and I2, whose distributions are skewed toward the ‘1: Never’ response, the worst practice. ‘Why do they behave like that?’ and ‘What is the nature of their problems?’ are the further research questions discussed in the next section.
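As an added illustration of the scoring described in Sections 2.1, 3.2 and 4 (example code written for this edition, not part of the original paper and not the author's own analysis), the following Python computes, from a small constructed set of responses, Cronbach's alpha per section on complete cases, the share of ‘1: Never’ and ‘2: Seldom’ answers per section, and the questions whose answers pile up on the ‘Never’ tail. The section names and question codes mirror the paper's naming; the respondents, their answers and the treatment of ‘IR’/‘DK’ as missing values are assumptions of the example.

```python
"""Scoring a seven-code security-practice survey (constructed example).

Codes follow the paper: '1'..'5' = Never..Always on the Likert scale,
'IR' = Irrelevant and 'DK' = Don't Know. IR/DK say nothing about how often
a practice is performed, so they are treated as missing rather than as 0.
"""
from collections import Counter
from statistics import variance

# Constructed sample: five respondents, six questions from two sections.
# Question codes mirror the paper's naming (C5, C14, I2 ...); the answers
# are illustrative and are not the paper's data.
SECTIONS = {
    "Access Control Security": ["C5", "C14", "C3"],
    "Recovery and Contingency Plan": ["I1", "I2", "I3"],
}
RESPONSES = [
    {"C5": "1", "C14": "1", "C3": "2", "I1": "3", "I2": "1", "I3": "2"},
    {"C5": "2", "C14": "2", "C3": "3", "I1": "4", "I2": "1", "I3": "DK"},
    {"C5": "4", "C14": "4", "C3": "5", "I1": "2", "I2": "2", "I3": "3"},
    {"C5": "IR", "C14": "1", "C3": "2", "I1": "3", "I2": "1", "I3": "3"},
    {"C5": "1", "C14": "3", "C3": "2", "I1": "5", "I2": "4", "I3": "4"},
]
NEVER, SELDOM = 1, 2


def to_scale(code):
    """Map a response code to its 1..5 scale value; IR/DK (or no answer) -> None."""
    return int(code) if code in {"1", "2", "3", "4", "5"} else None


def cronbach_alpha(question_ids, responses):
    """Cronbach's alpha for one section, computed on complete cases only:
    alpha = k/(k-1) * (1 - sum(item variances) / variance of item totals)."""
    rows = []
    for r in responses:
        vals = [to_scale(r.get(q)) for q in question_ids]
        if None not in vals:          # drop respondents with IR/DK on any item
            rows.append(vals)
    k = len(question_ids)
    item_vars = [variance([row[i] for row in rows]) for i in range(k)]
    total_var = variance([sum(row) for row in rows])
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def worst_practice_share(question_ids, responses):
    """Percentage of valid scale answers in a section that are Never or Seldom
    (the two response types plotted in Figure 1)."""
    counts = Counter()
    for r in responses:
        for q in question_ids:
            v = to_scale(r.get(q))
            if v is not None:
                counts[v] += 1
    valid = sum(counts.values())
    return {
        "never_pct": 100.0 * counts[NEVER] / valid,
        "seldom_pct": 100.0 * counts[SELDOM] / valid,
        "valid_answers": valid,
    }


def never_skewed_questions(question_ids, responses):
    """Questions whose answers pile up on '1: Never', i.e. where Never is the
    strict mode of the valid answers (the worst-practice tail of Section 4)."""
    flagged = []
    for q in question_ids:
        dist = Counter()
        for r in responses:
            v = to_scale(r.get(q))
            if v is not None:
                dist[v] += 1
        others = max((c for v, c in dist.items() if v != NEVER), default=0)
        if dist[NEVER] > others:
            flagged.append(q)
    return flagged


def section_report(sections=SECTIONS, responses=RESPONSES):
    """Per-section alpha and worst-practice shares, plus the Never-skewed questions."""
    report = {}
    for name, qids in sections.items():
        entry = worst_practice_share(qids, responses)
        entry["alpha"] = round(cronbach_alpha(qids, responses), 3)
        report[name] = entry
    all_qids = [q for qids in sections.values() for q in qids]
    report["never_skewed"] = never_skewed_questions(all_qids, responses)
    return report


if __name__ == "__main__":
    for key, value in section_report().items():
        print(f"{key}: {value}")
```

Treating IR and DK as missing rather than as zero matters: coding them as 0 would inflate both the apparent worst-practice share and the item variances that feed alpha. The skew test here is a simple strict-mode rule; any distributional statistic over the 1 to 5 codes would serve the same purpose.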


5. Presentation and Analysis of Focus-Group Results

5.1 “A6: Do staff members who perform security-related tasks directly have their background checked thoroughly before recruitment?”

It was not easy to find qualified personnel in this area, and senior management did not care much about the qualifications that were required in performing these tasks.

5.2 “C5: Are users alerted of their last login date/time when they login each time?”

They commonly used one password even though they were assigned different passwords. They found this common use of password very useful because they did not need to remember so many passwords and they thought that all password users were internal users who were trustworthy.

5.3 “C14: Are users required to change their passwords at least in a set period?”

Some were concerned about whether they could complete a job in time if they could not log in to the system after changing a password. Others said that their objective was to complete their assignments, not to protect their company’s assets; using a single password brought flexibility.
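The two controls behind C5 and C14, as an added example that is not part of the paper and describes no system the author surveyed: a small Python account store that records and returns the previous login's time and origin, and refuses to complete a login once the password is older than a policy period. The 90-day period, the PBKDF2 parameters, the account fields and the sample scenario are all assumptions of the example.

```python
"""Login-time controls for questionnaire items C5 and C14 (constructed example).

C5: tell the user when and from where the account last logged in, so that a
    login they did not perform stands out.
C14: refuse to treat a login as complete once the password is older than
    the policy period, forcing a change first.
The 90-day period and the account store are assumptions; the paper sets no
value and describes no system.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed policy value
PBKDF2_ITERATIONS = 600_000             # assumed work factor for PBKDF2-HMAC-SHA256

PreviousLogin = Tuple[Optional[datetime], Optional[str]]


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime
    last_login_at: Optional[datetime] = None
    last_login_from: Optional[str] = None


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(username: str, password: str, now: datetime) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, _derive(password, salt), password_set_at=now)


def change_password(acct: Account, new_password: str, now: datetime) -> None:
    """New salt and hash; resets the C14 clock."""
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = _derive(new_password, acct.salt)
    acct.password_set_at = now


def login(acct: Account, password: str, source: str, now: datetime):
    """Verify the password and return (status, previous_login).

    status is 'denied', 'ok' or 'change_required'. previous_login is the
    (time, source) of the login before this one, which the caller shows to
    the user (C5). A successful login is recorded even when a password
    change is required, so the next notice still reflects it.
    """
    if not hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
        return "denied", None
    previous: PreviousLogin = (acct.last_login_at, acct.last_login_from)
    acct.last_login_at, acct.last_login_from = now, source
    if now - acct.password_set_at > MAX_PASSWORD_AGE:
        return "change_required", previous   # C14: password older than policy
    return "ok", previous


def last_login_notice(previous: PreviousLogin) -> str:
    """Text shown after login. Only meaningful when the password is not shared:
    with a shared password (the focus-group finding under C5) the previous
    login may legitimately be a colleague's and the notice loses its value."""
    when, source = previous
    if when is None:
        return "First login for this account."
    return f"Last login: {when.isoformat()} from {source}"


def demo():
    """Walk one account through the controls and collect the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = create_account("alice", "correct horse battery", t0)
    outcomes = []
    outcomes.append(login(acct, "wrong guess", "10.0.0.5", t0 + timedelta(days=1))[0])
    status, prev = login(acct, "correct horse battery", "10.0.0.5", t0 + timedelta(days=1))
    outcomes.append((status, last_login_notice(prev)))
    status, prev = login(acct, "correct horse battery", "203.0.113.9", t0 + timedelta(days=100))
    outcomes.append((status, last_login_notice(prev)))
    change_password(acct, "new passphrase for q2", t0 + timedelta(days=100))
    outcomes.append(login(acct, "correct horse battery", "10.0.0.5", t0 + timedelta(days=101))[0])
    status, prev = login(acct, "new passphrase for q2", "10.0.0.5", t0 + timedelta(days=101))
    outcomes.append((status, last_login_notice(prev)))
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The example also makes the focus-group finding concrete: the last-login notice only helps a user spot misuse if the password is theirs alone, and expiry forces a change but does nothing about the single password being handed around afterwards.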

5.4 “F4: Is the blocking of non-business web sites carried out as much as possible?”

Their companies’ network access to the Internet was so free that they could do what they liked. The main reason was to provide flexibility to the staff. Having restrictions on Internet access would hinder work progress.

5.5 “F8: Is the forwarding of electronic mails to any external address allowed without the information owner agreeing in advance or without the information clearly being public in nature?”

They did not do this; instead, they attached a short message at the end of each email alerting the recipient to the confidentiality of the message. Their objective was to complete assignments in time, and they did not care about the origins of information.
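A gateway-side check for the F8 condition, as an added example that is not part of the paper: forwards to addresses outside the organization pass only when the content is marked public or the information owner has pre-approved the recipient for that original message. The internal domain, the X-Classification header, the approval register and both sample messages are constructed for the example.

```python
"""Outbound-forwarding check for questionnaire item F8 (constructed example).

A forward may leave the organization only if the content is marked public
or the information owner has approved each external recipient for that
original message. A confidentiality footer in the body (the focus-group
workaround) is not consulted: it informs the recipient, it does not stop
the disclosure. Internal domain, classification header and approval
register are assumptions, not anything the paper describes.
"""
import textwrap
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}          # assumed
PUBLIC_MARKINGS = {"public"}                 # assumed X-Classification value

# Constructed messages: an unapproved forward of an internal mail to a
# partner, and a forward of content already marked public.
FORWARD_RAW = textwrap.dedent("""\
    From: bob@example.com
    To: partner@other-corp.example
    Cc: dave@example.com
    Subject: Fwd: Q3 pricing sheet
    Message-ID: <fwd-1@example.com>
    X-Classification: internal
    Content-Type: multipart/mixed; boundary="b1"

    --b1
    Content-Type: text/plain

    See attached. This email is confidential and intended only for the addressee.
    --b1
    Content-Type: message/rfc822

    From: carol@example.com
    To: bob@example.com
    Subject: Q3 pricing sheet
    Message-ID: <orig-42@example.com>
    Content-Type: text/plain

    Pricing attached; do not share outside the company.
    --b1--
    """)

PUBLIC_FORWARD_RAW = textwrap.dedent("""\
    From: bob@example.com
    To: press@news.example
    Subject: FW: Press release
    Message-ID: <fwd-2@example.com>
    X-Classification: public
    Content-Type: text/plain

    FYI, already on our website.
    """)


def external_recipients(msg: Message):
    """Recipients (To/Cc/Bcc) whose domain is not an internal one."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted({a.lower() for _, a in getaddresses(headers)
                   if a and a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS})


def is_forward(msg: Message) -> bool:
    subject = (msg.get("Subject") or "").strip().lower()
    if subject.startswith(("fwd:", "fw:")):
        return True
    return any(p.get_content_type() == "message/rfc822" for p in msg.walk())


def original_message_id(msg: Message):
    """Message-ID of the forwarded original: from an embedded message/rfc822
    part if present, otherwise the first entry of the References header."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)
            if inner.get("Message-ID"):
                return inner["Message-ID"].strip()
    refs = (msg.get("References") or "").split()
    return refs[0] if refs else None


def check_forward(raw: str, approvals):
    """Return ('allow' | 'block', reason) for one outbound message.
    approvals: set of (original_message_id, external_address) pairs the
    information owner granted in advance."""
    msg = message_from_string(raw)
    if not is_forward(msg):
        return "allow", "not a forward"
    ext = external_recipients(msg)
    if not ext:
        return "allow", "no external recipients"
    if (msg.get("X-Classification") or "").strip().lower() in PUBLIC_MARKINGS:
        return "allow", "content marked public"
    orig = original_message_id(msg)
    unapproved = [a for a in ext if (orig, a) not in approvals]
    if unapproved:
        return "block", f"no owner approval for {', '.join(unapproved)} (original {orig})"
    return "allow", "owner approved all external recipients"


def describe(raw: str):
    msg = message_from_string(raw)
    return {"forward": is_forward(msg), "external": external_recipients(msg),
            "original_id": original_message_id(msg)}


if __name__ == "__main__":
    print(check_forward(FORWARD_RAW, set()))
    print(check_forward(FORWARD_RAW, {("<orig-42@example.com>", "partner@other-corp.example")}))
    print(check_forward(PUBLIC_FORWARD_RAW, set()))
```

The confidentiality footer that the focus-group participants relied on sits inside the message body and is deliberately ignored here: it asks the recipient to behave, whereas F8 asks for the owner's agreement before the information leaves.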

5.6 “I2: Are periodic rehearsals conducted with users for familiarization and testing of disaster recovery procedures?”

Some said that they did not have such procedures because of high costs or a lack of knowledge. Some who had such procedures said they had never tested them because they had not encountered any problem so far. Others said that their bosses wanted a basic security infrastructure to support the company’s image, but did not want to spare many resources on intangible benefits.

6. Discussion

6.1 Respondents’ Profiles

Different positions inside an organization foster different attitudes toward these two aspects of security practice. IT people would obviously be more aware of the importance of security practices than end-users, and corporate management would not differ from end-users because they usually rely on IT management’s recommendations. ‘Application Security’ is such a big and obvious area that much manpower and technical management attention has been spent on it. ‘Security Risk Assessment and Auditing’ is a high-level management function for which senior management usually depend on IT management, who have higher awareness than end-users.

6.2 Industry Classification

Different industry sectors fostered different attitudes toward these three aspects of security practice. In terms of ‘Physical Security’ concerns about security perimeter protection, the government is a big organization that carefully considers all aspects of physical access, and the financial sector has very important documents that demand careful consideration of physical access. Hence, these two industries have a different degree of security perimeter protection than does the trading sector.

‘Access Control Security’ concerns logical access, so it is very similar to ‘Physical Security’ except that the latter is a physical and the former a logical method of protecting the security perimeter. The ‘Recovery and Contingency Plan’ aspect concerns backup and support for business continuity. As different industries have different survival needs and degrees of dependence on information systems, there are significant differences in these aspects among industries. The trading sector is mainly comprised of SMEs that usually have resource constraints, so it differs in attitude in many ways from other sectors. However, financial and government organizations displayed no better attitudes toward the ‘Access Control Security’ and ‘Recovery and Contingency Plan’ aspects, which is disappointing because it seems they just concentrated on physical security. As the business continuity of the education sector does not depend much on information security, it had poorer attitudes toward the ‘Recovery and Contingency Plan’ aspect than did other sectors.

6.3 Reasons for Worst Security Practices

‘No Concern’ was a common attitude in nearly all aspects, and was a more common response to the question about ‘Access Control Security’ than was ‘Low priority’. In terms of ‘Network and Communication Security’, ‘Low priority’ was a more common attitude than ‘No Tangible Benefits’. Different core reasons would have had different natures: ‘No money’ and ‘No knowledge’ may have meant that the entrepreneurs wanted to protect business information but had insufficient resources to do so; and ‘Low priority’, ‘No concern’, and ‘No tangible benefits’ may have meant that the entrepreneurs did not protect their business information on purpose because they afforded it a low value.

6.4 Organizational Readiness of e-business

Whether or not an organization was ready for e-business fostered different attitudes toward nearly all aspects of security practice. These results seem normal, because readiness for e-business should foster higher awareness of security issues. However, the non-parametric data analysis revealed that all participants used worst practice in all of the areas. Whether or not an organization is e-business ready should not affect its security practice, because insiders cause the majority of security breaches.

6.5 IT Infrastructure Internet-enabled Status

The Internet connectivity status of an organization’s IT infrastructure should seemingly affect attitudes toward data security. However, this was not the case with the participants. In this regard, I suspect that the businesses have not taken special care of security once their IT infrastructure has been Internet-enabled. As in the previous case, Internet connectivity should not affect the commitment to security practice, because insiders cause the majority of security breaches.

7. Conclusion

This research indicates that there is a very wide gap between policy and practice in current business information security. Three parties are responsible for this: businessmen, employees, and the government. Businessmen have the worst security practice and neglect the adverse effects that their selfish actions might have on other parties; some of them are not knowledgeable enough, or do not have enough resources, to follow good security practices. Because of employees’ poor sense of belonging, they choose the benefits of flexibility rather than protecting their organization’s information assets. Moreover, the government has no comprehensive programme with which to educate people about information security, and no law enforcement to support such security. International society is also failing to pressure local businessmen to take up good security practices. As a result, an “I don’t care about what you care about” attitude and the messy phenomenon of business information vulnerability have emerged in the past few years.

8. References

Gill, John & Johnson, Phil 1997, Research Methods for Managers (2nd Edition), Paul Chapman Publishing.
Sharma, Subhash 1996, Applied Multivariate Techniques, John Wiley & Sons.
Weber, Ron 1999, Information Systems Audit and Control, Prentice Hall.
White, Anthony G. 1986, Survey and Questionnaire Design, John & Sons Inc.