Information Security

Table of Contents

Part B

Academic Question

Aims

Objectives

Part C

Introduction

Literature Review

Part D

Project Progress

Planned Progress

Part E

Part B

Academic Question

What is the perception of risk and the strategic impact of existing IT on information security strategy?

Aims

The aim of this research, therefore, is to explore the following three issues:

AIM 1: How do boards perceive information security risk?

AIM 2: What are the roles and responsibilities of the Board of Directors regarding information security?

AIM 3: How do these roles and responsibilities relate to other areas of the organisation?

Objectives

Information security is becoming increasingly important as organisations are endangered by a variety of threats from both their internal and external environments. Many theorists now advocate that effective security policies should be created at senior management level. This is because executives are able to evaluate the organisation using a holistic approach and have the power to ensure that new systems and procedures are implemented in a timely manner. There is, however, a continuing lack of understanding regarding the strategic importance of managing information security. In addition, there is a gap in the literature on the relationship between directors and information security strategy. This paper attempts to close this gap by exploring how directors perceive their organisation's security and what factors influence their decisions on the development and implementation of information security strategy. The research is based on constructivist grounded theory. Forty-three interviews were conducted at executive level in 29 organisations. These interviews were then coded and analysed in order to develop new theory on directors' perception of risk and its effect on the development and implementation of information security strategy.

Part C

Introduction

Information security has become an increasingly important factor for many organisations. Over the past decade, there has been a rapid diffusion of electronic commerce and a rising number of interconnected networks, resulting in an escalation of security threats. In addition, many organisations today see information as an important asset and therefore it is essential that the confidentiality, integrity and availability of this resource are kept intact. Thus, due to the growing risk and value of information, there has been a call for greater responsibility to be undertaken by the board of directors regarding information security issues. Indeed, if the firm has not exercised due diligence in protecting its information assets, it will encounter significant corporate, and possibly personal, liability.

Unfortunately, research has shown there is still too often a lack of understanding of the strategic importance of managing information security. Over half the companies that they surveyed devolved information security to lower levels, normally to functions or departments with a technical orientation. The roles and responsibilities of board members and senior executives for information security have received little attention in the academic literature to date. Consequently, the purpose of this paper is to investigate the actions undertaken by directors and senior executives that pertain to their organisation's information security. In addition, the paper aims to explore how boards perceive information security and how this perception influences their own actions as well as the development, adoption and ...