MANAGING INFORMATION SECURITY RISK

Managing Information Security Risk



Abstract

With the popularity of electronic commerce, many organizations are facing unprecedented security challenges. Security techniques and management tools have caught a lot of attention from both academia and practitioners. However, there is lacking a theoretical framework for information security management. This paper attempts to integrate security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory in order to build a comprehensive theory of information security management (ISM). This paper suggests that an integrated system theory is useful for understanding information security management, explaining information security management strategies, and predicting management outcomes. This theory may lay a solid theoretical foundation for further empirical research and application.

Table of Content

Chapter One: Introduction4

Chapter Two: Literature Review5

Chapter Three: Methodology8

References9

Chapter One: Introduction

Understanding security risk in management information systems is an important and rapidly evolving topic . In this report we analyze the information risk posed by file sharing. We show that confidential and potentially damaging documents have made their way onto these networks. We also show that attackers actively search P2P networks hoping to find information that they can exploit. First, we describe the P2P security issues, establishing the vulnerabilities these software clients represent. Then we examine the vulnerability, threat, and potential consequences through an analysis of documents we found circulating on these networks. Focusing on the top 30 U.S. banks, we analyze a set of leaked documents collected throughout the supply chain, including suppliers, customers, and the banks themselves.

We also analyze user-issued search information on these same institutions, finding an astonishing number of searches targeted to uncover sensitive documents and data. For our sample of banks, we analyze tens of thousands of relevant searches and documents. We characterize the nature of these searches and files and the underlying drivers of file leakage and movement. We find statistically significant links between leakage, firm employment base, and the number of retail accounts. We also find a link between firm visibility and threat activity. More importantly, we find that the firms experiencing greater leakage also experience increased threat. Finally, we discuss managerial implications and propose a simple benchmarking technique to compare leakages. Our analysis clearly reveals a significant information risk firms and individuals face from P2P file-sharing networks.

Chapter Two: Literature Review

To begin with, information security is open to many definitions. For example, the goal of information security is mainly to detect and prevent the unauthorized acts of computer users (Gollmann, 1999). And the broad objectives of a computer security policy are to ensure the data confidentiality, integrity and availability within information systems (ISO/IEC 17799, 2000; Schultz et al., 2001; Smith, 1989). Information security issues cover information security policy, risk analysis, risk management, contingency planning and disaster recovery (Von Solms et al., 1994). From users' perspective, if software runs smoothly as they expect, the system will be described as “a secure system” (Simson and Gene, 1991). Therefore, information security is defined in this paper as to apply any technical methods and managerial processes on ...