Network Security

Introduction

The process of network security management is necessary for the proper functioning of an organization's computer infrastructure. Network security is implemented specifically to protect this infrastructure from known and unknown risks. Yet no single component of an organization is allowed to function without limitations, such as financial resources and the oversight of management and shareholders. Therefore, network security is usually associated with risk assessment, where network security specialists identify specific risks, the potential impact of these risks, and whether the type and potential impact of a given risk qualifies it as a threat to the network. Nevertheless, network security risk assessment is a subjective process that is affected by multiple distinct variables (Schneier, 2006). These variables include the priorities set by the network security supervisors; the capabilities of the security systems that have been implemented to target threats; the culture that arises within the organization itself (Haimes, 2005); and managerial attention (Parker, 1981). Therefore, to implement an effective network security system, it is necessary to address these distinct elements and identify how sensible, appropriate risk assessment can be conducted. This indicates that all network security specialists must take into account the costs and the benefits of preventing one specific type of risk; identify the priorities within the organization; and provide risk management strategies to meet these. On the other hand, since security specialists are not responsible for an organization's general priorities and are not usually allowed to lead policy development, strong cooperation between security specialists and management is needed.

Older studies indicated that a large number of managers did not regard security as important (Straub, 1990), resulting in security falling below the top twenty priorities list (Brancheau et al., 1996). However, with the use of information systems in more and more areas of our lives, the amount of information stored on them, and the increased media attention to security-related incidents and the effects they might have, management's attitude towards security is changing. In fact, it is believed that this is a growing trend in management culture, where management recognizes that network security is a complex process and is willing to permit network security specialists to make the necessary infrastructure and maintenance decisions. This is illustrated in a study of information management systems in Malaysian educational institutions (Saad et al., 2005).

More recently, a large number of information system researchers and practitioners have indicated that there is a lack of empirically based research to explore the rationale that governs implementation of information systems and network security expenditures and to effectively analyze the perceptions held by management and by security specialists, and the degree to which these perceptions are similar (Kotulic and Clark, 2004; Jahankhani and Nkhoma, 2005).

In this paper, we attempt to fill in the gap identified in the literature. In particular, based on an empirical case study focused on a large national bank, we explore the rationale that governs implementation of information systems and network security expenditures. In doing so, we identify the various perceptions held by management ...