The volume covers the managerial landscape of information security. It deals with how organizations and nations organize their information security policies and efforts. It covers how to strategize and implement security, with a special focus late in the volume on emerging technologies.
It shows wherein lie our strengths. It also shows where there are weaknesses. It points out our wealth of security technologies, particularly since the dawn of the Internet and 9/11. It likewise indicates as clearly as possible that the likely problem today is not the lack of technology, but its intelligent application. The management of information security is in its infancy, whereas the development of security technologies has reached a much more advanced state of maturity.
In attempting to cover the terrain of a broad subject that already has had a long history (however checkered), it is inevitable that much will be left out. So the subject matter selected for this volume calls for a rationale since there must be reasons why some topics were chosen and others were not, and the tale of the choosing says something about what should be valued most highly.
Before engaging in this exercise, though, it is useful to define and elaborate the term “information security” (InfoSec). The term “information” receives the initial stress since we feel strongly that the rendering of data into meaningful statements and comparisons, which we take to be information, has received light attention in both the academic and trade presses. Most of the work on security has been at the technological level, the level of protecting data bits and bytes from unauthorized interception and misuse, while little work has focused on protecting these binary digits once they have been manipulated, formatted, and stored for managerial use. There are volumes of work on encryption algorithms and how to make these unbreakable, for example.1 Hence the prevalence, in this technical literature, of rubrics like “data/database security,” “computer security,” “cyber/Internet security,” and “network security.”
In short, information is a managerial and organizational tool, and the protection of information from the managers’ (and organizations’) point of view has not been subject to the same intense scrutiny as have security technologies. Not only are the policies that protect this information much less frequently discussed, but the processes that lead to effective policies are even less favored by scientists and practitioners. Broad social issues, such as international laws, standards, and agreements that affect security of information, are part of a wide range of environmental issues that also receive scant attention. There are numerous technical working papers dealing with such matters, but assessments of this scattered work have not been forthcoming. Many of these papers have direct organizational impacts, but even those with indirect effects bear watching and understanding.
Focusing on organizational needs, therefore, is the first way in which we scoped the topics covered. What we know at this time and where research should be moving in the future to address lightly examined areas represent the basic goals of the volume.
The term “security” cries out for some definition as well. By security, we most often mean the protection of assets from unauthorized use, but the term is often extended to cover situations where the mechanisms to protect assets are similar whether the damage inflicted comes from a malicious, an accidental, or a natural source. Organizations need to protect themselves from information losses whether these are caused by a terrorist or a tornado. Either will physically wipe out a firm’s data center. The recovery procedures are only distinctive in terms of whether insurance or criminal investigations require a forensic analysis. In both cases, there would be loss of life of mission-critical employees as well as loss of information and the ability to produce information. As tragic as such events are, it would be a further loss if stakeholders who depend on the firm—employees and their families, shareholders, suppliers, customers, and the surrounding communities—were to continue to suffer from organizational unpreparedness.
Thus security as we define it includes business continuity planning, especially regarding information. Malicious elements need to be considered in scenarios in this planning effort, but equal attention must be placed on accidental and natural causes.
PARTS AND CHAPTERS
The perspective taken in this book is at an organizational level. Whether governmental, commercial, not-for-profit, or other, decision makers in organizations confront the need to specify organizational policies, define organizational processes, and manage organizational practices that assure the organization’s information security. Table 1.1 lists an inventory of the various influences that drive these decisions.
Perhaps at the most global level are the regulations that emerge from non-governmental organizations. These include the recommended standards and practices of professional organizations (such as the Information Systems Audit and Control Association, which promotes an InfoSec framework called COBIT), industry standards and practices (such as the MasterCard and Visa collaboration that mandated a payment card industry data security framework), standards set by international agencies such as the International Standards Organization, and international agreements on issues such as personal data privacy through agencies like OECD and the UN.
Governments, aside from being organizations that must set their own internal policies, processes, and practices, are organizations that drive laws and regulations requiring conformity within their territorial borders. These laws and regulations define computer crimes, including insufficient protection of private personal data and insufficient transparency of information necessary for informed public decisions about organizations (such as disclosure of investment risks). With their mandate for national security, governments may regulate advanced information technologies with military applications (such as cryptography) and set national policies to establish sufficient information security in key industry groups like finance, transportation, and energy. Such government regulation drives processes, policies, and practices in a very widespread range of commercial and private organizations (the effects of which may even be extraterritorial). Even the setting of internal government organizational processes, policies, and practices may have a widespread effect, as these may drive conforming requirements of government contracting organizations, or become regarded as emblematic standards of “due care” in InfoSec.
Table 1.1
Drivers Influencing Organizational Information Security Policies, Processes, and Practices

Non-governmental regulation
  - International treaties
  - International standards
  - Industry standards and practices
  - Professional standards and practices
Government regulation
  - Computer crime
  - Privacy protection
  - Public disclosure requirements
  - National security
  - National information infrastructures
  - Government internal policy
Organization
  - Economics of security
      - Costs and benefits
      - Functionality—Security tension (guns or butter)
  - Ethics of security
      - Mandated or optional (due care)
Technological
  - Computer security
  - Network security
  - Cryptology
  - Vicious circle
There are also internal drivers that determine organizational policies, processes, and practices. For example, improvements to organizational InfoSec usually require resources; an investment in InfoSec is therefore an economic decision. Costs and benefits are managed through risk analysis, and like any investment decision, improvements in InfoSec move forward under the shadow of their opportunity costs. Should the organization invest in improved information systems performance or instead invest in improved security for its existing systems? The “guns or butter” nature of the decision often pits systems performance advances against systems security advances. These conflicting goals bring forward the ethical dimensions of decisions about organizational InfoSec policies, processes, and practices. Where InfoSec features are mandated by regulations, the ethical aspects are clear. But in organizational systems where InfoSec is not required by regulation, organizations are left to follow their own ethical lights: instituting InfoSec policies, processes, and practices because these represent the measure of due care that a wide range of stakeholders would regard as responsible management of information.
Information technology is itself a driver of InfoSec management processes. Not only do newer technologies bring challenging new problems for security, but security for existing technologies is a vicious circle of technical developments. New InfoSec technologies lead adversaries to develop new techniques to defeat the new security technologies, forcing the need for even newer and even better InfoSec technologies. This is a constant race for effective technical solutions in areas like computer security, network security, and cryptology.
Table 1.2
Situating the Parts of Our Volume Among the Drivers Influencing Organizational Information Security Policies, Processes, and Practices

Part I. The Terrain of Information Security
Part II. Security Processes for Organizational Information Systems
  Organization
    - Economics of security
        - Costs and benefits
        - Functionality—Security tension (guns or butter)
    - Ethics of security
        - Mandated or optional (due care)
Part III. Processes for Securing the Extra-Organizational Setting
  Non-governmental regulation
    - International treaties
    - International standards
    - Industry standards and practices
    - Professional standards and practices
  Government regulation
    - Computer crime
    - Privacy protection
    - Public disclosure requirements
    - National security
    - National information infrastructures
    - Government internal policy
Part IV. Forces and Research Leading to Future Information Security Processes
  Technological
    - Computer security
    - Network security
    - Cryptology
    - Vicious circle
Indeed, the vicious circle involves more than just technology. The causal directions of the entire set of drivers are not straightforward. Various InfoSec events, like compromises and massive losses, occur within their contemporary frameworks, including the drivers noted in Table 1.1 and the various organizational InfoSec policies, processes, and practices. Such events lead to revisions in regulations and organizational values, as well as technologies. As a result, these drivers also set the stage for their own revisions, a form of self-remaking or autopoiesis.
How does the work at hand fit into this landscape? We can ...