Introduction
According to an Ernst & Young Global Information Security Survey (Bandyopadhyay et al., 2009), organizations are increasingly recognizing information security risks and are improving the effectiveness of their information security programs. However, a large portion (64%) of the survey respondents indicated that the level of employee security awareness was either a significant or a considerable challenge in meeting their information security initiatives. Lack of compliance with information security policies is a major problem (Siponen & Vance, 2010). In addition, outsider threats, such as viruses and system penetration attacks, continue to increase in cost and complexity.
Traditionally, IS security research has focused on its technological aspects. However, the problem has a “behavioral root” (Workman & Gathegi, 2007) and is subject to both psychological and sociological actions of people (Parker, 1981). Recent research has focused on insider threats (Sneha & Varshney, 2009). Since users interact with information systems on a regular basis in their business activities, how they use the systems and whether they follow established measures will ultimately influence the overall security of an organization’s information systems.
Information security is a phenomenon that occurs in waves, progressing from technical to managerial to institutional and finally to information security governance (von Solms et al., 1994). Although methods of research in information security have been proposed and compared at length (Siponen, 2005), there exist few organizational level studies that employ theoretical rigor. Organizational systems are less secure if top managers, middle managers, and employees neglect information security procedures (Straub & Welke, 1998). Studies have shown that issues become more complex when executive management is unable to view risk from all perspectives (March & Shapira, 1987). For example, management may not consider risk takers motivated by factors other than personal incentives. They may also believe that organizations generally inhibit risk taking.
Security risk management (SRM) refers to a series of mechanisms put in place by an organization to counter or prevent information security related events (Blakley et al., 2001). Examples of such mechanisms include implementation of clearly defined information security policies and secure computing practices (Spears & Barki, 2010). An information security event may include factors such as insider threat, malware, and unauthorized access. Since SRM impacts the organization as a whole and focuses on confidentiality, integrity, and availability of data, it is imperative that effective SRM policies and practices be established and followed.
The overall objective of SRM is to enable an organization to handle information and data adequately. As such, data and information should be safe from potential threats. SRM is not a standalone activity. Instead, it should be an integral part of the processes throughout an organization (Dhillon, 2007). This includes addressing potential threats, educating personnel in security awareness, and establishing and executing security policies. Considering the overarching impact of an SRM program, it is surprising to note that little research has been conducted in this area.