Abstract
This chapter describes a two-step decision-support risk model that focuses on investment in information technology security. In the first step, the risk level of each of the system's components is mapped with the goal of identifying the subsystems that pose the highest risk. In the second step, the model determines how much to invest in various technological tools and workplace culture programs to enhance information security. The mode is applied to an information system in an academic institution in Israel. This system comprises 10 subsystems and the three that are responsible to most of the risk are identified. These findings are then used to determine the parameters of the investment allocation problem and find the optimal investment plan. The results of the model's application indicate that monetary incentives and grade cheating are the greatest threats to the system's security. In addition, the results provide support to the claim that information security officials tend to overinvest in security technological tools and underinvest in improving security workplace culture.
TopIntroduction
The task of strengthening information security poses a serious dilemma for universities. On the one hand, universities store valuable and personal information in their systems that must be protected diligently. On the other hand, universities are missioned with promoting inclusiveness, openness and the dissemination of information and knowledge (Doherty, Anastasakis, & Fulford, 2009; Mensch & Wilkie, 2011). Increased security protocols inevitably hinder these missions. Furthermore, being public institutions the challenges that universities face with information security are exacerbated by budgetary and regulatory constraints. The budget, therefore, must be used efficiently to pursue strategies and purchase technological tools that achieve the “best bang for the buck”.
In order to determine the optimal investment scheme while avoiding an overreaching security system, it is important for the security staff to identify the riskiest elements of their information system and determine the best tools to improve the security of these elements. Doing so provides the following benefits to the institution:
- 1.
It enables the dissemination of academic knowledge without allowing malicious entities from exploiting this welcoming environment. This is achieved by strengthening security only on the riskiest and most sensitive modules, leaving the majority of the information system less restrictive to users;
- 2.
It enables the information technology (IT) department’s management to place higher emphasis on the technological tools and security policies that affect mainly the components that are in the most need of improved security;
- 3.
It allows university managers to use this knowledge to improve their understanding of the nature of the information-related threats that they face. For example, it is possible that student hacking and cheating may pose a bigger threat to the university than issues of propriety rights ownership (i.e. industrial espionage), people’s privacy and so forth.
The study described in this chapter has two main goals:
- 1.
The first goal is to develop a two-step IT risk-management decision support model. This model emphasizes breaches and risks that are related to the human factor, with further stress on inside-users;
- 2.
The second goal is to apply the decision support model to an academic institution in Israel to identify the security-related investment needs according to the model’s results. To achieve this goal, a two-step risk management model to identify the critical components of an academic institution’s information system is proposed. In the first step, the subsystems of the institution’s information system are identified with the riskiest subsystems further highlighted using a composite risk index model. In the second step, a mixed-integer optimization problem is developed. The goal of the problem is to determine the budget allocate that maximizes the IT security. The model is then applied in a technology-oriented academic institution and its output is used to help security managers identify the riskiest components of their system and decide on how to distribute their investment in improving their system security.
The main finding of the study is the practical recommendation of how to allocate investment among the menu of possible technological tools and workplace culture programs. In addition, two theoretical contributions can be made based on the results of the application. First, the results indicate that student-related hacking is a major security concern to the organization together with the more “traditional” risks motivated by monetary reasons. Second, by comparing the current investment scheme with the model’s recommended investment scheme the results suggest that security officers place more emphasis on technological tools rather than improve workplace culture.
Key Terms in this Chapter
Risk Management: The practice of identifying and analyzing potential risks in advance and taking precautionary steps to limit risk.
Composite Risk Model: A risk analysis model that identifies a limited number of factors whose combination predicts the adverse outcome.
Integer Optimization or Integer Programming: A mathematical optimization (or feasibility) program in which some or all the variables are restricted to be integers.
Security Hacker: A computer expert who uses their technical knowledge to break into computer systems.
Decision Support System: An information system (computer programs and the relevant data) that supports decision-making activities of the organization.
Human Factors: Incorporating psychological and physiological principles into the engineering and design of products, processes, and systems.
Mixed Integer Optimization: A mathematical optimization (or feasibility) program in which the variables may be either real or integer numbers.