SECR 5000 Webster University Information Security Strategy Article Analysis HW


Description

I need one page for each article attached for course 5000. This is a peer review.

Attached article:

Effective Information Security Requires a Balance of Social and Technology Factors [1,2]

MIS Quarterly Executive

Tim Kayworth, Baylor University (U.S.)
Dwayne Whitten, Texas A&M University (U.S.)

Executive Summary

Industry experts have called for organizations to be more strategic in their approach to information security, yet it has not been clear what such an approach looks like in practice or how firms actually achieve it. To address this issue, we interviewed 21 information security executives from 11 organizations. Our results suggest that a strategically focused information security strategy encompasses not only IT products and solutions but also organizational integration and social alignment mechanisms. Together, these form a framework for a socio-technical approach to information security that achieves three objectives: balancing the need to secure information assets against the need to enable the business, maintaining compliance, and ensuring cultural fit. The article describes these objectives and the security alignment mechanisms needed to achieve them and concludes with guidelines that can be applied to ensure effective information security management in different organizational settings.

INFORMATION SECURITY HAS BECOME A STRATEGIC ISSUE

Information security continues to be a major concern among corporate executives. The threat of terrorism, a growing dependence on the Internet, globalization, and new government regulations requiring companies to protect data have heightened awareness of the need for effective corporate governance of information security. Further, the staggering financial and reputational loss associated with large-scale data breaches has made executives acutely aware of the need to protect corporate information assets.
Not surprisingly, corporate IT executives consistently rank information security and privacy as a key organizational issue.[3] Since information security is rapidly becoming a core business issue, many firms have sought to elevate the security function by hiring security executives, expanding budgets, or evaluating security investments based on ROI.[4] However, the question remains as to what is the most effective organizational approach or strategy for information security.

Historically, companies have followed a technically focused information security strategy that emphasizes the primary role of technology in designing effective security solutions.[5] Such a strategy places a premium on sophisticated technologies and technically competent security specialists capable of applying various technologies to secure information assets. Moreover, technology, rather than people, is used as the basis of explanation when security breaches occur.[6] And since security is perceived to be a technical issue, the information security group in organizations following this strategy tends to be positioned as a low-level technical function operating independently from the business.[7] The lack of integration between the security group and the business may result in security policies and budgets not reflecting the needs of the business.[8] In such an environment, security tends to be reactive, investment decisions are driven by short-term priorities rather than well-conceived strategic priorities, and security may receive little executive attention.[9]

The more current view is that an effective information security strategy must be balanced, emphasizing both the importance of technology and, when designing and implementing security solutions, the organization’s socio-organizational context.[10] Such a socio-technical security strategy, as proposed by Siponen, emphasizes the importance of integrating security into mainstream aspects of the business[11] and of taking account of the human element in designing effective security programs.[12] Such a strategy will be strategically focused, or business driven, and thus ensure that security becomes integrated into the fabric of the organization and is perceived as an important core business issue. While technology is still important, it represents just part of an overall solution that must also include the social-organizational elements of the business.[13]

An effective information security strategy must therefore incorporate two key elements, the first of which is technical competence. Technical competence must be complemented with a strategy to align security both organizationally and socially as part of an overall socio-technical strategy for information security. The benefits of such an approach include improved compliance, security spending and policies better aligned with the business, and fewer security incidents.[14]

The aim of our research was to gain a deeper understanding of how an effective information security strategy manifests itself in practice. Specifically, we explored the types of mechanisms firms use to align security both organizationally and socially to the enterprise.

[1] Bob Zmud is the accepting Senior Editor for this article.
[2] The authors wish to acknowledge the Center for Management Information Systems at the Texas A&M University Mays Business School for its support of this project.
[3] Luftman, J. and Ben-Zvi, T. “Key Issues for IT Executives: Difficult Economy’s Impact on IT,” MIS Quarterly Executive (9:1), March 2010, pp. 49-59.
[4] Brenner, B. “Why Security Matters Now,” CIO Magazine, October 15, 2009; The Global State of Information Security 2010, PriceWaterhouseCoopers.
[5] Siponen, M. “An Analysis of the Traditional IS Security Approaches: Implications for Research and Practice,” European Journal of Information Systems (14:3), 2005, pp. 303-315.
[6] Dodds, R. and Hague, I. “Information Security - More Than an IT Issue?,” Chartered Accountants Journal, December 2004, p. 56.
[7] Berinato, S. and Ware, L. C. “The Global State of Information Security,” CIO Magazine, September 15, 2005.
[8] Siponen, M. “A Review of Information Security Issues and Respective Research Contributions,” The DATA BASE for Advances in Information Systems (38:1), 2007, pp. 60-80; Straub, D., Goodman, S., and Baskerville, R. “Framing of Information Security Policies and Practices,” in Information Security Policies, Processes and Practices (eds. Straub, D., Goodman, S., and Baskerville, R.), M. E. Sharpe, 2008.
[9] Berinato, S. and Ware, L. C., op. cit., 2005; Wylder, J. Strategic Information Security, CRC Press, 2004.
[10] Siponen, M. and Oinas-Kukkonen, H. “A Review of Information Security Issues and Respective Research Contributions,” The DATA BASE for Advances in Information Systems (38:1), 2007, pp. 60-80.
[11] Siponen, M., op. cit., 2007; Baskerville, R. “Information Systems Security Design Methods: Implications for Information Systems Development,” ACM Computing Surveys (25:4), 1993, pp. 375-414.
[12] Goles, T., White, G., and Dietrich, G. “Dark Screen: An Exercise in Cyber Security,” MIS Quarterly Executive (4:2), June 2005, pp. 303-318.
[13] Siponen, M. and Oinas-Kukkonen, H., op. cit., 2007; Siponen, M., op. cit., 2005.

Source: MIS Quarterly Executive Vol. 9 No. 3 / Sep 2010. © 2010 University of Minnesota.
To address these issues, we interviewed information security executives and managers from a cross-section of industries[15] representing a range of security risks, concerns, and maturity (our research methodology is described in the Appendix). Finally, we identified a set of guidelines for information security management.

THREE PRIMARY OBJECTIVES FOR AN INFORMATION SECURITY STRATEGY

There are three primary objectives all security executives must address regardless of the organizational context: balancing the need to secure information assets against the need to enable the business, ensuring compliance, and maintaining cultural fit.

1. Balancing Information Security and Business Needs

A major challenge faced by security executives is the requirement to balance the need to enable the business against the need to secure information assets. For example, if salespeople are to be given access to client data through portable devices, what is the value of providing this data to the sales force weighed against the need to secure valuable client data from unauthorized access or theft? Hypothetically, risks could be eliminated by locking down servers and giving salespeople no access to corporate data at all. While this option would effectively secure corporate data, it would also hinder business operations. So an effective information security strategy must be business driven, simultaneously securing information assets while still enabling the business. Conversations with security executives revealed three characteristics of a business-driven approach.

[14] The Global State of Information Security 2005, PriceWaterhouseCoopers.
[15] The organizations in the research are referred to throughout this article by pseudonyms: FinServ, Petro 1, Petro 2, Distribution, TechServ, ITProducts, Retail 1, Retail 2, TechConsult, OilServ, and Energy.
First, such an approach must align with corporate goals and objectives:

“When I say alignment, what I mean is that we understand the business unit strategy, they understand the accountability we have to protect the corporation as a whole … we’ve been able to reconcile those two different sets of requirements into something that allows the business to continue operating. So it’s not all about mitigating the risk. For us it’s about both.” (Director of Global Security, Petro 1)

Second, being business driven also means it is the responsibility of the business, not the security function, to determine acceptable levels of security risk. Thus for a company like TechServ (which provides technology services), the Product Design Team would be responsible for assessing the level of security risk acceptable for a new product launch. The security team would then take this information and weigh it against the overall security risks to the organization as well as against any government compliance requirements.

The third aspect of a business-driven security strategy concerns risk contingencies. Our interviewees were unified in their opinion that an effective security strategy is not “one size fits all”; rather, it takes into account the varying risk factors that may be associated with different industries, product lines, or geographic locations. When designing security policies and standards, planners must therefore take account of how business requirements for security may differ even within the same organization. Such differences were evident at TechServ:

“I may not need the level of security tools in a manufacturing plant that I need in a health claims operation. The implementation of security tools has to be tailored to the industry.” (Chief Privacy Officer, TechServ)

2. Ensuring Compliance

The second objective is to ensure that the design and implementation of information security policies comply with any number of external legal requirements:

“Information security is not exclusively about risk mitigation; rather it is a balancing act among operations [business requirements], governance [security requirements], and compliance [legal requirements].” (Director of IT Security, Retail 1)

Increasingly, security managers face the complex challenge of meeting multiple compliance requirements from a growing array of federal, state, and industry standards. FinServ, for example, has to comply with federal legislation (Sarbanes-Oxley and the Gramm-Leach-Bliley Act). Since FinServ is publicly traded, Sarbanes-Oxley requires it to deploy comprehensive IT security controls to ensure the accuracy and reliability of public disclosures and to regularly assess the effectiveness of these controls, reporting the results to the Securities and Exchange Commission. It is also subject to the Gramm-Leach-Bliley Act, which requires financial institutions to develop information security plans describing how the company is prepared for, and plans to continue, protecting clients’ nonpublic personal information. Finally, FinServ also has to comply with the Payment Card Industry (PCI) standards, which outline the controls companies must implement to ensure the safety of credit card transactions.

3. Maintaining Cultural Fit

The third objective for security executives is to maintain cultural fit: to ensure that underlying values about information security mesh with the values of the organization. Since an organization’s staff members tend to behave in ways consistent with corporate values,[16] cultural conflict may occur when the values associated with an information security program do not match those of the company. If security programs do not fit the organizational culture, individuals may act inconsistently with information security policies and standards.

The importance of cultural fit was evident at both Petro 1 and Petro 2. The security manager at Petro 2 characterized the company’s organizational culture with adjectives such as “conservative,” “risk-averse,” “bureaucratic,” and “non-trusting.” Consistent with this culture, Petro 2 self-characterized its security function as being “more secure than the government,” and an independent consultant noted that “control is in their DNA, so their efforts in information security are prodigious.” In contrast, Petro 1’s organizational culture can be described as “open” and “trusting.” Consistent with its open culture, this organization’s security strategy has been characterized as more relaxed and open:

“Yes, we do have a security culture, and it is very much informed by our overall company culture. The company as a whole has a very trusting culture. The information security culture is very much tied to that.” (Security Standards and Controls Manager, Petro 2)

Both of these firms have been able to deploy security programs in harmony with the prevailing cultural values of their organizations. To do otherwise would potentially create conflict between the demands of the security program and the values of the firm, leading to employee resistance to security policies.

[16] Posner, B. Z. and Munson, J. M. “The Importance of Values in Understanding Organizational Behavior,” Human Resource Management (18:3), Fall 1979, pp. 9-14.

AN ORGANIZATIONAL STRATEGY FOR ACHIEVING INFORMATION SECURITY OBJECTIVES

An effective information security strategy will enable a firm to achieve all three of the objectives described above.
Achieving these objectives will ensure that the security function is strategically focused, business driven, and aligned with the organization. Of particular interest is the strategy used to accomplish these objectives. The firms we studied have achieved this through a socio-technical strategy that includes three types of critical risk management mechanisms: organizational integration, social alignment, and technical competence (Figure 1). With this approach, technology represents one key element of the overall strategy, which must also include organizational mechanisms to integrate security with the mainstream business and social alignment mechanisms to align security with the firm’s social context. We identified nine organizational integration and four social alignment risk management mechanisms, which we describe below. (We do not describe technical competence risk mechanisms in this article because there is a wealth of published material in this area of information security.)

Figure 1: A Strategic Framework for Effective Information Security

Risk Management Mechanisms (Organizational Integration; Social Alignment; Technical Competence) -> Objectives for an Information Security Strategy (Balancing Security and Business Needs; Ensuring Compliance; Maintaining Cultural Fit) -> Effective Information Security

Organizational Integration Risk Management Mechanisms

The nine organizational integration mechanisms identified in our research are summarized in Figure 2. Each mechanism can be classified as either a formal organizational structure or a coordinating mechanism. Coordinating mechanisms can be further broken down into coordinating structures and coordinating processes.

Figure 2: The Nine Organizational Integration Mechanisms

Formal Organizational Structures

Information security organization
  Description: A formal organizational unit within the larger enterprise whose mission is to secure the firm’s information assets.
  Purpose: To develop and deploy corporate standards and policies governing corporate-wide information security.

Information security executive
  Description: Senior-level security executive with leadership responsibility over the information security function.
  Purpose: To facilitate strategic alignment between business and security objectives. To drive the strategic agenda for information security.

Internal audit function
  Description: A formal organizational unit that operates independently from the information security function.
  Purpose: To conduct independent assessment of information security controls and policies and to report audit results to senior management.

Coordinating Structures

Information security steering committee
  Description: A cross-functional committee comprised of information security executives and managers from the firm’s various business units.
  Purpose: To facilitate communication of strategic business needs, plans, and funding priorities between the business and the information security function.

Information security liaisons
  Description: Information security specialists who work in a matrix format with responsibility both to business units and to the corporate information security function.
  Purpose: To represent the interests of the corporate security function by assisting business units in the areas of risk assessment and providing security consulting consistent with corporate security policies.

Separation of security governance from operations
  Description: Those responsible for developing security policies maintain operational independence from those responsible for implementation of policy.
  Purpose: To maintain independence between policy makers and implementation personnel and to keep policy makers from being distracted with implementation details.

Coordinating Processes

Top-down security
  Description: Detailed security operating procedures are derived in a top-down fashion from high-level business requirements.
  Purpose: To ensure that detailed security standards and technologies are linked to business requirements.

Information security embedded within key organizational processes
  Description: Information security becomes a core element of certain business processes like software development and new product development.
  Purpose: To integrate security into new products, services, and software systems upfront rather than after the fact.

Flexible application of uniform standards
  Description: Adhering to uniform security policies across the organization and at the same time allowing for some flexibility in how such standards are deployed.
  Purpose: To allow security policies to be slightly customized to different cultural and geographic contexts.

Formal Organizational Structures. All firms had a formal information security organization headed by a Chief Information Security Officer (CISO) with management accountability over the entire security function. Regardless of the structure of the companies we studied, virtually all security functions were centralized so they could develop and deploy uniform enterprise-wide policies and standards. In terms of reporting relationships, each security organization was part of the corporate IT function, with the CISO reporting at most two levels below the CIO. These CISOs can therefore regularly participate in security planning processes that are subject to review by the CIO or higher levels in the corporate chain of command. This contrasts with other firms, where the security function operates as an isolated technical group.
The danger of such isolation is that:

“You’re off in left field somewhere, and you don’t get the [executive] support you need. You have a lot of people doing things they don’t understand [nor realize] the [business] value of.” (Manager of IS Security, Retail 2)

Each organization had an internal audit group whose primary role is to conduct independent assessments of information security controls and policies and to convey these results to management. As the security manager at TechServ put it, “A very strong corporate audit function is required to ensure that the operational [controls] are meeting the requirements of the strategy.” ITProducts’ internal audit group develops an annual audit plan for information security and then spends two to three months auditing the security function. At Petro 2, the information security function receives a detailed report from internal audit providing its assessment of security controls and policies. This report forms the basis for subsequent actions taken by the security function to ensure the controls and policies are compliant with internal standards. One of the main benefits of a strong internal audit function is its availability to assist with security issues from the inception of a project right through to its implementation.

Coordinating Structures. The firms we studied were very deliberate in their use of information security steering committees as a means to facilitate security planning and budgeting processes and to ensure that the security function maintains alignment with business strategy. Through this structural mechanism, the information security function gains valuable insights from the business to support strategic decision making. Additionally, steering committees provide a forum for the security function to communicate security pressure points to business managers. Comments from security managers attest to the importance of these steering committees:

“We [information security] basically report to an executive committee that’s made up of representatives from three business units. [We] talk about capital we’re about to spend over the next five years; our strategic capital plans and our tactical plans are developed from there.” (Manager of IS Security, Retail 2)

“We go to [the steering committee] to gain alignment, to understand what the strategies are for the business and then to present back to them—here are the pressure points that we’re seeing, and what steps should we take, if any, to mitigate those?” (Director of Global Security, Petro 1)

A second coordinating structure is the use of information security liaisons to represent the interests of the corporate security function among the various business units. This practice was most evident at Petro 1 and Petro 2, which deploy security liaisons physically among business units to act as advisors and consultants on security-related matters. For example, a security liaison on a firewall support team might report administratively to IT operations and functionally to corporate security for oversight of firewall policies and standards. At Petro 2, security advisors are responsible for promulgating corporate security standards and for making sure that such standards are embedded into any new products or services offered by business units.

A third universal coordinating structure in the firms in our study was to maintain separation between security policy making and operations (i.e., between policy making and execution). The typical arrangement was for the corporate security function to be responsible for setting security standards and policies, with either the IT organization or the business units’ own IT personnel responsible for executing them. For example, ITProducts’ corporate security organization creates the security policies, which are then subjected to a technical review, subsequent approval by a corporate security advisory team, and final approval by the CIO. Once the policies are approved, the IT organization is responsible for their execution. The benefit of this separation is that it keeps security planners from being distracted by operational details:

“When we were contemplating splitting up governance and operations, at the time, I was very much opposed to it. [But] having lived [with] it now for a year, I recognize that, because I was consumed with a lot of operations activities, we had policy making and compliance activities that were getting too little attention. I do think that this is a good structure for information security.” (Director of Global Security, Petro 1)

A second benefit of separating security governance from operations is that it helps to maintain independence between those tasked with making policy decisions and those responsible for executing the decisions:

“When our firewall team gets a request to open up a specific port, they will come to my team to ask, ‘Is this appropriate?’ We’ll do the appropriate risk assessments, and then we’ll make the ruling on whether or not it should be done. If we say yes, then they execute that. But they’re not accountable for making the decisions; they’re only accountable for executing the decision.” (Director of Global Security, Petro 1)
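The split described in the Petro 1 quote above (governance rules, operations executes) can be made mechanical rather than procedural by expressing the standard as policy-as-code. The Python below is an added example written for this page; it is not code from the article or from any of the firms it describes. The zones, ports, ticket numbers and the STANDARD policy are constructed for illustration. A governance-owned Policy issues each ruling, every ruling is recorded whether approved or not, and the operations-side execute() can only turn an APPROVED ruling into a firewall rule.

```python
"""Policy-as-code for firewall change requests.

Governance (the security function) owns Policy and makes the ruling;
operations owns execute() and can only act on an APPROVED ruling that
still matches the request it was issued for. Zones, standards, tickets
and requests are constructed for illustration, not taken from the article.
"""
from dataclasses import asdict, dataclass, field
from enum import Enum
import hashlib
import json


class Outcome(Enum):
    APPROVED = "approved"
    DENIED = "denied"
    RISK_ASSESSMENT = "needs risk assessment"


@dataclass(frozen=True)
class Request:
    ticket: str          # change ticket reference (hypothetical format)
    src_zone: str        # e.g. "internet", "corp", "app"
    dst_zone: str        # e.g. "dmz", "db"
    proto: str           # "tcp" or "udp"
    port: int
    justification: str = ""


@dataclass(frozen=True)
class Decision:
    request: Request
    outcome: Outcome
    reason: str
    ruling_id: str       # binds the ruling to exactly this request and outcome


def _ruling_id(req: Request, outcome: Outcome) -> str:
    """Digest over the request and the outcome, so a ruling cannot be re-pointed."""
    blob = json.dumps([asdict(req), outcome.value], sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()[:16]


@dataclass
class Policy:
    """Standards owned by governance; operations never edits these."""
    allowed: set = field(default_factory=set)              # pre-approved (src, dst, proto, port) flows
    prohibited: set = field(default_factory=set)           # flows denied regardless of justification
    never_from_internet: set = field(default_factory=set)  # (proto, port) never exposed to "internet"

    def decide(self, req: Request) -> Decision:
        flow = (req.src_zone, req.dst_zone, req.proto, req.port)
        if flow in self.prohibited:
            out, why = Outcome.DENIED, "flow is prohibited by standard"
        elif req.src_zone == "internet" and (req.proto, req.port) in self.never_from_internet:
            out, why = Outcome.DENIED, "service may not be exposed to the internet"
        elif flow in self.allowed:
            out, why = Outcome.APPROVED, "flow matches a pre-approved standard"
        elif not req.justification.strip():
            out, why = Outcome.DENIED, "non-standard flow with no business justification"
        else:
            out, why = Outcome.RISK_ASSESSMENT, "non-standard flow; security to run a risk assessment"
        return Decision(req, out, why, _ruling_id(req, out))


def execute(decision: Decision) -> str:
    """Operations side: emit a rule only for an approved ruling that has not been altered."""
    req = decision.request
    if decision.ruling_id != _ruling_id(req, decision.outcome):
        raise ValueError(f"{req.ticket}: ruling does not match the request/outcome it claims to cover")
    if decision.outcome is not Outcome.APPROVED:
        raise PermissionError(f"{req.ticket}: not approved ({decision.reason})")
    return (f"permit {req.proto}/{req.port} from {req.src_zone} to {req.dst_zone}"
            f"  # {req.ticket} ruling {decision.ruling_id}")


# Constructed sample standard and requests (illustrative only).
STANDARD = Policy(
    allowed={("internet", "dmz", "tcp", 443), ("app", "db", "tcp", 5432)},
    prohibited={("internet", "corp", "tcp", 3389)},
    never_from_internet={("tcp", 23), ("tcp", 445), ("tcp", 5432)},
)

SAMPLE_REQUESTS = [
    Request("CHG-1001", "internet", "dmz", "tcp", 443, "public web front end"),
    Request("CHG-1002", "internet", "db", "tcp", 5432, "vendor wants direct database access"),
    Request("CHG-1003", "corp", "db", "tcp", 5432),
    Request("CHG-1004", "corp", "dmz", "tcp", 8443, "admin console for the ops team"),
]


def process(requests=SAMPLE_REQUESTS, policy=STANDARD):
    """Every ruling is recorded (that record is what internal audit reads);
    only APPROVED rulings reach the firewall."""
    decisions = [policy.decide(r) for r in requests]
    rules = [execute(d) for d in decisions if d.outcome is Outcome.APPROVED]
    return decisions, rules


if __name__ == "__main__":
    for d in process()[0]:
        print(f"{d.request.ticket}: {d.outcome.value} ({d.reason})")
```

On the constructed input, CHG-1001 is approved by standard, CHG-1002 is denied because the database port is on the never-from-internet list whatever the justification, CHG-1003 is denied for lacking a justification, and CHG-1004 is routed to the security team for a risk assessment; only the first becomes a rule. The ruling_id is only a digest: it catches a ruling being re-pointed at a different request or outcome by mistake, but a firewall administrator who can edit the decision record could recompute it. To enforce the independence the quote describes, governance would sign rulings with a key that operations can verify but not use, and the full log of decisions, denials included, is what an internal audit function reviews.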
The firms in our study were using a top-down security process that enabled them to generate detailed security requirements based on actual business needs. To accomplish this, they start by defining high-level business requirements for information security and then refine these to progressively more detailed technical specifications. Both Petro 2 and TechServ provide excellent examples of this top-down approach. At Petro 2, the security strategy is informed by a set of guiding principles originating outside the security function. This framework provides a basis for developing more detailed security practices and, finally, detailed operating procedures. Similarly, at TechServ, the security function bases its strategy on a set of guiding principles that, in turn, drive general requirements, specific security standards (about 500), and, finally, technology-specific security implementation procedures (e.g., how to implement password security in a Linux environment). Thus the security programs for both of these firms are formulated at the very highest levels based on business needs and then refined further to the level of technically detailed security implementation guidelines. The Chief Privacy Officer at TechServ sums up the elegance of the business-driven top-down approach to information security strategy: “The best thing that we put in place was a strong policy and standards structure that did not address specific technologies but did address the [business] issues that we’re dealing with. But if you have not put together a good structure of policy and standards which really define your [security] strategy, then, operationally, you’ll be all over the place. I think that’s probably one of the things we did right to begin with.” Another coordinating process is the practice of embedding security within key organizational processes, such as the IT project management life cycle, with key deliverables required for each life cycle phase. 
By considering security before and during the development of a project, it is much easier, more effective, and cheaper to successfully integrate security into the project or process. Commenting on © 2010 University of Minnesota this approach, the Director of Technology Advisory Services at TechConsult noted: “Your systems are riddled with vulnerabilities, and you can have a much bigger problem later than if you had been more thorough in your development standards in the beginning. By considering these issues early on, you won’t be in that position.” The Director of Data Center Operations at Retail 2 described a recently completed project that was one of the first to use the new project management security procedures: “The key thing is to make sure that security was involved at every part of the project, not just after it was implemented. So in each of the phases—requirements, design, development, implementation—we have particular deliverables from a security standpoint that are required.” The final coordinating process we identified is the flexible application of uniform standards. Those companies in our study with international operations tended to apply security policies uniformly across global operations. The advantage is that consistent application of uniform security policies provides an environment that is easier to manage from a security executive’s standpoint: “It is important to have a consistent framework and foundation for high-level security policies. This helps from a management and enforcement point of view. As people travel and rotate assignments internally, they also know what is expected of them regardless of where they work.” (IT Security Manager, ITProducts) The downside, however, is that implementing security policies uniformly across geographic regions may prove challenging, particularly when there are significant cultural differences. 
To reconcile these differences, firms provide some level of local flexibility in the application of uniform standards: “What we’re finding is that the policy itself is universal; we expect everyone to adhere to the same policy, but our compliance program is different in different parts of the world. In the U.S., it’s primarily employees who are expected to live up to their responsibilities, and we really don’t go looking, for the most part, for evidence of impropriety unless there’s something that causes us to suspect MIS Quarterly Executive Vol. 9 No. 3 / Sep 2010 169 Kayworth and Whitten / Effective Information Security Requires a Balance of Social and Technology Factors something. We flip that on its head outside the U.S.; in certain locations, we spend a lot of time actively looking for evidence. The policy itself is fine, but the implementation and the compliance activities around it will be quite different in different regions.” (Director of Global Security, Petro 1) Social Alignment Risk Management Mechanisms Another aspect of aligning information security with the business is to develop a culture that embraces the value and importance of security. 
Promoting such cultural awareness motivates employees to follow corporate security practices willingly rather than under tough control and monitoring regimes: “Security groups who want to control everything will fail.” (IT Security Manager, ITProducts) Similarly, one of the interviewees from Petro 1 remarked: “At the end of the day, when you think about what makes an information security program work properly, you can legislate, you can monitor for compliance, but as with a lot of things, you’re really counting on all of your employees and contractors to do the right thing in the situations they’re presented with.” (Director of Global Security)

The social alignment mechanisms used by the firms in our research to align security from a social perspective fall into two categories, cultural and leadership. We identified three cultural mechanisms and one leadership mechanism (see Figure 3).

Cultural Mechanisms. The first mechanism for establishing the required culture, used by all the firms we interviewed, is to deploy some type of formal security awareness training and educational program. The programs varied in nature and included such techniques as web portals, newsletters, ad campaigns, and security-awareness programs. These programs tend to be formal in nature and driven from the top down rather than emerging in a more organic fashion. The second mechanism is for security managers to develop their own informal networks. Our interviewees are very active and adept at forging strong relational ties with key organizational constituents and external partners. In contrast to top-down awareness programs, this activity is organic in nature: security managers and executives seek to build collaborative relationships with other key stakeholders on security-related issues.

Figure 3: The Four Social Alignment Mechanisms

Cultural mechanisms
• Security awareness programs. Description: Organizationally sponsored security awareness, training, and education programs. Purpose: To increase the overall awareness of information security and to improve compliance-related behaviors.
• Informal networks. Description: Information security personnel engage in boundary-spanning activities to develop close informal relationships with key stakeholders both internally (e.g., IT audit) and externally (e.g., security vendors). Purpose: To enhance the level of collaboration between information security and other key stakeholder groups, and to improve knowledge sharing on security-related issues among organizational constituents.
• Information security mentoring. Description: The practice of providing informal consulting and advisory services to other areas of the company. Purpose: To create greater security awareness and buy-in and enhance the likelihood of organizational members seeking advice on security-related issues.
Leadership mechanism
• Executive commitment. Description: Senior management actively supports information security as a vital enterprise-wide function. Purpose: To establish strong organizational values regarding the importance of information security.

Prior research[17] suggests that security managers may benefit from close, informal social networks in terms of enhanced communication, improved knowledge sharing, and a greater ability to solve complex security-related issues. Further, such networks lead to greater acceptance of security policies and, ultimately, the success of the security program: “Social networks and relationships are critical to the success of our security program. In fact, I would argue the number one reason for my success is due to the relationships I have strengthened over the years. You cannot emphasize this enough as a requirement for success. Ultimately, everything eventually comes down to people following the rules or implementing the technology. If people trust you, they will follow the spirit of the policies.
They will also start to take the initiative on security issues rather than waiting for the security group to dictate action by policy- or compliance-enforcement activities.” (IT Security Manager, ITProducts)

Our interviewees identified numerous social networks they had initiated both internally and externally. Internal networks typically involve information security personnel and groups such as IT audit, IT project teams, and other business units. Interviewees had also established external networks through such groups as the Information Systems Security Association, the Information Security Forum, and (for energy companies) the American Petroleum Institute. Participating in such networks enables security managers to hear how peer companies handle various security issues and, in the words of the Director of Global Security at Petro 1, to “validate when we may be out of alignment with our peers.” Firms also network informally through vendors and suppliers, and these relationships have provided excellent advice: “We network when we go out and buy security products … we have to talk to three different vendors, and, also, we have to have vendor references … we contact the vendor references, and we network that way.” (Manager of IS Security, Retail 2)

[17] Wasko, M. M. and Faraj, S. “Why Should I Share? Examining Social Capital and Knowledge Contribution in Electronic Networks of Practice,” MIS Quarterly (29:1), 2005, pp. 35-57; Nahapiet, J. and Ghoshal, S. “Social Capital, Intellectual Capital and the Organizational Advantage,” The Academy of Management Review (23:2), 1998, pp. 242-266.

The third cultural mechanism we identified is that security managers engage in a great deal of informal mentoring and advising. Such mentoring activity forms a significant part of their jobs and occurs organically; it is crucial to building organizational awareness of security issues.
For example, Petro 2’s Security Architect indicated he spends about 50% of his time advising and consulting with internal stakeholders. Members of ITProducts’ security team stated that their primary role as a centralized corporate resource is to collaborate with and advise the rest of the organization on critical information security issues. A benefit of information security mentoring activities is that business partners are more likely to approach trusted mentors and advisors on vital security issues: “Three years ago, we used to have hundreds of people fall for virus and phishing attacks. Now, when a new threat comes out, I get hundreds of people contacting me to make sure I’m aware of the situation. What a turn-around! We have had zero internal outbreaks this year.” (IT Security Manager, ITProducts) The level of influence security managers have when mentoring others on security policy highlights the need to maintain separation between security policymaking and operations, to prevent abuses from occurring.

Leadership Mechanism. Senior executive commitment to information security is another crucial social alignment mechanism: “You’ve got to have the senior management or executive management backing as well as funding.” (Director of IT Security, Retail 1) This finding is consistent with research in the information systems field that links executive commitment to IS with the ability of organizations to align business and IT strategy.[18] Executive leaders can demonstrate commitment in a variety of ways, including funding, allocation of human and financial resources, promotion of buy-in, and stressing the importance of security to other groups within the company.[19] One interviewee at ITProducts specifically mentioned that the support from the CIO and CFO had enabled the company to take a more proactive approach to information security. As a result, ITProducts’ security group tended to be allocated a greater level of resources to invest in security personnel, awareness programs, and security-related infrastructure.

[18] Chan, Y. “Why Haven’t We Mastered Alignment? The Importance of the Information Organization Structure,” MIS Quarterly Executive (1:2), June 2002, pp. 97-112.
[19] Trent, R. and Monczka, R. “Achieving Excellence in Global Sourcing,” MIT Sloan Management Review (47:1), Fall 2005, pp. 24-32.

GUIDELINES FOR INFORMATION SECURITY MANAGEMENT

Organizations are faced with a dynamic information security environment characterized by constantly changing business requirements, technology risks, and legal compliance issues. Within this environment, they must plan to achieve the three competing objectives for a security strategy described earlier: balancing the security of information assets against the need to enable the business, ensuring compliance, and maintaining cultural fit. Firms that achieve these objectives will have a highly effective information security function and related strategy that is business driven and strategically focused. Our research has examined how companies achieve a strategically focused information security strategy and what such a strategy looks like in practice. From our findings, we have distilled five guidelines for information security management.

1. Determine the Appropriate Balance Between Enabling the Business and Protecting Information Assets

One of the primary tasks security managers face is to determine the balance between enabling the business and securing information assets. Overprotection through strict controls may inhibit business responsiveness, while lax controls may create unacceptable risks for information assets. As security managers seek to determine the optimum balance between these competing objectives, they must consider a multitude of factors, such as the organization’s culture and specific compliance requirements as well as certain information risk factors that are industry- or even firm-specific. The way in which they reconcile these two competing objectives may be idiosyncratic in nature and linked closely to specific contextual factors at the industry or firm level. The end result is that the security orientation may seem paradoxical and look considerably different from one company to the next, even for firms within the same industry.

A prime example is the different security orientations we observed at Petro 1 and Petro 2. The security manager at Petro 2 characterized the company’s orientation as “Deny by Default”: access to information was automatically denied unless a justifiable business case could be made for access. In contrast, Petro 1’s orientation was characterized as “Anytime-Anywhere,” meaning that users would automatically be given access to information provided it could be done safely. So while Petro 2 emphasized the relative importance of securing information assets, Petro 1 emphasized the opposite.[20] In spite of these differences, both firms were judged to be among the most effective at information security. This example illustrates a key point for security managers: what works for one company may not work for another. Since aspects of different firms’ security environments may be unique, their perceptions of the relative importance of enabling the business and protecting information assets may vary widely. Because of this, security managers should be cautious about adopting “out-of-the-box” security solutions and security practices from other organizational contexts without first examining their own combination of business, security risk, compliance, and cultural factors.

2. Use a Balanced Approach to Achieving Information Systems Security Objectives

Security objectives cannot be achieved by following a purely technically focused strategy. Instead, companies must adopt a balanced socio-technical approach that gives equal weight to technology and to the socio-organizational context as key elements of an effective security strategy. When pursuing their risk management strategies, security managers must be adept both at applying technology and at applying organizational integration and social alignment mechanisms to ensure that information security aligns with the business organization and culture. The balanced socio-technical approach will result in the alignment crucial to facilitating convergent intentions, shared understandings, and coordinated procedures between information security and other organizational constituents.[21] The firms we studied clearly achieved alignment through multiple organizational and social alignment mechanisms targeted at numerous levels of the organization to mutually reinforce the mission, plans, and objectives of information security with the business.[22]

[20] Interviewees indicated that the respective cultures of Petro 1 and Petro 2 were a major factor in these different orientations.
[21] We draw from Chan’s (2002) discussion of business-IT alignment to adapt to the context of information security alignment with the business organization.
[22] Chan, Y., op. cit., 2002.

3. Implement Formal Structures to Achieve Security Objectives

Companies must institute formal organizational structures to define decision-making rights and responsibilities for information security.
Putting in place an information security organization, a top security executive (the CISO), and an internal audit function will help to facilitate the organizational integration needed to achieve security objectives. Further, these types of structures signal the importance of information security at the enterprise level. However, since all the security managers we interviewed reported to the corporate IT function, our results could potentially be biased in favor of this approach. Other types of formal structure appropriate to achieving security objectives may exist for firms where the security function does not report to the IT unit.

4. Complement Formal Structures with Coordinating Mechanisms

While formal structures are important, our research suggests that, by themselves, they are not sufficient for achieving security objectives. The formal structures must be complemented by both coordinating structures and coordinating processes to facilitate decision making and communication among the different groups performing distinct tasks related to information security.[23] More specifically, a range of coordinating structures and processes are needed to facilitate decision making and communication among constituents such as the CISO, IT audit, the CIO, senior management, and various other business managers. The firms we studied had developed well-defined coordinating mechanisms to complement their formal structures as a means of facilitating the level of integration needed to achieve security objectives.

5. Recognize the Importance of the Social Environment

Security managers and executives must recognize that a social environment conducive to security is vitally important to the overall security program. Developing such an environment through the application of social alignment mechanisms should therefore be a key element of any security strategy.
However, we believe social alignment is one of the most overlooked aspects of security and also one of the most challenging and elusive to accomplish. Part of the challenge is that social alignment is a multi-faceted activity achieved through both formal organizational programs and informal organic mechanisms. The primary formal social alignment mechanism we identified was organizationally sponsored security awareness programs. All the firms we studied had such programs and used a wide range of tactics to build awareness among organizational members of the importance of information security. Our interviewees suggested that informal social alignment mechanisms are as important as formal awareness programs. Foremost among these is executive leadership. Those interviewed indicated top management was keenly aware of the importance of information security and very supportive of and engaged in security initiatives. Such interest signals the importance of information security to the rest of the organization and helps to establish a strong value system surrounding security. The message conveyed to the firm’s stakeholders when they see top management championing the cause of information security may be as important a part of the firm’s security program as are the objectives, policies, procedures, and technologies. Leadership is also important at the level of information security executives. Security executives must be business-savvy and have the social skills to interact with constituents both inside the firm and externally in boundary-spanning roles to build informal social networks.

[23] Malone discusses the importance of coordinating mechanisms as a means of coordinating work among multiple organizational stakeholders. See Malone, T. W. “Modeling Coordination in Organizations and Markets,” Management Science (33:10), 1987, pp. 1317-1331.
Forging such relationships provides a social framework for the mutual transfer of knowledge pertinent to security and for security professionals to mentor their business counterparts in sound security practices. Additionally, the social capital developed through such mentoring relationships is likely to make business partners more willing to approach security professionals for advice. While technical skills are important, they do not appear to be the primary qualification for being an effective security executive.[24]

[24] The CISO of Petro 2 had a financial/accounting background. While not having technical expertise himself, he had access to others in the security team with deep technical knowledge.

CONCLUDING COMMENTS

There is no “silver bullet” for effective information security; no single technology or mechanism is sufficient to ensure success. Rather, effective security is achieved holistically through the application of multiple organizational and social alignment mechanisms combined with competence in technology as part of an overall socio-technical strategic focus on information security. Because of the multifaceted nature of this approach, information security executives and senior management alike should consider information security as a business issue, not a technical one.[25] This focus underscores the importance of having business-savvy CISOs and senior managers who recognize the importance of a strategically focused enterprise-wide information security program. As security executives seek to develop such programs, they should focus on the application of the general management guidelines provided in this article. Given the context-specific nature of information security, these guidelines can be applied to ensure effective information security management in different organizational settings.
APPENDIX: RESEARCH METHODOLOGY

To achieve our goal of understanding effective information security governance practices, we chose to conduct field research through interviewing corporate IT executives and security managers from firms judged to be highly effective in their security programs. A specific interview protocol was designed to gain insights about features of the security strategy as well as specific organizational processes, structures, and social relationships that facilitated the security strategy.[26] All companies in the sample had security managers reporting to the IT function. The companies selected for the research were identified through the objective ratings of a third-party consultant to ensure they were effective in their approach to information security. The consultant’s rating was based on the degree to which each firm’s information security program was judged to be comprehensive in terms of having an overall security strategy and top management support. As a secondary measure of effectiveness, we relied on self-reported data from the security executives interviewed. All respondents were relatively satisfied with the effectiveness of their security programs, using “a lack of reported incidents” as their primary metric.[27] Finally, we selected mostly large, complex organizations in the belief that such organizations would have fairly mature information security functional groups. As the table below shows, we interviewed one or more people from 11 organizations, 5 of which were Fortune 100 companies and 3 Fortune 500 companies.

[25] Goles, T., White, G., and Dietrich, G., op. cit., 2005.
[26] A full list of interview questions is available by request from the authors.

ABOUT THE AUTHORS

Tim Kayworth (timothy_kayworth@baylor.edu) is Associate Professor and Department Chair of Information Systems at Baylor University’s Hankamer School of Business.
His research focuses on understanding the role, value, and governance of information technology in organizations. His work has been published in MIS Quarterly, Journal of Management Information Systems, European Management Journal, DATABASE, and other leading MIS journals and conferences.

Dwayne Whitten (dwhitten@mays.tamu.edu) holds a D.B.A. from Louisiana Tech University and is an Assistant Clinical Professor of Information Systems in the Mays Business School at Texas A&M University. His research interests include IT security, IT outsourcing, and service quality. His research has been published in journals including the Harvard Business Review, Journal of Operations Management, Decision Sciences Journal, European Journal of Information Systems, Journal of Strategic Information Systems, Journal of Management, Information & Management, Communications of the AIS, and International Journal of Human Resources Management.

[27] There is some evidence indicating cyber security incidents might go unreported or at least under-reported. See Predictions for Security and Privacy Report, Aberdeen Group, January 7, 2003.
Description of Participating Organizations and Managers Interviewed

Fortune 100 Companies
• Financial Services (FinServ): Security Director
• Petroleum (Petro 1): Security Lead to Global Operations Services Group; Director of Global Security
• Petroleum (Petro 2): Security Standards and Controls Manager; Security Architect; Security and Consulting Manager
• Food Distribution (Distribution): Director of Security
• Technology Services (TechServ): Chief Privacy Officer
Fortune 500 Companies
• Hardware Manufacturing (ITProducts): IT Security Manager; IT Security Architect; IT Auditor; Network Security Manager; Security Analyst
• Clothing Retailer (Retail 1): Director of IT Security
• Clothing Retailer (Retail 2): Director of Data Center Operations; Manager of IS Security and Quality Assurance
Other Companies
• Technology Consulting (TechConsult): Director of Technology Advisory Services; Partner
• Oilfield Services (OilServ): Security Operations Manager; Global Operations Manager - Information Security
• Gas and Oil (Energy): Information Security Manager

MIS Quarterly Executive Vol. 9 No. 3 / Sep 2010. © 2010 University of Minnesota. Copyright of MIS Quarterly Executive is the property of MIS Quarterly Executive and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.

THE ROLES OF POSITIVE AND NEGATIVE EXEMPLARS IN INFORMATION SECURITY STRATEGY

Richard G. Taylor, Texas Southern University
Sammie L. Robinson, Texas Southern University

ABSTRACT

The strategic approach used to manage organizational security is strongly influenced by management’s perception of risk. These perceptions often lead executives to focus on the use of technology-based solutions.
Such solutions, aimed primarily at keeping data safe from outsiders, overlook the potential that more severe security breaches may be perpetrated by trusted insiders. Behavioral concepts such as ethnocentrism, group membership and intergroup bias form the basis of an investigation aimed at developing our understanding of information security as a social issue. This paper considers the influence of in-group trust and out-group distrust, and the potential impact that positive and negative exemplars have on information security strategies.

Keywords: Information security, ethnocentrism, intergroup bias, exemplars

INTRODUCTION

On September 11, 2001, two planes crashed into the World Trade Center in New York City. Most of us can recall where we were on that morning. For many of us, hearing the date, or remembering 9/11, evokes strong emotions, causing us to automatically feel fear, sadness, hate … or an overwhelming sense of patriotism. By contrast, another date, August 2, 1988, probably does not have the same effect. What thoughts come to mind when you think of the name Barack Obama? Again, does the name evoke strong emotions, positive or negative, depending on your political views? For many African-Americans his name evokes a sense of accomplishment and a belief that anything is possible. Each of these can be considered an exemplar: a representative example of what typifies a person, group, event or instance (Zhou, 2008). Exemplary people and events have such an impact that when encountered, they trigger or activate an automatic affective response. This paper will examine how such exemplars, both positive and negative, play a role in an important organizational context: information security strategy. Evidence gathered since the 1980s suggests that organizations continue to be victims of serious incidents that put their information at risk (Hoffer & Straub 1989; Taylor, 2006; Taylor & Brice, 2012).
Academy of Information and Management Sciences Journal, Volume 17, Number 2, 2014

Occurrences of information security breaches continue to be an issue even though there are continually highly publicized events that amplify the risk potential to organizations (Kasperson et al., 1988). These breaches should serve as wake-up calls for managers. Security breaches by specific, named individuals (e.g., Edward Snowden) are well known to company executives and, understandably, cause them to reflect on the level of information security within their organizations. These executives become concerned that their organization could be vulnerable to the same type of attacks. However, many security breaches are perpetrated by individuals who remain unknown, such as the 2013 event that exposed Target customer information. Even though the names of the perpetrators are not known, the representative nature of such events, as exemplars (Zhou, 2008), leads executives to question their vulnerability. These recent high-profile incidents support the contention that information security is currently not being adequately addressed, leaving many organizations critically exposed. Clearly, security remains a top concern for IS managers, who acknowledge escalating risks to organizational information resulting in financial losses for their organizations. To address the issue of vulnerability to information security threats, organizations must change their current perspective on information security and adopt a new view. The current view of information security is very technology oriented (Taylor, 2008). As a result, organizations spend heavily on technology-based solutions to protect organizational information. These technology solutions include firewalls for perimeter security, anti-virus software to prevent viruses and worms, and intrusion detection systems to discover potential abusers (Cavusoglu, et al., 2005).
Properly installed and maintained, these hardware and software solutions do create a solid foundation for effective information security. However, these technology-based solutions are primarily intended to prevent outsiders from gaining access to organizational information and are thus inadequate to prevent all security breaches. This can ultimately create a false sense of security for an organization (Frolick 2003, Taylor 2006, Taylor & Brice, 2010). The authors’ position is that along with these technology-based solutions, organizations must also adopt a human-based approach to address the information security risks introduced by the social and cultural aspects of the human element (Frolick 2003, Taylor, 2008). Understanding information security as a social issue calls for an investigation of organizational behavior issues that may affect information security. While several such issues may merit consideration, this paper will consider the influence of exemplars, both negative and positive, associated with group membership.

CLASSIC ETHNOCENTRISM & GROUP MEMBERSHIP

Ethnocentrism is part of a “family of constructs” (Raden 2003, p. 803) in the general area of prejudice. Classic ethnocentrism is a special and distinctive form of bias. According to Hewstone, Rubin, and Willis (2002), intergroup bias refers to the tendency to evaluate members of one’s own group (designated the in-group) more favorably than non-members (designated the out-group). This group-serving tendency involves favoring the in-group (“us”) and/or derogating the out-group (“them”). The term “bias” implies that this favoring and/or derogation involves an interpretive judgment that may be unfair and unjustifiable (Brewer & Brown 1998). Throughout history societies have formed group relationships for the purpose of survival, thus creating in-groups. Those not associated with one’s in-group were considered the out-group.
Sumner (1906) coined the term ‘ethnocentrism’ to refer to positive sentiments toward one’s in-group: pride, loyalty, and perceived superiority. Being attached to an in-group does not necessarily mean there is hostility toward the out-group (Allport, 1954); it may simply represent a preference for one’s in-group. Raden (2003, p. 805) characterizes this absence of hostility as forms of ethnocentrism involving “simple in-group bias” and “mere in-group preference”. However, hostility toward the out-group is not uncommon. If out-group members are perceived as posing a threat, strong intergroup bias will exist (Stephan & Stephan 2000). Threats can involve the in-group’s social identity, values, or goals, and may or may not be realistic (Esses, Jackson, & Armstrong 1998). Derogation of an out-group is often associated with fear of the out-group members (Stephan & Stephan 2000). In its classic formulation (Sumner, 1906), the connection of favorable evaluations of one’s own group with negative evaluations of other groups, as when an in-group rates itself favorably and an out-group unfavorably on the same traits, is central, even essential. According to Raden (2003, pp. 803-804), “the distinguishing feature of the ethnocentrism construct continues to be that it jointly involves attitudes (emphasis added) of the in-group toward both the in-group and the out-group”. Research in the area of intergroup bias has also established the concepts of in-group trust and out-group distrust (Allport 1954; Brewer 1979; Brewer 1999). Favoring takes the form of trust in and among in-group members; derogation occurs because there is distrust of out-group members. The psychological expectations of in-group members result in a high level of interpersonal trust in and among “us” in-group members. “… in-groups can be defined as bounded communities of mutual trust and obligation that delimit mutual interdependence and cooperation.
An important aspect of this mutual trust is that it is depersonalized, extended to any member of the in-group whether personally related or not. Psychologically, expectations of cooperation and security promote positive attraction toward other in-group members and motivate adherence to in-group norms of appearance and behavior that assure that one will be recognized as a good or legitimate in-group member” (Brewer 1999, p. 431). In-group trust and out-group distrust can also be attributed to the “homogenous effect” (Judd & Park 1988). Members of an in-group are seen as homogeneous, with behavioral expectations based on positive exemplars; members of the out-group are also seen as homogeneous, but behavioral expectations for them are highly influenced by negative exemplars.

EXEMPLARS & EXEMPLIFICATION OF GROUP MEMBERSHIP

The concept of exemplars has been used extensively in psychology, communications studies, organizational behavior, and strategic management research (Brauer, 2000; Thomas, Schermerhorn and Dienhart, 2004; Lockwood et al., 2005; Zhou, 2008). An exemplar is a representative example of a type of object or thing; a model that is typical of a person, group, event or instance. An exemplar can be an individual, that person’s situation, or an event happening to and/or around the individual if it models shared group attributes (Zhou, 2008). Exemplars offer concrete information about typical individuals and representative experiences that raise issues in a given setting (Zhou, 2008). Exemplars are activated during attitude assessment (Sia et al., 1997), and they offer heuristics to simplify and expedite information intake and utilization (Brosius, 2003). This process is especially pertinent in organizational contexts where evaluations and judgments are often made and responsive behavior and actions are the result.
Conceptually, exemplars represent an idea or mental image that allows items sharing common properties to be grouped together or categorized as either person-based or event-based. Exemplar representation “may be constructed on the basis of actually perceiving the stimulus object, imagining it, being told about it second-hand, etc” (Smith, 1998, p. 411). As Reisberg (2006) notes, the more frequently an item is encountered, the more stored representations of it will be held in memory. Research on the characteristics of exemplars often focuses on their vividness and salient nature to explain effects (Zillmann & Brosius, 2000). Vividness can come from the power of the language used to describe the exemplar, the imagery it evokes, or the emotional value attached to the instance when it occurs. Salience refers to those aspects of the exemplar that draw more attention because they stand out due to their unusual character. The use of emotion-evoking imagery has been found to create perceptions and dispositions that actually gain strength over time. The presence of exemplars automatically activates affective responses. This exemplar activation is unintentional (Macrae et al., 1998).

POSITIVE EXEMPLARS

A positive exemplar, as an individual, is one whose conduct should be emulated. A positive exemplar can also be an instance or event that is worthy of being repeated. As the representation of an ideal, an exemplar is worthy of imitation, serves as a pattern or archetype, and deserves to be copied (Merriam-Webster, 2014). An example of a positive exemplar is Dale Beatty, a 2013 CNN Hero of the Year, who founded an organization that built or modified homes for disabled veterans.
A single exposure to a positive exemplary act is a sufficient condition for the influence process to occur; a series of such events can help build mindful behavior in areas such as ethics (Thomas, Schermerhorn & Dienhart, 2004), workplace safety (Gyekye & Salminen, 2005) or any area of strategic emphasis (Zillmann, 1999). Thomas, Schermerhorn & Dienhart (2004, p. 57) showed that leaders who are viewed as positive exemplars can influence a substantial majority of an organization’s membership. However, it should be noted that individuals may consider themselves to be the positive exemplar. In such instances, therefore, that individual’s judgments about fellow in-group members are based on their own self-perceived positive behavior (Brauer, 2000; Judd & Park, 1998; Park & Rothbart, 1982).

NEGATIVE EXEMPLARS

In contrast, negative exemplars represent behavior or situations that are undesirable (Reisberg, 2006). In the case of a negative exemplar, recipients can give disproportionate attention to an errant actor or to a concrete, often vividly displayed event that engages the emotions. Negative exemplars can motivate others to avoid a specific behavior or an event that may result in an unpleasant fate (Lockwood et al., 2005). For example, the recent death of actor Paul Walker, who died in a car accident attributed to excessive speed, may motivate others to avoid fast driving, especially when he (Paul Walker), or the actual event, is recalled. Lockwood et al. (2005, p. 1) describe an advertising campaign featuring an overweight teen named Eddy, who “has a passion for burgers, butts and his sofa”, that is aimed at encouraging teens to eat healthily. The purpose was to depict Eddy as a negative exemplar whose behavior, if emulated, would result in becoming overweight.
The strategic use of exemplification in addressing issues is effectively the starting point, in that the world of exemplars, examples, or representations influences perceptions of and judgments about phenomena and issues encountered in the organizational context. Their vividness, salience and affective characteristics explain how groups of people will blindly trust members of their in-group, while out-group members are shrouded by suspicion, distrust, and hate, even when little is known about the actual members of the out-group (Insko, Schopler, Hoyle, Dardis & Graetz, 1990). Exemplars, both positive and negative, and exemplification theory form the basis of this investigation of the influence of group membership on managers’ perceptions of information security risks in their organizations. The discussion in the next section raises and addresses the connections between managers’ biased perceptions and information security behavior.

GROUP MEMBERSHIP AND INFORMATION SECURITY RISK

Past research on intergroup bias was primarily focused on societal-level biases; however, these same principles can be applied to business organizations and the philosophies they use to create their information security strategies. We expand the concept of ethnocentrism to include not only beliefs or attitudes, but also expectations about the practices, actions and behaviors that members of a group are likely to perform. This research investigates what happens when biases based on group membership lead to in-group trust (favoritism) and out-group distrust (derogation). In the information security context on which this paper is based, the in-group is composed of persons who are employed by the organization, while the out-group consists of everyone else. Members of an in-group are expected to act one way, generally in compliance with security measures and accepted industry standards of practice.
Members of the out-group, however, are subject to suspicion based on the perception that they are likely to engage in behaviors that are detrimental to the maintenance of information security. Such suspicion is grounded in the forms of bias (e.g. in-group trust and out-group derogation or distrust) that are described in the preceding paragraph. Perceived threats from outsiders seem to be the driving factor for an organization’s information security strategy (Taylor, 2008). Hence, out-group distrust is evident in most aspects of an organization’s security strategy. Management utilizes physical security measures to keep the organization protected from outsiders through the use of door locks, electronic entry systems, video cameras, and security guards. Information security management is approached in the same manner. Technological solutions such as firewalls and intrusion detection systems are put in place for the primary purpose of keeping an organization’s information protected from outsiders—the out-group. Internal information security measures directed toward in-group members are generally less stringent. Managers may require employees (members of the in-group) to change passwords, attend security awareness training, and review policies and procedures on an annual basis. These practices reflect managers’ overall beliefs about the willing, compliant behavior of subordinates, who represent in-group members. Both in-group and out-group members can be the source of information security threats. However, group membership influences management’s perception of both the source and the severity of the threat posed to information security. Perceptions about the existence or severity of the threats that underlie organizational information security management are based largely on group membership.
According to Park and Rothbart (1982), in-group judgment can be at the group level or based on a particular member of the group, including the self. This notion can be applied to perceptions about the security behavior of in-group members. Positive security behavior can be influenced by positive exemplars. Often the manager(s) ultimately responsible for security management (the self) represent positive exemplars. Managers trust that employees are reading information security policies and adhering to established norms to protect the organization’s information. These expectations exist because the managers themselves follow policies and norms and therefore blindly trust that other employees (in-group members) will do the same. In organizations, as well as in society, such in-group trust (as well as out-group distrust) can also be attributed to the “homogenous effect” (Judd & Park, 1988). Members of an organizational in-group (the employees) are seen as a homogeneous group whose behavioral expectations are “similar to” and based on a positive exemplar (e.g. the manager). In-group trust is a significant contributor to information security risks. For example, research (Dhillon, 2001; Taylor, 2006; Taylor & Brice, 2012) confirms that in-group trust is grossly overlooked as a factor in information security management. In-group trust can result in fewer information security countermeasures and lower levels of employee monitoring (Dhillon, 2001), both of which have been identified as factors in increased information security risks (Straub & Welke, 1998). In this research, IT managers are considered positive exemplars, and in-group members are expected to follow their behavioral example (e.g. security practices). As a result, managers perceive fewer risks associated with information security breaches by in-group members.
We posit that such trust increases the potential for internal threats due to the gap between the expectations held by a positive exemplar and employees’ actual behaviors and actions. Managers whose trust in employees’ information security behavior is based on their confidence in fellow in-group members are the focus of our first hypothesis.

H1: Management perceptions of themselves as positive exemplars increase Information Security risks.

As with in-group members, members of the out-group are also viewed as being homogeneous, that is, sharing common within-group attributes and attitudes. Perceptions about security breaches by out-group members are influenced by the presence of negative exemplars. Although security breaches are carried out by individuals, for the most part it is the threat of external security events that represents the negative exemplar, as these are what guide management’s information security decisions. Accounts of high-profile security breaches, such as those mentioned earlier in this paper, identify events as the outside factors that can be characterized as negative exemplars. In other words, perceptions of threats posed by out-group members are based largely on the characteristics of the events with which these outsiders become identified, after those events take place. The perceived likelihood is that negative exemplars (events) will be perpetrated by outsiders. Therefore, managerial expectations regarding the behaviors of out-group members are highly influenced by persons such as Snowden or the anonymous hackers in the Target Stores case, whose actions trigger major events. This is supported by Linville et al. (1987), whose research showed that information about an individual member of an out-group or a specific event associated with an out-group is stored in memory, and subsequent group judgments can be made when these memories are recalled.
It can be expected that when managers recall Snowden (the actual individual) or the Target Store incident (the event) they will likely consider the potential risk to their operation and thus evaluate their organization’s information security protection against the specifically triggered event. The second hypothesis addresses the impact of management’s assessment of negative exemplars and perceptions of the associated risks.

H2: Management perceptions of negative exemplars decrease Information Security risks.

METHODOLOGY

As a research tool, the case study method is both appropriate and effective for investigating a complex subject such as information security, especially when the study offers a unique opportunity to observe what is becoming an increasingly important focus of organizational and management studies. Yin (1993) presents the domain of management information systems as an application for employing the case study method as a research strategy. He reports that management scholars have successfully extended the use of case studies beyond their traditional use as teaching tools (1993, p. 64). The growing interest in case studies as research tools serves a useful purpose for a phenomenon that (a) is broad and complex, (b) needs a holistic, in-depth investigation, and (c) cannot be adequately studied outside the context in which it occurs (Benbasat et al., 1987; Bonoma, 1985; Feagin et al., 1991; Yin, 2003). The case study makes it possible to “retain the holistic and meaningful characteristics of real-life events such as [the] organizational and managerial processes...” (Yin, 1984, p. 14) that accompany the continued expansion of management information systems. A holistic, in-depth investigation that follows a naturalistic approach to generating a qualitative understanding of information security concerns certainly offers advantages.
Lincoln & Guba (1985) outline a method that takes into account time, context and human social interaction, factors that foster a holistic view of the problem domain, especially within the scope of networked organizational forms, instead of the simplistic, one-dimensional explanation more suitable for hierarchically structured organizations (Dhillon & Backhouse, 2001). The case research strategy allows for a great deal of flexibility and individual variation (Cavaye, 1996). This makes the case study an ideal methodology for investigating the concerns of information security. Management information systems security is difficult to study outside the context in which it occurs (Benbasat, Goldstein, and Mead, 1987). It may be difficult to get honest answers to questions regarding information security. The case study method therefore allows the researcher to conduct probing interviews as well as engage in ethnographic observation of information security practices within the organizational context. For this case study, access was granted to a financial institution.

THE ORGANIZATION

Financial One (not the organization’s real name) is a financial institution located in a major metropolitan area in the southern United States. There are seven Financial One branches throughout the metropolitan area, with approximately 200 full- and part-time employees. Of the seven branches, one branch is housed at the Financial One headquarters. At this location are the executive offices, the information technology (IT) department, accounting, credit card services, wire transfers, and other back-office and support services. This organization was chosen for several important reasons. First, financial institutions are at greater risk because of the potential gain for perpetrators who steal or corrupt organizations’ information assets (Yeh & Chang, 2007).
For example, information systems in the financial services industry can provide access to customer credit card and account information. Second, the presence of both federal and state information security regulations puts pressure on affected organizations to ensure proper security measures are being taken. For these reasons, financial institutions would be more likely to emphasize information security than organizations in other industries (e.g., a restaurant chain). Finally, one of the authors served as an executive in this industry for over 10 years before entering the academic community, providing additional insight into the organizational environment and the issues facing the industry. Being considered an industry insider provided a high level of legitimacy with the Financial One staff, resulting in employees’ willingness to divulge information and permit greater access to organizational resources (Malone, 2003). Case study research requires a high degree of ethical consideration (Roth, 2005), especially when the research involves a sensitive subject such as information security. The CEO and CIO of Financial One served as “gate-keepers” who allowed access to the organization and its employees (Miller and Bell, 2002). It was important to keep these two individuals updated on a constant basis. Each staff interview was conducted with only the primary researcher and the subject employee present. Document review was conducted by the researcher alone after the documents were provided by the CIO. All other events were conducted with the CIO present. After each phase of the investigation, the CEO was briefed on the findings, and additional consent was sought (and granted) before moving ahead to the next phase of the research. Schwandt (1997) defines such briefings as member or respondent validation.
These member checks were initially made to establish the current level of information security. Their baseline perception formed a risk assessment of the information security systems that were in place. As the investigation progressed, these briefings were used to share and corroborate findings. These research activities establish what Lincoln and Guba (1985) refer to as the credibility of the process and help ensure the trustworthiness of findings. These authors developed four criteria that serve as case study research equivalents for internal and external validity, reliability and objectivity (Schwandt, 1997). Careful steps were taken to assure that the interviewee observations used to support results match the respondents’ views of the organization. Finally, the results reported herein are linked directly to the interview data in order to establish that findings are not simply products of the researchers’ imaginations. In accordance with the suggestion of Yin (2003), the authors concluded that conducting the case study within Financial One would be an effective method to obtain the in-depth data and generate the rich analysis needed to apply existing theory to a phenomenon in a different context, which is the aim of this study. We seek support for hypotheses that address the influence of positive and negative exemplars as the source of intergroup bias as applied to information security risks within organizations.

RESULTS

H1: Management perceptions of themselves as positive exemplars increase Information Security risks.

Table 1. Managers as Positive Exemplars (Positive Exemplar Analysis)

Employee                                                Exec 1  Exec 2  Exec 3  Exec 4  Exec 5  Exec 6  Exec 7  Exec 8
Will Give Out Password (exemplars/managers)             NO      NO      NO      NO      NO      NO      NO      NO
Others Will Give Password                               NO      NO      NO      NO      NO      NO      NO      NO
Would Fall For Social Engineering (exemplars/managers)  NO      NO      NO      NO      NO      NO      NO      NO
Others Would Fall For Social Engineering                NO      NO      YES     NO      YES     NO      NO      NO
Reviews IS Policies (exemplars/managers)                YES     YES     YES     YES     YES     YES     YES     YES
Others Review IS Policies                               YES     YES     YES     YES     YES     YES     YES     YES

Executives at Financial One were in unanimous agreement that their organization operated with a high level of information security. This belief was expressed in their personal observations, documented in reports from outside audit firms, and even based on “intuition”. According to the CFO: “I believe our information security is solid. My opinion is not based on our IT department, but based on what the so-called experts have told me. That’s where my decision is coming. Not that I have any concerns with our IT department, but if I hear it from an expert what else am I to believe?” The executives at Financial One considered themselves positive exemplars (Table 1). Because they believe that “our employees are well trained” in information security issues (CEO of Financial One), these executives believed their information security behavior was emulated by the other employees, who are considered members of the in-group. They expressed confidence that their employees read information security policies, would not share their password with anyone, and were not vulnerable to social engineering involving the gathering of confidential information through lying or other types of deception.
Evidence in support of this hypothesis comes from the application of exemplar theory to in-group and out-group trust in Financial One. The positive exemplar analysis of eight executives in this setting demonstrates that these managers acted in accordance with (1) their beliefs in their strength as positive exemplars and (2) an illusion of control that produced an optimistic bias that employees, as in-group members, would act accordingly. To verify the accuracy of management’s perceptions, employees throughout the organization were interviewed. Employees have been shown to be the best source for understanding the behavior and actions of their peers (Murphy & Cleveland, 1991). Behavior that is observed by employees is different from that observed by management, because employees have opportunities to see a wider range of behaviors of which managers may not be aware.

Policies

Organizational security models have stressed the importance of the establishment and implementation of security policies (Segev et al., 1998). Security policies at Financial One were posted on the company’s intranet and updated continually as needed. All employees were encouraged to read the security policies. Every year employees were required to sign a document verifying that they had done so. Because of the existence of policies that had been established to protect organizational information, management perceived that these policies were being followed by the staff. It was also perceived that department supervisors were effective in the enforcement of these policies. The executives who were interviewed were aware of organizational information security policies and procedures. As positive exemplars, they believed that others would be as well. Furthermore, these executives regularly reviewed and followed information system policies and assumed that the employee in-group members did so also.
Statements made by employees did not, however, confirm the executives’ belief regarding reading policies. One employee admitted receiving the handbook, and was aware that it was online, but stated: “I haven’t read the handbook to be honest with you. I guess I might have pulled it up to find the answers to things that I have questions to…but it’s going to be on something that interests me like wage compensation, raises…merit raises…stuff like that…but not security stuff.” This sentiment was confirmed by other employees within the organization. When one was asked about reading security policies, she replied: “For someone that has been here for five or six years then they know it…they know what they are supposed to do.” Yet, when the same employee was asked if she was aware that it was against company policy to give out her password, she replied, “…our company has a policy like that?....no [I was not aware of it]”. Interviews with other employees at Financial One provided additional support for the hypothesis. Interview data also supports previous findings that managers may feel overly optimistic regarding their employees’ awareness of organizational security policies (Taylor & Brice, 2012). When interviewed, the executives also pointed to the existence of a policy that stressed the importance of shredding sensitive information. “Anything dealing with customers’ accounts goes to that shred bin and it’s kept locked up in a back room with the door shut and the cleaning people don’t go into. We are pretty good about putting things in shredder bins. Could I 100% say there is nothing in there [the trash], but all in all the chances of it happening are very slim.” To emphasize the importance of this policy, each employee workstation was equipped with a trash can (black) and a shred can (blue).
According to the security policy, each employee was responsible for emptying their blue shred can each night into a larger shred bin that was located in a secured area. However, through personal observation by the first author of this paper, who was allowed to remain on the premises after hours while the CIO was present elsewhere in the building, it was noted that employees did not empty their shred cans into the dedicated shred bin. It was further noted that the evening cleaning crew stopped at each desk, where both the black trash can and the blue shred can were emptied into a single trash receptacle. Contents of that receptacle were then bagged and thrown into the outside dumpster. Employees expressed surprise when asked about this the next day. They assumed that their blue shred cans were being picked up each night and taken to the dedicated shred receptacle.

Passwords

Notably, there is another security policy at Financial One that requires employees not to share or reveal their system passwords to anyone. When asked if they thought employees would give out or share their system password, management unanimously declared that employees would not. Managers felt that employees were well aware of existing policies and that they fully understood the importance of protecting their system passwords. “I wouldn’t sit here and tell you that it would be 100%, depending on who was asking, some people would probably offer it up, but overall most would not.” Based upon interviews with Financial One employees, it was noted that although most employees were aware of the policy, it was not an uncommon practice to share passwords if deemed necessary. An employee confirmed that she would give her password to anyone in the IT department, to the VP of Branch Operations, and to her Branch Manager. She stated that she had shared her password on several occasions.
Employees of the IT department also admitted to sharing passwords among themselves when it was necessary for one of them to access a system they did not generally have access to. To further test whether employees would give out their password, the IT department was asked to call 60 employees (in-group members) from all levels of the organization and simply ask them for their password. Of the 60 calls that were made, they obtained 10 voicemails and 50 passwords. Employees who surrendered their passwords had their passwords automatically reset, forcing them to change them immediately. Two of the passwords were received from executives who had stated they would not give out their password (as shown in Table 1). When informed of this, the CEO expressed both surprise and concern: “It’s like IT was saying here’s a lollipop give me your password…but they weren’t even giving them a lollipop….they just asked for it.”

Social Engineering

The infamous hacker Kevin Mitnick stated that he rarely relied on hacking to access a company’s computer system, because technology controls were getting better at preventing outside access, and even though he could still get through most of the controls it took a lot of effort. With social engineering, however, he said it was like taking candy from a baby (Mitnick & Simon, 2002). Executives at Financial One were asked if they would fall for social engineering attacks. They each gave assurances that they would not. Again relying on themselves as positive exemplars, they believed their employees were also too well trained to fall for the deceptive tactics. Notable exceptions were the two executives mentioned in the preceding section, who did not have the same level of confidence in their employees, presumably because they had themselves violated the password policy (Table 1).
Financial One employees were told about a scenario used by infamous hacker Kevin Mitnick in which he would randomly place CD-ROMs throughout an organization in areas, such as restrooms, where he was allowed and that employees would typically go. The CDs would be labeled “Employee Salaries”. Any employee who was tempted to look at this CD would have keystroke-capture software installed on their computer. The results were then emailed to Kevin, which would automatically give him access to the organization’s computer system. In response to hearing the scenario, one employee offered this observation: “I think you have people that would be nosey enough to stick it in their CD ROM and try to look at it.” A second social engineering scenario was presented to the employees: someone claiming to be an employee of their primary information system vendor called and described a fictitious problem that required the employee’s password to correct. The “vendor” thus tricked the employee into revealing their password. In response, a different Financial One employee observed, “Wow…that’s pretty good…I bet at least half of the people would fall for that.” When given the two social engineering scenarios, most of the employees admitted that they would fall for one or both of them, again providing support for the hypothesis. Additional support for this hypothesis comes from the fact that the researchers consistently found evidence of blind trust in the in-group employees. The fact that these executives were dealing with employees who were known to them personally as individuals compounded the risks of insider threats to information security.
“Most of the guys have been here for almost as long as I have or a lot longer…so I would tend to trust them more than someone brand new walking in the door.” The CEO believed that the in-group members were displaying good security behavior based on his perception that employees followed his own exemplary behavior: “We have a lot of in house expertise and I think we have devoted a lot of resources trying to provide good security. I think that we have had pretty good performance down the line. It’s more intuitive than data based”. As seen in the previous quote, the CEO’s expressed optimism that employees were performing well when it came to information security was based entirely on his intuition. This lack of concern about security risks was rooted in the confident, optimistic perception that employees would follow his exemplary security behavior. These findings demonstrate that management was clearly unconcerned with negative employee behavior with regard to information security. Due both to the executives’ perceptions of their influence as exemplars and to their beliefs that their employees’ (in-group members’) behavior was not a threat, the issue of information security was not adequately addressed. Management put too much trust in their employees, resulting in a lack of monitoring and supervision, which ultimately increased information security risks within their organization, thus providing support for Hypothesis 1.

H2: Management perception of negative exemplars decreases Information Security risks.

In this case the negative exemplars are actually events that trigger the affective response. Findings in this study indicate that negative exemplars affect managers’ perceptions of threats to information security posed by out-group members.
Thus, threats posed by out-group members increased awareness of the probability of their occurrence, which ultimately leads to increased security measures. Consider these observations by the CEO and COO of Financial One: “When you’re working out front, seeing people come in with long coats and ski masks on is typically a bad sign. With online stuff, you can’t distinguish who will try to get into your system. Could be some kid, an ex-employee, or some professional hacker. There’s no way to know.” The impact of the media can also have “lasting effects on impressions, beliefs, and associated disposition” (Zillmann, 1996, p. 70), which heightens the executives’ awareness of security threats. “I hear stories on the news or read about them in the paper…they really concern me. I remember one night on the news where people’s cancelled checks showed up in gift baskets. They were shredded….but they could easily be put back together.” When information security incidents occur in a manner with which the executive is more closely associated, a personal connection is made, which further strengthens the impact of the negative exemplar (Aust & Zillmann, 1996). In this instance, the CEO has an increased affective reaction because the incident occurs in the same industry, and even more so because it is in close proximity to him. “We always think it won’t happen to us, but it still hits home when I read in the newspaper or see on TV that a bank has had a security incident…especially if it’s local. If it can happen to them it can surely happen to us.” In each of these instances, the negative exemplar was an event (e.g. shredded cancelled checks showing up in gift baskets, security incidents).
Only after a security breach occurs (Snowden) or when an event compromises or threatens information security (Target Department stores), identifying the perpetrator and characteristics of the individual and outgroup becomes an important consideration as part of the effort to minimize the potential for a similar incident to occur at their organization. The possibility of such negative exemplars affects management’s perceptions of the threats and influences their decisions related to avoiding breaches and maintaining information security. When managers’ perceptions and expectations of the likelihood and severity of negative exemplars increase so does distrust of persons associated with such events. The lack of information in decision making is a psychological reality and can weigh heavily on the decisions that ...

Explanation & Answer

Attached.

Article Review, Outline

Article 1: The Roles of Positive and Negative Exemplars in Information Security Strategy

Richard Taylor and Sammy Robinson wrote this article to examine the elements that inform information security strategy in organizations. Taylor and Robinson reckon that the strategy management comes up with to secure its information depends on what it perceives to be an information risk.

Taylor and Robinson (2014) examine the behavioral concepts of ethnocentrism, intergroup bias, and group membership and how they contribute to information security strategies.

The authors chose a case study as a research tool. A case study is appropriate for this kind of research because information security is a complex topic. It is broad, requires extensive investigations, and needs to be studied within its context of occurrence.

Article 2: Effective Information Security Requires a Balance of Social and Technology Factors

Tim Kayworth and Dwayne Whitten wrote this article in 2010. They aimed to underscore the idea that for information security to be effective, organizations must endeavor to strike a balance between social factors and technology factors.

Kayworth and Whitten (2010) say that historically, many organizations and companies have been focused on ...

