Information Security Management System in Business Organizations in Saudi Arabia - Thesis Proposal Example

?Research Proposal: Information security management system in business organizations in Saudi Arabia Information is considered to be an important asset for any business organization in the modern competitive world. Along with the advancement and benefits of technology, new methods and techniques also prevail that threaten the confidentiality, availability and integrity of data. Incompetent business processes and operations also threaten the intellectual assets of the organization. It is due to these reasons that the information security management systems have become vital for organizations. Saudi Arabia is considered to be in the initial phases of the integration of technology in their business organizations. The paper will evaluate the status of the integration of information security in the organizations and the reasons for minimal adaptation of the respective system in the region. The paper will also include some productive techniques that can improve the position of information security management systems in Saudi business organizations. 1. Problem Statement The advent of computers has caused revolutionary changes in the way businesses are run. Information management systems have given a structured format to the business processes and operations. The intellectual assets of the company get organized into standard formats due to the integration of information technology. However, along with these benefits of IT incorporation, there exist concerns regarding the security and privacy of the intellectual assets that are maintained by the IT infrastructure. Confidentiality of the data is feared as the exposure of company’s data (to malicious intent users) can cause serious harm to the organization’s position in the market. Integrity of the data is valuable to the organization so that it is not modified by any source and thus, does not mislead the organization into making wrong decisions. Availability of the data is important to make it useful in the hour of need by the concerned authorities for effective decision making. It is due to some of these concerns that information security management systems have been devised and widely implemented in business organizations around the world. According to Tipton and Krause (2008); information security management system is defined as the set of steps that are undertaken to manage and safeguard the confidentiality, integrity and availability of the intellectual assets and data of the organization. Over the years, information security management systems have gained much fame and acceptance since all organizations want to ensure that their data is not threatened and manipulated at any level. The domain of information security management system has mostly been researched and adapted by Western countries like USA, UK and Australia. Countries like Saudi Arabia are relatively behind these developed countries in the criteria of incorporating technology in their business organizations. 2. Research Objectives The research of the proposed title will be conducted according to the following research objectives: To investigate the level of awareness of the Saudi business organizations about the need of implementing an information security management system. To research the different aspects that might be the cause of variation of endeavours for the integration of information security management systems between the Western countries and Saudi Arabia. To investigate the organizational processes that can increase the awareness and applications of information security management systems in Saudi business organizations. 3. Literature Review Before the proposal of some effective strategies, it is important to analyze the reasons of non-compliance with the information security management procedures in business organizations in Saudi Arabia. The respective country has shown commitment towards the incorporation and progress of information technology in their region. According to Ministry of Communications and Information Technology (2006), they even developed a National Communication and IT plan in 2005. It comprised of a five year plan and a ten year plan to ensure consistent growth in the respective field. Many of the organizations have opted for information management systems to manage their business processes; however, Hill, Loch, Straub and El-sheshai (1998) stated that there exists a lack of commitment towards the information security in the Saudi Arabian culture. Alnatheer and Nelson (2009) pointed out that this vulnerability to their intellectual assets and data can cause serious threats to their business organizations and government agencies since technology has intervened in almost all fields of life. Hofstede (2001) stated that the national culture of any region influences the organizational behaviour and culture. Tamas (2007) explained the five dimensions of culture that are known as Hofstede’s dimensions; Power distance, the extent to which the people with lesser authority acknowledge their status in the society. It is also referred to as the degree of acceptance of the unequal distribution of power in the society. Individualism, the strength of the ties between the people in the society. Individualism also promotes the concept of being concerned with self interests more than the betterment of the whole group or society. Masculinity, the extent to which the traits of competitiveness and aggression are favoured more than the development of relations. Uncertainty avoidance, the extent to which the people in the society accept and tolerate uncertainty. It refers to the capability of the people of a certain culture to take risks. Long term orientation, the extent to which the people practice long term commitment to their customs and values. According to Chadhar and Rahmati (2004), Saudi Arabia has been witnessed to possess a culture with high power distance, high uncertainty avoidance, low individualism, low masculinity and high long term orientation. These aspects prove to be barriers in the implementation of new technologies in the organizations and transformation of the people of the society into competitive individuals who would strive for better and more secure organizational cultures. It has been found that culture has a relationship with the formulation of security policies and implementation of information security management. Schlienger and Teufel (2002) stated that culture tends to have an effect on the information security policies and measures to ensure privacy of individuals and their data. He also stated that the security culture of a region comprises of the social and ethical actions that are required to enhance the information security in organizations. The awareness and realization of the importance of security tends to change the behaviours of individuals in the organization and makes the security compliant actions as a part of their routine operations. CISCO (2007) explained that the development of a security culture in the organization is important for the implementation of an effective information security management system. Alfawaz, Nelson and Mohannak (2010) stated that the top management of the organization needs to show their consistent commitment towards the incorporation of information security management system in their organization. He also stated that effective training programs need to be organized to create awareness about the required security measures in routine business processes in the organization. He placed great stress on the compliance to the information security standards and formulation of information security policies. Alfawaz, Nelson and Mohannak (2010) agreed with the relation and influence of national culture on the incorporation of information security management in the organization. Therefore, he proposed that the environmental traits should be identified that prove to be barriers in the process and devise plans and policies to overcome them. Schlienger and Teufel (2002) proposed techniques on the same lines as Alfawaz, Nelson and Mohannak (2010) and stated that the eradication of the negative environmental effects can result in the formulation of an effective security culture in the business organization. 4. Research Procedure A deductive research approach will be used to evaluate the different reasons for minimum implementation of information security management systems in business organizations in Saudi Arabia. The cultural aspects and dimensions of Saudi Arabia shall be studied in further detail to highlight their possible effects, thus proving to be hindrances in the adoption of the respective systems. The information security management system of a Saudi business organization shall be studied in detail to evaluate its effectiveness as compared to the successful practices of western organizations. Most effective techniques and approaches shall be researched that can facilitate the formation of information security processes in a way that it becomes a part of the routine for the employees. 5. Research Resources The following resources shall be utilized for the study of the proposed topic of research: Case Studies: Several case studies shall be consulted for the knowledge of successful practices that are adapted by organizations for the incorporation of information security management systems. Literature Review: Research will be done with the help of secondary data (available in published papers and conference proceedings). Online and offline articles: Relevant management and information security magazines shall be utilized for the research of the proposed title. 6. Ethical Aspects of the Research It is assured that the content of the report will not be copied from any source or individual. The analysis of the research findings shall be a result of self-comprehension of the studied materials, whereas due credit will be given to the authors whenever their work is included in the research. Any organizational data will not be used for false purposes and its usage will be limited to the extent of this paper. References Alfawaz, S., Nelson, K & Mohannak, K 2010, ‘Information security culture: A Behaviour Compliance Conceptual Framework’, Australasian Information Security Conference (AISC), Vol 105. Alnatheer, M & Nelson, KJ 2009, ‘A Proposed Framework for Understanding Information Security Culture and Practices in the Saudi Context’, 7th Australian Information Security Management Conference, 1-3 December 2009, Kings Perth Hotel, Perth. Chadhar, MA & Rahmati, N 2004, ‘Impact of national culture on ERP systems success’, Second Australian Undergraduate Students’ Computing Conference, Melbourne, Australia. CISCO 2007, Measuring and evaluating an effective security culture, Cisco Public Information. Hofstede, G 2001, Culture's Consequences: Comparing Values, Behaviors, Institutions, and Organizations Across Nations. Thousand Oaks, Calif: Sage Publications Hill, C., Loch, K, Straub DW & El-sheshai, K 1998, ‘A Qualitative Assessment of Arab Culture and Information Technology Transfer’, Journal of Global Information Management, 6(3), 29-38 Ministry of Communications and Information Technology 2006, The National Communications and Information Technology Plan. The Vision towards the Information Society, viewed 26 February 2011, Schlienger, T & Teufel, S 2002, ‘Information Security Culture: The Socio-Cultural Dimension in Information Security Management’, Security in the Information Society: Visions and Perspectives. Tipton, HF & Krause, M 2008, Information Security Management Handbook, Sixth Edition, Volume 2, Auerbach Publications, New York. Tamas, A 2007, Geert Hofstede's Dimensions of Culture And Edward T. Hall's Time Orientations, viewed 27 February 2011, Read More