Managing information risk and security - Essay Example

Extract of sample "Managing information risk and security"

Table of Contents

Introduction
Risk and Actual Breach of Security
Cases of Cybercrimes
Risks management and disaster recovery processes
Individuating Protection Motivation and Mandatory Responses
Management: Security and Control
Conclusion

Introduction

Information technology and systems have given companies and organizations exceptional innovation in data and information management, deemed essential for organizational capacity development and corporate business strategizing. However, as sophisticated as this knowledge-based economy has become, organizations have likewise put up imperative measures to safeguard critical IS assets from system abuse and misuse: constantly upgrading and installing firewalls and anti-virus software, using encryption keys and protectors, running comprehensive monitoring systems, and scaling access control. IT-based corporations have also made it standard policy to restrict employees from breaching the organizational rules and requirements set out in the information systems security policy (ISSP), to ascertain that their behaviours are aligned with the need to secure the company's database.

This paper will qualitatively discuss the importance of managing information risk and security, using peer-reviewed journals and books from online sources. The researcher will attempt to bridge the theoretical constructs to advance the case for improving security management control in order to prevent security threats and protect internet systems from them and from cybercrime.

Risks and Actual breach of security

Recent internet research has documented data theft and the creation of malicious code to steal confidential information (Symantec Corporation, 2007).
Most of these breaches came about through gross negligence by employees in safekeeping the system. Computers and servers left open and accessible allow those with other interests to use databases and information for harmful ends. As IT has influenced how business and government discharge their functions, the risks too have doubled with the increasing number of hackers and cybercriminals. Cybercrime refers to web-based activities that include illegally downloading music files, stealing millions from bank accounts, creating and distributing viruses to other computers, and posting confidential information on the internet, including sex videos that were illegally taped. The most modern form of cybercrime is identity theft, where criminals use personal information from other users, including pictures. This is known technically as phishing and pharming (Techterms, 2013, p. 1). Criminals use others' information to attract users to fake websites that appear legitimate and that ask for personal information, such as usernames and passwords, phone numbers, addresses, credit card numbers, bank account numbers, and other information criminals can use to "steal" another person's identity (Techterms, 2013, p. 1). Much of this material circulates by email; thus thousands are victimized and taken advantage of by those who are unscrupulous in using technology (Techterms, 2013, p. 1). Easy prey are people whose computers lack antivirus and spyware-blocking software (Techterms, 2013, p. 1).

Cases of Cybercrimes

Some cybercrimes are also undertaken to embarrass governments because of resource-based conflicts with other nations.
In effect, a number of government websites have been defaced by groups of hackers to embarrass the IT security management of the state and to advance their political agenda by posting their demands and statements on agency websites. These are cases infamously carried out by Anonymous groups, perceived to be skilled and expert in information technology and to possess deep knowledge of web engineering and decoding. Techopedia (2013) further explained that cybercriminals are persons who commit cybercrimes against specific targets to carry out malicious activities, including virus distribution, and who use the computer as a weapon for conventional crimes such as spamming, fraud, and illegal gambling (p. 1). Others use their computers to store stolen data and information.

Specific cybercriminal activities include: writing code or programs for cybercriminal organizations; distributing stolen data and information; maintaining a cybercriminal organization's IT infrastructure (e.g. encryption technologies and databases); hacking and exploiting systems and applications; defrauding and deploying spam schemes and phishing; hosting and providing services for sites with illegal content; acting as cashier, providing account names to cybercriminals and controlling drop accounts; acting as a money mule to manage bank account wire transfers; transferring and laundering illegal money using foreign exchange methods; leading an organization of cybercriminals and creating cybercriminal teams; and other roles and functions that abet and support cyber-based organized crime by breaking into systems for personal gratification, including selling such expertise to the highest bidder. Izzio (2008) noted that the craftiest cybercriminals are those who operate completely under the radar of the FBI and other law enforcement agencies.
The CyberCrime Hall of Fame highlights the best hackers and criminals who remain at large. One entry is the WANK Worm (Worms Against Nuclear Killers) of October 1989, which hit NASA offices in Maryland and ran a banner on the system to protest the launch of the plutonium-fuelled, Jupiter-bound Galileo probe (Izzio, 2008, p. 1). Cleaning up after the crack cost NASA half a million dollars in resources, and the origin of the attack remained unknown, although it was suspected to have come from Australia (Izzio, 2008, p. 1). In February 1999, hackers from England took control of the Ministry of Defence's Skynet military satellite; the security intrusion was described as “information warfare” and disrupted military communications (Izzio, 2008, p. 1). The hackers were able to reprogram the control system before the authorities were able to track them. Although Scotland Yard's Computer Crimes Unit and the U.S. Air Force investigated, nobody was arrested (Izzio, 2008, p. 1). Another infamous cybercrime is the CD Universe credit card breach of January 2000, when 300,000 credit card accounts were posted online as The Maxus Credit Card Pipeline (Izzio, 2008, p. 1). Maxim, suspected to be from Europe, stole the credit card information by hacking CDUniverse.com and used the information to gain $100,000 from the website (Izzio, 2008, p. 1). The case remains unsolved. In December 2000, military source code that can control missile-guidance systems was stolen. Hackers broke into Exigent Software Technology's OS/COMET software and took two-thirds of the code intended for missile and satellite guidance (Izzio, 2008, p. 1). The intruder was named as Leaf, said to come from the University of Kaiserslautern in Germany (Izzio, 2008, p. 1).
Beale Screamer, with the FreeMe program, stripped some digital-rights-management security from music and video files (Izzio, 2008, p. 1). While Microsoft Windows Media hunted Beale, anti-DRM advocates praised him for the crime. These are just a few of the hacking incidents that have happened in the past (Izzio, 2008, p. 1).

Risk management and disaster recovery processes

Against the threat of information theft, IT organizations ought to use the components of their information systems, whether hardware or software, to ensure that information security and its systems behave as expected and produce reliable results. To attain this level of security management, however, system solutions must embed effective security design and policies. Human resources staff in an IT institution must motivate people to follow these policies and not to resist their rules. This will ensure that the organization is not exposed to data loss or put at risk from cybercriminals. The Federal Bureau of Investigation (2013) has advanced its efforts to counter denial-of-service attacks, network intrusions, and state-sponsored hacking that compromise national security (p. 1).

The cyber threat is growing, and in response, the Bureau must continue to strengthen its partnerships with other government agencies and private industry—and take the fight to the criminals. Network intrusions pose urgent threats to our national security and to our economy. If we are to confront these threats successfully we must adopt a unified approach that promotes partnerships and intelligence sharing—in the same way we responded to terrorism after the 9/11 attacks. Our mission was to use our skills and resources to identify terrorist threats and to find ways of disrupting those threats. This has been the mindset at the heart of every terrorism investigation since then, and it must be true of every case in the cyber arena as well.
Partnerships that ensure the seamless flow of intelligence are critical in the fight against cybercrime. Within government, the National Cyber Investigative Joint Task Force, which comprises 19 separate agencies, serves as a focal point for cyber threat information. But private industry—a major victim of cyber intrusions—must also be “an essential partner” (FBI Director Robert S. Mueller, FBI, 2013).

The FBI has organized the National Cyber Forensics and Training Alliance as a model for collaboration between private industry and law enforcement (FBI, 2013, p. 1). Its 80 industry partners, for instance, are now organized and currently based in Pittsburgh (FBI, 2013, p. 1). The alliance is backed by the financial services, telecommunications, retail, and manufacturing sectors, with strong partnerships with federal and international partners to provide real-time threat intelligence (FBI, 2013, p. 1). Another group, dubbed the Enduring Security Framework, is a collaboration in which leaders from the private sector and the federal government partner to analyse potential threats pertaining to denial of service attacks, malware, and emerging software and hardware vulnerabilities (FBI, 2013, p. 1). In addition, the Domestic Security Alliance Council, which consists of chief security managers from more than 200 companies in critical infrastructure and business sectors, is also taking a serious part in the network against cybercriminals (FBI, 2013, p. 1). Added to this is InfraGard, which since 1996 has expanded to 88 chapters and 55,000 members nationwide (FBI, 2013, p. 1). This year, the FBI conducted a 3-day National Cyber Executive Institute seminar to educate leading industry executives on cyber threat awareness and information sharing (FBI, 2013, p. 1).
The FBI relies on these initiatives to expand the channels of information sharing and collaboration as an approach to resolving the threats to corporate cyber security, threats that have caused extreme vulnerabilities for corporations, especially in the banking industry (FBI, 2013, p. 1). The institution is pushing to eliminate the threats and to deter or put behind bars those responsible for the crime, whether they are state actors, organized criminal groups, or 18-year-old hackers. Aside from building defences, the FBI has pressed forward in building better relationships to bring about an urgent resolution of these threats (FBI, 2013, p. 1).

Individuating/Collective Protection Motivation & Mandatory Response

IT experts, on the other hand, posit that all IT workers should likewise be imbued with theoretical knowledge to enable them to become proactive security managers of their own information networks (Ifinedo, 2012, p. 84). Research suggests that there are two theories of motivation that can be inculcated in them as experts in IT systems: protection motivation theory and the theory of planned behaviour (Ifinedo, 2012, p. 84).

Protection Motivation Theory (PMT) expands the health-related belief model in the social psychology and health domains and draws on expectancy-value theories and cognitive processing theories (Ifinedo, 2012, p. 84). The model was developed to clarify fear appeals and is considered one of the most influential or powerful explanatory theories for predicting a person's intention to take part in protective actions (Ifinedo, 2012, p. 84). The threat appraisal, or evaluation, motivates the coping mechanism and hence the protection appraisal (Ifinedo, 2012, p. 84). It allows the person to describe the danger and threat posed by threatening events and can be illustrated in these two systems: (i) Perceived vulnerability, i.e. an individual's assessment of the probability of threatening events.
In this study, these are threats resulting from noncompliance with ISSP. (ii) Perceived severity, i.e. the severity of the consequences of the event. In this instance, imminent threats to the security of the organization's information arise from non-compliance with ISSP.

The coping appraisal aspect of PMT refers to an individual's assessment of his or her ability to cope with and avert the potential loss or damage arising from the threat (Ifinedo, 2012, p. 84). This coping appraisal is made up of three sub-constituents: (a) self-efficacy, which emphasizes the individual's ability or judgment regarding his or her capabilities to cope with or perform the recommended behaviour; in the research context, it refers to the sorts of skills or measures required to protect the information in one's organizational IS; (b) response efficacy, which relates to the perceived benefits of the action taken by the individual; here, compliance with the ISSP is perceived as an effective mechanism for detecting threats to one's organizational IS assets; and (c) response cost, which refers to the perceived opportunity costs, in terms of money, time, and effort, expended in adopting the recommended behaviour of complying with ISSP (Ifinedo, 2012, p. 85). Experts are of the opinion that PMT is useful in predicting individuals' computer security behaviours both at home and in organizations for ISSP compliance (Ifinedo, 2012, p. 84).

The other protective and motivational theory is the theory of planned behaviour. The Theory of Planned Behaviour (TPB) suggests that individual behaviour is influenced by attitude, norms, and behavioural control (Ifinedo, 2012, p. 84). It is considered one of the most predictive persuasion theories and is widely used across differing domains (Ifinedo, 2012, p. 84).
It asserts that an individual's intention to comply with ISSP is strongly influenced by attitude, subjective norms, and perceived behavioural control (Ifinedo, 2012, p. 84). It is likewise used to investigate ethical behaviour in the use of information systems and the individual's decision to adopt acceptable computer security measures and comply with ISSP (Ifinedo, 2012, p. 84). The three components of TPB are: (i) Attitude, defined as the individual's positive or negative feelings toward engaging in a specified behaviour; in this study, it encapsulates attitude toward compliance with ISSP; (ii) Subjective norms, which describe an individual's perception of what people important to them think about a given behaviour; and (iii) Perceived behavioural control, which was influenced by Bandura's (1991) self-efficacy in social cognitive theory and refers to an individual's perceived ease or difficulty of performing or facilitating a particular behaviour (Ifinedo, 2012, p. 84).

Research posits that a positive attitude toward ISSP compliance augurs well for ISSP compliance behavioural intention; hence, positive values regarding the organizational ISSP produce favourable tendencies to comply with rules, requirements, and guidelines (Ifinedo, 2012, p. 84). Conversely, negative attitudes will reduce an individual's ISSP compliance behavioural intention (Ifinedo, 2012, p. 84). Such positive compliance bolsters self-efficacy, with a positive effect on ISSP compliance behavioural intention (Ifinedo, 2012, p. 84). It is likewise perceived that if money, resources and time are invested in considerable security measures, the person is likely to follow rules, protocols and security measures (Ifinedo, 2012, p. 84).
It is also contended that when a person is educated about the negative effects of non-compliance and the effective behaviour required to cope with a danger, the person will adopt an adaptive behaviour (Ifinedo, 2012, p. 84). This can be considered truly effective if the persons are knowledgeable about the need to secure the organization's ISSP based on the guidelines and coping mechanisms for averting threats and dangers in context (Ifinedo, 2012, p. 84). Knowledge and open communication among IT staff is imperative to ascertain that management will be able to exact successful compliance from them. It is therefore suggested that seminars and trainings be conducted to improve in-house IS security awareness and to shape the ISSP compliance behavioural intentions of employees (Ifinedo, 2012, p. 84).

Thus, Boss, Kirsch, Angermeier, Shingler & Boss (2009) asserted that, despite the prevalence of technical security measures, information security should be accorded the necessary importance in corporate defences. If staff neglect security policies and procedures by omission, there is a greater tendency for cyber threats to reach data storage and ruin, if not corrupt, the system (p. 151). Still, the degree to which the ‘mandatoriness’ of existing security policies and procedures is acknowledged and practised by the individual will also affirm the effectiveness of convincing individuals that security policies are mandatory. It will motivate an individual to opt for security precautions (Boss, et al., 2009, p. 151). Thus, it is affirmed:

The examination of the elements of control directly applies to security for two reasons. First, security policies and procedures are often specified and administered by technical managers with no ‘line’ responsibility for the individuals who must follow those policies.
This means that specified controls, even if evaluated and rewarded, might be seen as optional as those enforcing compliance have no direct authority over those they seek to control. Second, security policies and procedures (specification) are put in place to regulate the behaviours of individuals to achieve (or prevent) a particular outcome. These policies can be seen, collectively, as a recipe that will endeavour to ensure a secure system not only at the present time, but also in the future. The result is that while policies are directed, in a general way, at individuals, how each individual follows those policies is to some degree discretionary and may vary widely, but the implications for the entire organization are serious (Boss, et al., 2009, p. 151).

Figure 1. Integrated framework for security policy compliance intention (Herath & Rao, 2009, p. 110)

Management: Security and Control

For the security policy to be truly enforced and to exert the necessary management control over human resources, it is imperative for the company to establish standard performance criteria and courses of action to improve staff behaviour in IT system management and to contribute to asset protection. Classic obedience is exacted if the goals and policies are openly communicated to staff for compliance. On another plane, the ‘mandatoriness’ of information security policy must be communicated to mediate the relation between control and the managed human resources (Boss, et al., 2009, p. 151). It is therefore imperative for all managers of an IT company, or of a company with an IT system, to focus on behavioural solutions to information security in addition to technical matters. It was also suggested that management must be able to recognize the key position of the individual in their security efforts. Management should focus on the specification and evaluation of information security policies rather than introducing an additional incentive policy to motivate employees.
A final implication for managers is that their approach to security is a key issue. When security is viewed (either explicitly or implicitly) as something that is ‘above and beyond’ individuals’ job descriptions, it is unlikely that much thought will be given to their part in information security. The results show that managerial attention is needed to craft meaningful information security policies and to motivate individuals to follow them. Managers should emphasize the specification of policies and evaluation of those policies for non-compliance, while giving less emphasis to reward (Boss, et al., 2009, p. 151).

The same concern is affirmed by Herath & Rao (2009) with regard to IS adoption and security (p. 106). Both authors also affirmed that protection-motivation theory, deterrence theory, and organisational behaviour are essential in establishing the fundamental premise that information security practices and policies are affected by organisational, environmental, and behavioural factors (Herath & Rao, 2009, p. 106). The development of an Integrated Protection Motivation and Deterrence model of security policy compliance, within the context of Taylor-Todd’s Decomposed Theory of Planned Behaviour, facilitates behavioural change in IT and ISSP security management (Herath & Rao, 2009, p. 106). Using survey responses from 312 employees in 78 organisations, the research suggested that (a) threat perceptions about the severity of breaches, and response perceptions of response efficacy, self-efficacy, and response costs, are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy and hence serves as a significant predictor of policy compliance intentions (Herath & Rao, 2009, p. 106).
The researchers asserted:

… information security is a multidimensional discipline and that various dimensions such as the human/personnel dimension and the policy/governance dimension have interconnected roles that impact overall organisational information security. As Dhillon & Backhouse (2001) have pointed out, there is a great need for more empirical research that uses socio-organisational perspectives to develop key principles for the prevention of negative events in order to help in the management of information security.

Conclusion

Empirical research shows that in 2011 the Internet Crime Complaint Center (IC3) recorded 314,246 reported cases of information system breach, including cybercrime cases (Ic3.gov, 2013, p. 6). The losses amounted to $485.3 million. Common cases are identity theft, advance fee fraud, and complaints about alleged FBI-related scams (Ic3.gov, 2013, p. 6). The IC3 received and processed more than 26,000 complaints monthly, and US-based cases alone showed that grave cases were recorded in California (34,169), Florida (20,034), Texas (18,477), New York (15,056) and Ohio (12,661) (Ic3.gov, 2013, p. 6). Victims in California lost about $70.5 million, with an average loss of $4,187 (Ic3.gov, 2013, p. 6). Aside from financial losses, the damage that follows a breach will certainly add to internal crisis in an organization, affecting performance and outputs. These figures simply depict the need to strengthen the human resources of companies working with IS and IT in order to tighten security control and management (Pahnila, Siponen, & Mahmood, 2007, pp. 1-5). There are many theories that management can draw on to ascertain that workers comply with performance standards, and to keep track of the facilitating conditions that contribute a positive attitudinal impact on compliance with corporate policies in IT and ISSP security management (Pahnila, Siponen, & Mahmood, 2007, pp. 1-5).
While sanctions for employees who are negligent in complying with security rules and protocols are widely acknowledged, researchers also acknowledge the need to educate employees on the nature of their jobs and the resulting impact should they commit such an omission in security management (Pahnila, Siponen, & Mahmood, 2007, pp. 1-5). As discussed in the preceding parts of this study, management must clearly communicate to employees their functions, roles, and the policies to abide by, to ensure that there is no breach of corporate mandates and to perfect IS security management (Pahnila, Siponen, & Mahmood, 2007, pp. 1-5). The threat of security breach is high, and efforts must be made to keep human resources committed to complying with IS security policies (Pahnila, Siponen, & Mahmood, 2007, pp. 1-5).

…on technology use, it is important to IS security staff to get their organization’s employees into the habit of complying with IS security policy. The other factors, described next, are important in this process. To start with, practitioners need to make sure that guidance and help from superiors and security staff are easily available to employees, if they encounter difficulties in complying with IS security policies (facilitating conditions). On the basis of our empirical findings, it’s imperative that practitioners should realize that positive social pressure (normative belief) towards IS security policy compliance from top management, immediate supervisor, peers and IS security staff is important for ensuring employees’ IS security policy compliance. This is consistent with the findings that social environment has an effect on individuals’ behaviour (Pahnila, Siponen, & Mahmood, 2007, pp. 1-5).
However, aside from instilling security management consciousness in IT workers, companies must also network with the authorities to quell cybercrime (committed by breaching internet security), so as to collaborate in preventing cybercrime and arresting cybercriminals. Kshetri (2005) pointed out that the flourishing synergy between organized crime and the Internet has increased the insecurity and threats of the digital world (p. 541). To address these problems, the hackers’ frame of action in pursuing their criminal designs should be examined by drawing on literature from psychology, economics, international relations and warfare (Kshetri, 2005, p. 541). But as countries across the world vary in the regulative, normative and cognitive legitimacy they give to different types of web attacks (Kshetri, 2005, p. 541), each company must develop its own security management system. Putting all the necessary security software in place and changing the attitudes or behaviours of IT experts can contribute well to countering the cyber wars and crimes that have habitually become part of the activities of those with stocks of hacking skills, due to affluence and economic opportunities (Kshetri, 2005, p. 541). It has been constantly said that an attacking unit's selection criteria for the target network include symbolic significance and criticalness, degree of digitization of values, and weakness in defence mechanisms (Kshetri, 2005, p. 541). Managerial and policy implications are henceforth essential to threat prevention (Kshetri, 2005, p. 541). Thus, it was prescribed:

End users operating in decentralized environments in which they share or maintain sole responsibility for their computing resources commonly receive input from others regarding the most effective information assurance practices. The intention of such guidance is to steer end user actions toward behaviours that are consistent with the assurance goals of management or of the firm.
For high-level managers desiring reliable responses from their end user community, the use of persuasive communications may be especially appealing (Johnston & Warkentin, 2010, p. 549).

References

Boss, S.R., Kirsch, L.J., Angermeier, I., Shingler, R.A. & Boss, R.W. (2009). If someone is watching, I’ll do what I’m asked: mandatoriness, control, and information security. European Journal of Information Systems, vol. 18, pp. 151–164.

FBI.gov (2013). The Cyber Threat: Planning for the Way Ahead. US: Federal Bureau of Investigation, p. 1. Retrieved: http://www.fbi.gov/news/stories/2013/february/the-cyber-threat-planning-for-the-way-ahead/the-cyber-threat-planning-for-the-way-ahead

Herath, T. & Rao, H.R. (2009). Protection motivation and deterrence: a framework for security policy compliance in organizations. European Journal of Information Systems, vol. 18, pp. 106–125.

Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, vol. 31, pp. 83-95.

Ic3.gov (2013). 2011 Internet Crime Report. US: Federal Bureau of Investigation, pp. 1-23. Retrieved: http://www.ic3.gov/media/annualreport/2011_IC3Report.pdf

Izzio, C. (2008). The 10 Most Mysterious Cyber Crimes. PCMag.com, pp. 1-2. Retrieved: http://www.pcmag.com/article2/0,2817,2331225,00.asp

Johnston, A.C. & Warkentin, M. (2010). Fear Appeals and Information Security Behavior. MIS Quarterly, vol. 34, no. 3, pp. 549-566.

Techterms (2013). Cybercriminals. Techterms.org, p. 1. Retrieved: http://www.techterms.com/definition/cybercrime

Techopedia.com. Cybercriminal. Canada: Janalta Interactive Inc. http://www.techopedia.com/definition/27435/cybercriminal

Pahnila, S., Siponen, M. & Mahmood, A. (2007). Employees’ Behavior towards IS Security Policy Compliance. Proceedings of the 40th Hawaii International Conference on System Sciences, Computers & Security.

Kshetri, N. (2005). Pattern of global cyber war and crime: A conceptual framework. Global Security Risks and International Competitiveness, Journal of International Management, vol. 11, issue 4, December 2005, pp. 541–562.
8 Pages (2000 words) Research Proposal

Developing the Corporate Strategy for Information Security

This report "Developing the Corporate Strategy for Information security" discusses a chief information security officer that is often assigned to perform vital functions within an organization.... nbsp; Moreover, the personnel also perform the operational duty in terms of securing the collected information relating to information security for a longer time period.... Moreover, the CISO is liable for developing as well as implementing an efficient information security plan, strategy, standard, or procedure within an organization through performing the aforementioned function (the State of California, 2008)....
5 Pages (1250 words) Report

Information Security Program Survey of the Department of Veteran Affairs

The paper "Information security Program Survey of the Department of Veteran Affairs" seeks to critically analyze the information security of the Veteran Affairs sector in the US.... The Information security program as envisaged by the United States Government Accountability Office (GAO) for the department of veterans affairs is to exert a pull and maintain individuals with skills in the field of information technology.... These guidelines show how the sector of Veteran Affairs handles protects its information assets, as well as making prospect resolution about the information systems security infrastructure....
6 Pages (1500 words) Term Paper

Information Security Fundamentals

The author concludes that the position of the information security professional has transformed over the past years and will change more.... Establish the asset to be assessed Information security Fundamentals permits future security experts to acquire a solid knowledge of the fundamentals of this area, as well as the entire variety of issues, which practitioners must tackle.... This volume allows learners to comprehend the key elements, which comprise an effective information security program and, in the long run, relate these concepts to their individual efforts (Peltier, Peltier & Blackley, 2005)....
5 Pages (1250 words) Book Report/Review
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us