Information Security Inside Organizations - A Positive Model and Some Normative Arguments Based on New Institutional Economics

This work develops an abstract, theory-founded understanding of organization-internal information security. For this purpose, established knowledge from the field of information security is restructured along two dimensions: the historical dimension distinguishes three "eras" of information security and relates them to concurrent changes of the prevailing computing paradigm; the "security triangle" identifies and characterizes three different "meta-measures" for realizing information security inside organizations and highlights the existence of a higher-level regulatory framework. Additionally, the work draws on principles from the field of New Institutional Economics. In particular, the concepts of information asymmetries, transaction costs and principal-agent relations are explicated, as is their relevance to establishing cooperation among individuals. Cooperation is in turn modeled as consisting of the two partial problems of coordination and motivation. These theoretical foundations are then merged into an economically inspired positive model of information security inside organizations. The model provides abstract and theory-founded explanations for the changes of prevailing information security practices that happened in the past. Besides this explanatory use, the positive model is also applied in a prospective manner. Current technological developments will presumably lead to increasingly "interwoven" computing structures and thus to another change of the prevailing computing paradigm. Applying the model to these changed conditions suggests that now-established practices such as behavioral guidelines, or the means usually associated with the term "security culture", will prove inefficient and thus inadequate in the future. Organizations will therefore have to use alternative approaches, or modify existing ones, to realize information security under the changed circumstances.
Various possibilities for doing so have been suggested in the past. Some of these are evaluated on the basis of the economically inspired positive model. This analysis leads to well-founded suggestions as to which of the approaches should be applied under which conditions. Furthermore, the economic understanding also supports the development of new approaches that have not been thought of so far. As a final aspect, the future role of the higher-level regulatory framework is illuminated. It is shown that this framework will have to be adapted to the upcoming changes in order to protect organizations from being forced to apply highly inefficient practices for compliance reasons alone. Overall, the positive model developed in this work provides explanations for what can be observed in the field of organization-internal information security, allows for well-founded predictions about what can be expected in the future, and leads to normative arguments regarding necessary changes of established approaches and practices. It might therefore prove valuable for future research in a multitude of ways.
