Improved security through information security governance

Within the modern, hyper-connected business landscape, organizations are constantly under attack. According to the 2005 Computer Crime and Security Survey, conducted jointly by the Computer Security Institute (CSI) and the San Francisco Office of the Federal Bureau of Investigation (FBI), 56% of respondents reported unauthorized computer system use during the past year [2]. These unauthorized uses include malicious acts such as theft or destruction of intellectual property, insider abuse, and unauthorized access to information that results in a loss of data integrity and confidentiality, as well as malware threats such as viruses, spyware, worms, and Trojans [2]. Based on responses obtained from a sample of 700 security practitioners from government, financial, medical, business, and higher education institutions, the most frequently reported forms of malicious attack were virus attacks and insider abuse, at reported rates of approximately 75% and 50%, respectively [2]. Among the 639 respondents willing to estimate losses due to threats, the total costs associated with virus attacks were determined to be approximately $43 million, while insider abuse costs were nearly $7 million [2]. While these figures are an improvement over past years, clearly many firms still operate ineffective information protection programs. Ineffective protection can often be attributed to the manner in which firms go about planning their information security programs [6]. Far too many firms take a reactive approach to information security planning [6]. Their strategies for asset protection are derived from the bottom up, based on incidents at the perimeter of the organization. As such, these firms segregate information security from their overall strategic directive, thereby creating a divide between the governance of the firm and the management of information security.
The results of such a disconnect can be disastrous, as management and employees may lose touch with the value of appropriate security actions and as business processes become bogged down with unnecessary or improper controls. In scenarios such as these, a different perspective for security planning is warranted. In this article, we examine information security planning at the strategic level of the enterprise and empirically assess its value in enhancing the quality of information security programs. Included in this examination is a survey of security professionals in which they report their perceptions of information security program quality within their respective firms. The results of this study allow us to compare the quality of information security programs implemented …