A Data Centric Security Cycle Model for Data Loss Prevention of Custodial Data and Company Intellectual Property

A review of data breach trends in the last five years reveals that data at rest, in use, and in motion, inside and over the extended network, is being increasingly affected. While organisations primarily focus on protecting sensitive customer financial information, the protection of custodial data and company secrets has been a back-burner issue. Moreover, errors, mistakes and accidents on the part of employees working/travelling/residing onsite and off-site with company media/data have worsened the situation, such that current technical and socio-technical controls are not adequate in preventing theft of media or the accidental or intentional misuse/loss of portable data. To overcome this issue, the security action cycle model of Straub and Welke (based on the general deterrence theory) is used as a theoretical lens to build a data centric security cycle model to safeguard the data that are “at rest, in motion and in use”. Finally, the paper discusses how the model can be further empirically validated using the updated IS success model of DeLone and McLean.

Keywords: IS Security; data breaches; data centric security.
