Information security management: An information security retrieval and awareness model for industry

The purpose of this paper is to present a conceptual view of an Information Security Retrieval and Awareness (ISRA) model that industry can use to enhance information security awareness among employees. A common body of knowledge for information security that is suited to industry, and that forms the basis of this model, is accordingly proposed. This common body of knowledge ensures that technical information security issues do not overshadow the non-technical, human-related information security issues. The proposed common body of knowledge also addresses both professionals and low-level users of information. The ISRA model proposed in this paper consists of three parts, namely the ISRA dimensions (non-technical information security issues, IT authority levels and information security documents), information security retrieval and awareness, and measuring and monitoring. The model specifically focuses on the non-technical information security issues that form part of the proposed common body of knowledge, because these issues have, in comparison with the technical information security issues, always been neglected.
