Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis

Information is a critical corporate asset that has become increasingly vulnerable to attacks from viruses, hackers, criminals, and human error. Consequently, organizations are having to prioritize the security of their computer systems in order to ensure that their information assets retain their accuracy, confidentiality, and availability. While the importance of the information security policy (InSPy) in ensuring the security of information is widely acknowledged, to date there has been little empirical analysis of its impact or effectiveness in this role. To help fill this gap, an exploratory study was initiated that sought to investigate the relationship between the uptake and application of information security policies and the accompanying levels of security breaches. To this end, a questionnaire was designed, validated, and then targeted at IT managers within large organizations in the UK. The findings presented in this paper are somewhat surprising, as they show no statistically significant relationships between the adoption of information security policies and the incidence or severity of security breaches. The paper concludes by exploring the possible interpretations of this unexpected finding and its implications for the practice of information security management.
