Information security incidents are on the rise, and they affect both the operation of a company and the decisions its top management makes. This article explores the misperceptions of information security.
The importance of assuring the security of information assets becomes more critical every year. However, the critical areas of information security risk management and risk metrics still do not receive enough attention. Although many documents describe a managed approach to risk, they do not explicitly define a proper risk analysis and assessment. The ISO standards explain the theoretical risk analysis approach and provide general guidance on choosing security objectives. With the ISO 27000 family of standards as guidance, the sections below detail the practical aspects of evaluating whether the security mechanisms in place are sufficient.
According to most scholars, perception plays a significant role in the identification of risks within information security. Bandyopadhyay (1999) and Gerber (2005) argued that information risk is usually subjective, since it relies mainly on an individual's feelings, mood and opinion. For instance, risks that are judged to have both high probability and high impact receive more attention and consideration than those judged less probable.
Siponen & Vance (2010) and Johnston & Warkentin (2010) suggested that many incidents emerge from within a firm. Most of these are malicious, others are accidental, and others result from the SME's own definition of an incident, whereby some security occurrences go unrecognised as incidents. This may be viewed as a sign that the information security professionals are deficient in identifying a security occurrence and classifying it as an incident.
As echoed by Shedden (2009), impact and probability in SMEs are mostly projected by chief decision makers and security managers rather than being founded on hard facts. Misperception of a security incident may have several escalating effects on the company's decisions about taking up information security.
Therefore, wrong views of information security held by a firm's people result in an erroneous analysis of the risks facing that firm.
As researched by Briney & Prince (2002), failure to spot security gaps that are closely linked to a company's level of risk exposure could negatively impact that company.
Consequently, companies indicated that information risks could in some instances be alleviated, certainly in small organisations, and that their impact could be mitigated relatively comfortably; they perceived that smaller firms were less likely to be attacked.
Personnel can also be regarded as business assets. People with their knowledge and skills are valuable assets, and measures are necessary to protect this value.
The organization must have rigorous procedures for when personnel enter and leave employment, or change jobs within the organization. It is essential to change or remove access rights when appropriate and to collect equipment and passes when they expire, making access rights control a regular process within information security. There are three distinct phases to evaluate:
Prior to Employment – an organization can conduct strict screening of candidates, with an NDA in place during the interview process.
During Employment – awareness can be reinforced through induction programs. Other means include flyers, booklets, messages on computer screens, mouse pads, newsletters, videos, and posters. With information security courses targeted at particular groups, new social engineering tactics for obtaining confidential information at formal (company events) or informal (social drinking sessions) occasions in the corporate environment can be addressed.
Termination and Change of Employment – this is addressed via the employment contract, under which confidentiality of information is maintained for one or two years after termination, rights to information are revoked immediately, and all company assets are returned.
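The joiner/mover/leaver process described above is only as good as the check that enforces it. The following added example (not code from the original article or from any of the cited works) reconciles a constructed HR roster against a constructed list of accounts and flags the four discrepancies a practitioner would want to see: a leaver whose account is still enabled, a mover who kept groups from a previous department, an orphan account with no HR record, and a joiner who has no account. The record layout, the `ENTITLEMENTS` role model and all names are assumptions for illustration.

```python
"""Joiner/mover/leaver reconciliation of an HR roster against account data.

Added example: the data model and entitlement table are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    user: str
    department: str
    status: str               # "active" or "terminated"
    end_date: Optional[date]  # last working day, set for leavers


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    groups: FrozenSet[str]


# Hypothetical role model: the groups each department is entitled to.
ENTITLEMENTS = {
    "finance": frozenset({"staff", "erp-users"}),
    "engineering": frozenset({"staff", "vpn", "git-write"}),
}

Finding = Tuple[str, str]


def reconcile(hr: List[HrRecord], accounts: List[Account], today: date) -> List[Finding]:
    """Return (user, finding) pairs for every discrepancy, sorted by user."""
    findings: List[Finding] = []
    hr_by_user = {r.user: r for r in hr}
    account_users = {a.user for a in accounts}

    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        if rec is None:
            # Nobody in HR owns this account: it should not exist.
            findings.append((acct.user, "orphan account: no HR record"))
            continue
        if rec.status == "terminated":
            # Leaver: access must be revoked immediately at the end date.
            if acct.enabled:
                overdue = (today - rec.end_date).days if rec.end_date else 0
                findings.append((acct.user, f"leaver still enabled {overdue} days after end date"))
            elif acct.groups:
                findings.append((acct.user, f"leaver disabled but still in groups {sorted(acct.groups)}"))
            continue
        # Mover (or anyone): groups outside the current department's entitlement.
        allowed = ENTITLEMENTS.get(rec.department, frozenset())
        excess = sorted(acct.groups - allowed)
        if excess:
            findings.append((acct.user, f"mover: excess groups {excess}"))

    for rec in hr:
        # Joiner: active in HR but no account has been provisioned.
        if rec.status == "active" and rec.user not in account_users:
            findings.append((rec.user, "joiner without account"))

    return sorted(findings)


# Constructed sample data (not real people or systems).
SAMPLE_HR = [
    HrRecord("alice", "finance", "active", None),
    HrRecord("bob", "engineering", "terminated", date(2024, 1, 15)),
    HrRecord("carol", "engineering", "active", None),   # moved here from finance
    HrRecord("dave", "finance", "active", None),        # joined, no account yet
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"staff", "erp-users"})),
    Account("bob", True, frozenset({"staff", "vpn", "git-write"})),
    Account("carol", True, frozenset({"staff", "vpn", "git-write", "erp-users"})),
    Account("eve", True, frozenset({"staff"})),          # no HR record
]
TODAY = date(2024, 2, 1)


def run_sample() -> List[Finding]:
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

Run regularly (for example nightly) rather than only on notification from HR, since the point of the article's "regular process" is to catch the cases where the notification never arrived.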
Whiteman (2003) indicated in his study that not all security incidents are malicious. Companies lacking adequate information security experience focus mainly on external risks, and consequently a good number of internal risks end up being overlooked.
Chief decision makers and security managers should have a formal incident response plan and recognise that, beyond human error and disgruntled employees, there are several other risks that can be addressed by an internal programme such as Security Education, Training, and Awareness (SETA), which can significantly reduce the likelihood of such misperception.
Other business contingencies include many more factors (e.g., Asset Management; Information Security Incident Management; Information System Acquisition, Development, and Maintenance; Communications and Operations Management) to consider when implementing a thorough and practical information security programme based on the ISO 27000 standards. What matters is that the procedures, policies, compliance requirements, etc. are outlined and documented in line with the ISO 27000 standards, so that the risks associated with implementing information security are minimised, paving the way for a system that can be improved as the context changes.
Author: Tan Kian Hua, Ph.D. student at LIGS University
Heru Susanto, Mohammad Nabil Almunawar and Yong Chee Tuan. Information Security Management System Standards: A Comparative Study of the Big Five.
Jule Hintzbergen, Kees Hintzbergen, André Smulders, Hans Baars (2015, April). Foundations of Information Security - Based on ISO 27001 and ISO 27002.
Tony Campbell (2016, May). Practical Information Security Management - A Complete Guide to Planning and Implementation, Chapters 5 and 6.
Jason Andress, Mark Leary (2017). Building a Practical Information Security Program.