IT disaster recovery, cloud computing and information security news

Daisy

University of Texas at Dallas study determines why organizations fight data breaches differently

In the wake of recent high-profile security breaches at retail stores such as Target and Neiman Marcus, a new study from The University of Texas at Dallas determines why differences exist in the level of information security control resources among organizations.

Since digitalization began, organizations have understood how valuable their information is, said Dr. Huseyin Cavusoglu, the study's lead author and an associate professor of information systems at UT Dallas. More recently, dependency on the Internet has made it difficult for organizations to secure and protect this asset.

Protecting information initially was viewed as a technology-related problem, he said, and was solved by investing in technology-based solutions.

"But over the years, it has become clear that technology-based solutions are not foolproof or sufficient," said Cavusoglu, a security management researcher in the Naveen Jindal School of Management. "In light of this observation, we were interested in identifying a coherent set of organizational resources for information security controls that organizations should invest in to protect their information assets."

For the study, published in the June edition of Information & Management, the researchers surveyed senior and midlevel IT managers about information security practices and operations in their organizations. The analysis was based on responses from 241 organizations of varying industries and size.

The study found that organizations should invest in three distinct resources to better protect their information: security technologies, qualified information security personnel and security awareness of organizational users:

  • Security technologies: preventive and detective technical solutions to address vulnerabilities within IT structure in which critical information assets reside.
  • Qualified information security personnel: professional staff members who can define, execute and maintain the information security program of the organization.
  • Security awareness of organizational users: employees interacting with the information assets of an organization are fully informed, well-trained and aware of security-related issues and assume security as their everyday responsibility.

Because organizations perceive security risks differently, they invest in information security controls at different levels. The researchers also examined the drivers of these investments.

"We found that coercive pressures (stemming from business partners or industry and government regulations) and normative pressures (rooted in information security practices of partners, as well as the firm's exposure to security best practices through professional organizations, trade shows, conferences and security publications) largely impact the firms' investments in security control resources," Cavusoglu said.

Cavusoglu said the findings have several implications for public policymakers, security vendors and individual organizations.

The study advises public policymakers to continue to support government-sponsored security groups and to work closely with professional security associations and councils to design regulatory rules on security and promote best security practices.

Cavusoglu said the study shows that information security is not solely about technology and that to ward off security threats, organizations should invest in both technology-based solutions and knowledge-based assets.

The study advises organizations to consider information security as an issue that can be managed with a combined portfolio of control mechanisms consisting of information security technologies, qualified information security personnel and security awareness of organizational users.

"Employees should understand that they play an important role in safeguarding the information assets of their organizations and keep themselves up-to-date with the contemporary security threats," Cavusoglu said. "Businesses should pay close attention to security education, which can change employees from being the weakest link in security to the biggest safeguard for security."

Dr. Hasan Cavusoglu and Dr. Izak Benbasat of the University of British Columbia and Dr. Jai-Yeol Son of Yonsei University also contributed to the study.



Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.