SECURITY, ETHICS, AND LEGAL ISSUES

A MODEL OF
INFORMATION
ASSURANCE BENEFITS
Jean-Noël Ezingeard, Elspeth McFadzean, and David Birchall

Effective information assurance (IA) is the key to reliable management decision-making, cus-
tomer trust, business continuity, and good governance in all sectors of industry and public ser-
vice. Yet making a business case for IA investments can be difficult because the scope of the
potential benefits can be very broad. Based on interview data collected from company execu-
tives, senior IA managers, and a variety of external stakeholders, we develop and discuss a
four-layer model that can be used to help structure the case for IA investments.

ECURITY CONCERNS ARE ON THE IN- attention to aspects of information integrity

JEAN-NOËL
S crease in all organizations worldwide
and there is a growing number of calls
due to legislation (ITGI, 2003). In this context,
the term “information assurance” (IA) is there-
EZINGEARD is urging senior managers and top execu- fore emerging as a broader business concept
professor of tives to take greater interest in information se- than just security (Colwill et al., 2001).
management studies curity (Fourie, 2003). These calls are mainly Whereas security was once the sole domain
(processes and systems
based on the premise that the engagement of of the information systems department, organi-
management) at
senior managers and directors with the infor- zations are increasingly tasking audit and com-
Henley Management
College in the United
mation security agenda is key to achieving pliance committees with monitoring and
Kingdom. He can be good security (ISO, 2000; Thomson and von overseeing information assurance processes.
reached at Solms, 2003). But are these calls being heard? Experts suggest that auditors should “fully un-
Jean-Noel.Ezingeard Unfortunately, there is evidence that the topic derstand” IA issues as a key part of future re-
@henleymc.ac.uk. is not reaching the top layers of organizations, sponsibility (Parker, 2001). Despite this
or that it only does so at irregular intervals and widening of scope, there is still evidence of a
ELSPETH
MCFADZEAN is a
on an ad-hoc basis (Ezingeard et al., 2004b), with lack of senior management understanding of
lead tutor and visiting the attention of senior managers for informa- the business value of good information assur-
senior research fellow tion security centered around incidents, either ance (Deloitte, 2003; Ernst & Young, 2002).
at Henley Management published in the press or internally identified. Research has shown that the lack of engage-
College and a visiting In parallel to the increased focus on busi- ment from senior managers and boards could
lecturer at the ness benefits for IT investments, the topic of in- be attributed to differences in language and cul-
University of Surrey. formation security has evolved in many ture between information security staff and se-
DAVID BIRCHALL is organizations to cover broader issues than se- nior managers, and that there is a need to
director of research at curity. The scope of potential benefits has express information security problems in busi-
Henley Management therefore also increased. In particular, aspects ness rather than technical language (McFadzean
College and also leads such as quality and trustworthiness of informa- et al., 2003).This is compounded by a dearth of
the Centre for Business tion are now becoming key business issues. In advice and research into how information secu-
in the Digital light of several high-profile governance failures rity return on investment (ROI) can be better
Economy. that could be traced to distorted information, calculated and presented to senior managers
executives are being required to pay more (McAdams, 2004).The research presented here
20 W W W . I S M - J O U R N A L . C O M
S P R I N G 2 0 0 5
 SECURITY, ETHICS, AND LEGAL ISSUES
aims to bridge this gap by advancing the under-
standing of the benefits that can be gained
from superior information assurance. We do so
by investigating what organizations expect to
gain from information assurance through a se-
ries of interviews with senior managers from
which we build a structured model of the busi-
ness benefits of IA.
Our research was based on a two-pronged
data collection approach. A total of 32 inter-
views was conducted with two different
groups. Our initial enquiry started with in-
depth interviews with 22 senior business man-
agers. From these interviews we were able to
establish both the internal and external busi-
ness benefits of an effective IA policy for differ-
ent organizations. Apart from one U.K. charity
and one government department, all managers
were from public companies with listings on
the London, New York, Zürich, or Frankfurt
stock exchanges. In parallel, we conducted in-
terviews with representatives of ten external
stakeholders to gain the different perspectives
of IA benefits from people located outside the
companies — including investors and suppli-
ers.These two sets of interviews enabled us —
using interpretive content analysis assisted by
cognitive mapping software — to develop our
model of IA benefits. (More details on our re-
search methods are provided in Table 1.)
WHAT IS INFORMATION ASSURANCE?
Unfortunately, there is no universally accepted
definition of what constitutes information as-
surance (IA). Many still equate it with informa-
tion security but the term “information
assurance” is growing in acceptance and usage,
particularly among government and interna-
tional agencies (Wolf, 2003). Information secu-
rity generally includes the following three
elements (Whitman, 2003):
1. Confidentiality. This ensures information is
accessible on a need-to-know basis and that
unauthorized access is prevented.
2. Integrity. This ensures that data (or, more
widely, information) is not deleted or cor-
rupted, either accidentally or deliberately.
3. Availability. This ensures that information
is available when it is required and that it
will support the organization’s ability to
operate and accomplish its objectives.
Some experts add identification and authen-
tication to this list (Koved et al., 2001; Landwehr,
2001).The distinction between these two terms
emphasizes a necessary separation between the
I N F O R M A T I O N S Y S T E M S
S P R I N G
TABLE 1 Research Methodology Details
In-Depth Interviews
with Senior Business Managers
We sought the views of 22 managers, all based
in the United Kingdom except for four (two in the
United States, one in Germany, one in South
Africa). Six of the respondents are board-level
directors (CEO, CFO, non-executive director),
four are in charge of information systems for their
organization, ten have responsibility for
information assurance (head of information
assurance, head of risk, head of information
security), and two are senior project managers
specializing in IA. Sectors represented include
financial services, manufacturing, power
distribution, retail, IT services, consultancy, and
pharmaceutical. The managers were asked
about the effect of information assurance on their
organizations. This included both an internal
perspective (e.g., how IA influences employees,
managers, etc.) and an external perspective
(e.g., the impact of IA on customers, suppliers,
etc). Consequently, we gained detailed
information on the effect of IA on issues such as
business processes, information sharing,
innovation, company reputation, and
relationships with suppliers among others. These
interviews lasted between 60 and 90 minutes.
Stakeholder Interviews
In parallel, we interviewed ten external
stakeholders — three investors, two buyers with
an interest in the IA procedures of their suppliers,
two suppliers with an interest in the IA
procedures of their customers, an insurance
underwriter, a provider of professional technical
services, and a financial consultant with
significant experience in flotation and merger
and acquisitions. The aim of these interviews
was to provide us with information about how
organizations’ information assurance policies
affected their external stakeholders. This
enabled us to gain a different perspective on IA
benefits from outside the companies. These
interviews lasted up to 30 minutes, which was
sufficient to examine the participants’ views
using questions that were very focused.
act of recording who has carried out an interac-
tion with an information asset and the act of de-
termining their authority to do so. Separating
these concepts in information architecture
can, for example, identify instances of pass-
word security breaches.
A further component is non-repudiation, in-
troduced as far back as the late 1980s (ISO,
1989). Non-repudiation is a basic security ser-
vice that ensures organizations can prove that
transactions actually took place and that they
are correctly recorded.This expanded scope of
the activities associated with managing the de-
fense, preservation, provenance, and surety of
2 0 0 5
M A N A G E M E N T
21
 SECURITY, ETHICS, AND LEGAL ISSUES
information now forms the concept and defini-
tion of IA used in many countries. For example,
The Information Assurance Advisory Council
(IAAC, 2003) in the U.K. defines information
assurance as:
T
…the certainty that the information
he within an organization is reliable, se-
cure and private. IA encompasses both
ability of an the accuracy of the information and its
organization
protection, and includes disciplines
to adapt its such as security management, risk man-
agement and business continuity man-
policies, agement.
procedures,
Despite this widening of scope, informa-
and technology tion assurance is still frequently used as a syn-
may be as onym for security, where little value is added to
important as the mindset of defense (Boyce and Jennings,
2002). The danger here is that operational de-
the ability to fensive measures such as intrusion detection
produce a and password breach prevention become the
complete benchmarks for “successful” performance —
failing to identify and capture the scale of expo-
assessment of sure because of, for example, errors in accu-
all possible rately invoicing goods and services delivered.
threats. Security considerations typically focus on
the need to protect systems from internal and
external attack, environmental threats, acci-
dental damage, and disaster recovery. This is
undoubtedly a core element of information as-
surance but can lead to a “fixed state” approach
because of the dangerous assumption that all
threats can be accurately predicted. Agility is
needed in the face of unpredictable threats —
and the ability of an organization to adapt its
policies, procedures, and technology may be as
important as the ability to produce a complete
assessment of all possible threats. System
changes can even be viewed as a temporary
transition between static states, breeding a tol-
erance for a reduced state of security during a
transition period. Our interviewees had little
doubt that this approach is “complacent” in to-
day’s threat environment, where the Internet
allows security weaknesses to be publicized
widely among hackers and business-crippling
worms can spread globally in minutes. Wheth-
er it is a law of economic conservation or sim-
ply ironic, the same Internet that allows many
companies to reduce operating costs and im-
prove customer services also increases the cost
and complexity of IA, as it increases the num-
ber of defensive frontiers that a company must
manage.
Adopting a problem-prevention outlook
can be very limiting. It is particularly danger-
ous to assume that the majority of serious
22 W W W . I S M - J O U R N A L . C O M
S P R I N G 2 0 0 5
threats can be predicted or to introduce sys-
tems that are so rigid they are slow — or even
unable — to respond to changing needs. If cus-
tomer services unilaterally implemented inflex-
ible and strict security procedures, they might
achieve a zero-complaints target, but they
might also completely prevent any sales from
occurring. Similarly, finance could eliminate
bad debt by refusing to offer credit terms to
any customer. While these are obviously ex-
treme examples, they illustrate how a depart-
ment unchecked by business logic can hamper
business performance. Of course, the corpo-
rate mindset that does not question its security
policies in the face of employee inconve-
nience, ever-increasing procedures, and re-
strictions on knowledge management is being
equally shortsighted.
Our research also indicates that taking a “se-
curity” outlook can be counter-productive in
achieving board engagement. This is because
information security tends to be associated
with technology — not always a topic in which
board members can engage. In the words of
the group IA adviser for a multinational retail
bank:
Board members tend not to be very
technical and avoid IA. However, the
technical part of IA is actually only a
small element… It is important to be
able to look at things in a holistic way,
with a broader perspective, not just
technical.
ENABLING RATHER THAN PREVENTING
Information assurance could be said to repre-
sent a migration from a preventative approach
to an enabling approach. Information systems
can represent a source of competitive advan-
tage through their structural integrity as much
as through the information content they deliv-
er. Reliability and resilience mean more consis-
tent operational and customer service
performance, thus reducing costs and increas-
ing the ability to adapt quickly to changing mar-
ket circumstances. Table 2 compares the key
elements of a traditional information security
method to a more pioneering information as-
surance approach.
A comprehensive conceptualization of IA
ensures that the information systems serve the
organization’s transactional needs — such as
operational capability, customer service, and fi-
nancial systems — as well as its transformation-
al needs — including knowledge management,
innovation, and rapid adaptation. Taking such a
 SECURITY, ETHICS, AND LEGAL ISSUES
TABLE 2 Comparing Information Security with Information Assurance
Information Security
Confidentiality Need-to-know only and
protection from
unauthorized access
Integrity Preventing accidental or
malicious alteration,
corruption, or deletion
Availability Disaster recovery and
business continuity to
ensure ongoing operation
of existing systems
Identification Password access control
and
Authentication
Non-repudiation Fraud prevention
forward-looking view requires an examination
of the direction of the business as its current
needs and systems. IA practitioners must un-
derstand how value is created in the business
and what will influence future strategic deci-
sions (Ezingeard et al., 2004a).
Consequently, by combining all these ideas,
information assurance strategy can be defined
as:
Determining how the reliability, accura-
cy, security and availability of a compa-
ny’s information assets should be
managed to provide maximum benefit
to the organization, in alignment with
corporate objectives and strategy.
AVOIDING NEGATIVE STRATEGIC
CONSEQUENCES OF POOR
INFORMATION ASSURANCE
Breaches in security heighten awareness of just
how dependent organizations have become on
their information systems — and how high the
price for failing to safeguard them is in terms of
reputational damage, loss of business and re-
duction in share price (Hovav and D’Arcy,
2003). Breaches in information reliability can
have similarly devastating reputational or finan-
cial consequences. It is vital, therefore, that or-
ganizations develop an effective IA strategy to
help them defend against these violations.
I N F O R M A T I O N S Y S T E M S
S P R I N G
Information Assurance
How can ongoing compliance be ensured against
regulatory changes or regional variations?
What would be the impact on reputation of a breach in
confidentiality?
Can users compare relative levels of reliability if data
is conflicting?
How does the organization reduce costs incurred
through errors?
How can we develop systems that will not be restrictive
as the organization grows, enters new alliances, or
develops new businesses?
Do users keep their passwords secret and change
them regularly because they are told to or because
they understand the importance of password safety?
How can we develop better identification and
authentication methods for our stakeholders?
How can security reduce the organization’s transaction
costs?
Can transactions be simplified for our customers to
increase their value gained from dealing with us,
without compromising security?
Despite these dangers, information assur-
ance is not a key consideration in shaping cor-
porate strategy. Naturally, companies do not
consider revenue generation plans and budgets
secondary to IA policies (with the few excep-
tions being those whose primary business is to
secure transmission or storage of information).
Nonetheless, information assurance is a strate-
gic issue — in the sense of the potential impact
on the rest of the business (McFarlan, 1984;
Ward, 1988). If it is not undertaken well, strate-
gic risks may follow. IA should therefore sup-
port corporate strategy because the
consequences of IA policy decisions can affect
the entire business. For example, an informa-
tion system’s failure could cause damage to an
organization’s reputation and may inhibit the
firm’s ability to operate; or ill-considered poli-
cies may restrict information flow, causing
poor customer service and resulting in loss of
business over time. Finally, the cost of the inci-
dent may be prohibitively high and the organi-
zation may not survive the disruption (Logan
and Logan, 2003).
Customer tolerance for publicized security
breaches is decreasing (DTI, 2002; Treanor,
2000). This also calls for information security
concerns to rise to the highest levels of the or-
ganization. If customers migrate not just be-
cause of perceived risk, but simply because of
the inconvenience of failing computer systems,
2 0 0 5
M A N A G E M E N T
23
 SECURITY, ETHICS, AND LEGAL ISSUES

value-adding contribution to the organization

FIGURE 1 Interview Findings: The Benefits of Good Information through this changing perspective, enhancing
Assurance
competitive advantage rather than simply de-
fending existing systems (Dhillon, 2004). This
is what we explore in the next section.
rational Benefits
O pe
s Imp
e sse rov
roc tic al Benefit ed HARNESSING POSITIVE
sP Tac Co
s Cu
es g of mm
Par t itm
s
CONSEQUENCES OF GOOD
in ities

to
sin

d ic Benef ners en
ta r tuntrateg
n

m
i t
Bu

s t a
s nd f INFORMATION ASSURANCE

er
r po S
p ce Ch
ss de

an
nt

Se
ro Cus
rn ea
O
ilie

m to
ine n

anization Ensuring business continuity — the ability to

rvic
ve p
Bus ter U

B u e rs
Or Improved al
Res

Go

er

e
sin
continue operating without falling foul to legis-
Bet

m
Eq
er

ess
Shareholder
Bett

u ity
Value lation or adverse media reports — is an imme-
Competitive diate benefit that many of the board members
Advantage
License to and senior executives interviewed recognized.
Operate Some managers, however, go beyond the sim-
le s
Lo
Ea

we

Sa
ple, immediate benefits of IA. These inter-
Imp

B e n e fit s

e
l
Co
sie

re tro
r

ag
sts Mo
r ov

on
viewees pointed out that in the medium term,
rC

Us
m
C
o

r
ed

p li tte n
an it should be possible to achieve further bene-
io
Be
Re

ce
at

po m
s

ns or fits. As illustrated in Figure 1, we have classified

ive
n er
ess
B ett
then stability and reliability become competitive
drivers. In the United States, the advent of the
Sarbanes–Oxley Act, which holds executives
personally liable for the accuracy of financial
results, could potentially pave the way to simi-
lar liability for all compliance issues — particu-
larly in light of growing consumer concern for
information privacy (Stewart and Segars, 2002).
Information assurance must become a con-
cern from a corporate governance perspective
(Thomson and von Solms, 2003). Recent media
reports have also highlighted the potentially
dramatic consequences of poor information in-
tegrity, demonstrating that decisions taken on
the basis of unreliable information can leave
shareholders and voters concerned and angry
(Stiles and Taylor, 2001). Stakeholders no long-
er see the fact that decisions were taken “in
good faith” or that assets were represented “to
the best of executives’ knowledge” as an ac-
ceptable excuse for mistakes subsequently dis-
covered. Unsurprisingly, “corrupt data” (and its
impact on corporate governance and general
management decision making) was therefore
seen by our interviewees as one of the biggest
risks of poor IA.
Perhaps too often, information security is
presented as a necessity for survival rather than
a business enabler. Interestingly, considering
information assurance as incorporating respon-
sibility for the reliability and integrity of data
means that those formerly responsible for im-
plementing information security can make a
24
Inf
those into:
❚ Operational benefits: those benefits that will
have an immediate positive impact on the
organization’s ability to deliver goods and
services more efficiently or effectively
❚ Tactical benefits: those benefits that will
have a medium-term positive impact on the
organization’s relationships with its trading
partners
❚ Strategic benefits: those benefits that are
more long-term in nature and connected
with competitive advantage
❚ Organizational benefits: those benefits
sought by the owners of the organization or
its key stakeholders
Operational Benefits
Resilient Business Processes. A good IA
policy can provide a global framework for in-
formation security within an organization, pull-
ing together both information and physical
security to ensure business continuity. Going
beyond information security, effective IA is also
the key to good operational controls and proce-
dures that rely on timely and accurate informa-
tion for their business continuity or simply for
effectiveness. Supply chains, for example, are in-
creasingly considered an area of exposure by
many businesses — but also an opportunity to
gain significant competitive advantage. Because
controlling the supply chain is a very informa-
tion-intensive activity, supply-chain management
is an example of a business process whose resil-
ience can be significantly enhanced by good
IA. Many interviewees pointed to resilience of
business processes as a key benefit of good IA in
W W W . I S M - J O U R N A L . C O M
S P R I N G 2 0 0 5
 SECURITY, ETHICS, AND LEGAL ISSUES
sectors such as banking, telecommunication,
and retail.
Improved Customer Service. An effec-
tive IA strategy can help the organization to
provide secure and easy-to-use access, which
G ood IA
customers increasingly expect as a given, as
well as reliable information, which is the key to
will often be good service provision. As one of our inter-
viewees described it,“Information is absolutely
the key to the
central to good advice delivery.” It is particular-
ability to
ly critical, for example, in sectors where cus-
deliver real- tomer service is delivered through call center
operations. In other sectors, such as financial
time financial
services, good IA will often be the key to the
information to ability to deliver real-time financial information
customers. to customers. In retail, good IA is a cornerstone
of many loyalty programs.
Better Information Usage. IA facilitates
improvement in the quality, integrity, availabil-
ity, and reliability of information. Many organi-
zations suggest that information is a key
element for business decisions and innovation.
It is therefore beneficial for companies to gath-
er and maintain accurate and reliable informa-
tion. Collecting, storing, and processing
information can be costly, however. Good IA is
therefore linked by some of our interviewees
to enabling a reduction in such costs. This, for
example, can be the cost of storing business-
critical information in an efficient way. In the
words of one of the executives interviewed,
good IA can help identify when “you’ve got
four copies of that [because] you don’t need
four.” In other companies, good IA will ensure
that information is enhanced, as well as pro-
tected and used well. For example, the CEO of
one of the banks interviewed pointed out that
good IA helped ensure that customer needs
were matched appropriately to products.
Improved Responsiveness. Good IA can
significantly improve responsiveness. In securi-
ty terms, good IA is often the key to responsive-
ness when breaches do actually occur.
Responsiveness is often only possible if every
individual within an organization feels respon-
sible for security. Improving knowledge and
awareness of security issues can be beneficial
in itself; but in addition, this awareness can
help to improve the speed of response when a
breach in security occurs. Thus, both the com-
munication of the breach and the repair of the
infringement can be undertaken much faster.
Furthermore, good IA will ensure that an
organization is alerted rapidly to changes in the
I N F O R M A T I O N S Y S T E M S
S P R I N G
environment. In situations where rapid re-
sponses are required, being able to trust the in-
formation on the basis of which decisions are
taken will be critical. As argued by the chief
risk officer of a large bank that participated in
the research, one of the reasons that his organi-
zation pays attention to IA is because it supports
the bank’s ability to remain “cutting edge.”
Tactical Benefits
Easier Compliance. Many organizations
see IA solely as a compliance issue. Achieving
compliance can be expensive — simply meet-
ing the data storage requirements brought
about by the Sarbanes–Oxley Act has required
the quadrupling of storage capacity in many or-
ganizations (Economist, 2004). By ensuring
good IA processes, companies are able to
achieve leaner internal control systems that
still meet regulatory and legal requirements;
they need to spend less on technology to re-
main compliant and less on processes to moni-
tor compliance. Improved confidence and
accountability in IA reduces the complexity
(and therefore the cost) of post-hoc verifica-
tion of information accuracy.
Better Control. An effective IA policy will
provide additional rigor for information and se-
curity controls. At a basic operational level,
strict control procedures can be put in place to
stop unauthorized access to information or the
use of unauthorized software, illicit Web surf-
ing, and e-mail communication. One senior
manager (from a telecommunications firm) we
interviewed suggested that, at a tactical level,
control often takes another form. He pointed
out that an organization will want to ensure
that once vulnerabilities are identified, it
“brings the risk down to a manageable and rec-
ognizable level.” In addition, business control is
also much more than security, and good IA will
ensure that aspects such as expenditure are
looked at rigorously to ensure that no “surpris-
es” are brought to light, for example, in an an-
nual audit. Finally, business control needs
reliable information to steer the organization in
the right direction. As pointed out by one of
our interviewees, “if you’re making decisions
on the wrong data, then making better deci-
sions is probably not your biggest issue.”
Better Understanding of Business
Opportunities. Understanding business
opportunities and markets relies on trusted
market intelligence. Many organizations in-
creasingly place an emphasis on ensuring that
2 0 0 5
M A N A G E M E N T
25
 SECURITY, ETHICS, AND LEGAL ISSUES
this information is available and accurate. Al-
though few organizations will make this an ex-
plicit requirement of their internal control
systems, shareholders are becoming much less
tolerant of companies that constantly misjudge
market outlook.As pointed out by a senior con-
IA reviews
sultant we interviewed, “If you go back to the
Internet bubble where people would give you
by market a million dollars for having an idea on a Web
analysts are site, great. I think those days are gone —
clearly not a they’re far more rigorous now.”
widespread Commitment from Business Partners
practice, and Customers. As information technology
permeates all business relationships, custom-
although our
ers and suppliers alike are becoming more de-
interpretation manding. An organization will instill trust
of interview among its stakeholders if it is able to constantly
data is that the demonstrate that it knows how to ensure that
the information it collects and exchanges with
trend is
its trading partners is secure. This in turn will
growing. inspire commitment. In the retail sector, for ex-
ample, allowing automated shelf-restocking or-
ders from direct observation by suppliers of
sales transactions can be a source of significant
commercial benefit (e.g., reduced cost of order
administration, reduced inventory manage-
ment, and fewer missed sales opportunities).
However, in practice, that can only arise from
assuring partners of the ability to guarantee not
only the accuracy of sales data, but also the se-
curity of commercially sensitive information.
Strategic Benefits
Better Governance. Feedback to the board
regarding IA is necessary to ensure that direc-
tors are kept informed about potential prob-
lems or risks. In the words of one of our
interviewees, “I think for non-executive direc-
tors their nightmare is having a scandal, so
they’ve got to be — and they are being — more
challenging and require more information.”
This also means that the board can make better
decisions regarding IA investment as well as
providing assurance concerning the company’s
security to other stakeholders. In addition, it
enables the senior executive responsible for IA
to view the issue holistically. He or she can
therefore facilitate compliance with govern-
ment directives and provide global standards
for the entire organization.
Cheaper Equity. Many firms require access
to external financing to fund innovation and
growth. A number of academic studies have
26 W W W . I S M - J O U R N A L . C O M
S P R I N G 2 0 0 5
shown that investors believe that companies
that have been vulnerable to security breaches
such as denial-of-service attacks in the past will
be exposed to financial damage in the future
(Ettredge and Richardson, 2003; Garg et al.,
2003; Hovav and D’Arcy, 2003). The only ex-
ceptions to this were firms that showed they
were willing to continuously invest in informa-
tion security. Our interviews have confirmed
that few analysts will take IA seriously when
making investment decisions — either as part
of an initial due diligence process or in subse-
quent reviews. IA reviews by market analysts
are clearly not a widespread practice, although
our interpretation of interview data is that the
trend is growing.
More Sales. Effective communication of IA
readiness will serve as reassurance for all stake-
holders, including customers. It illustrates that
the company:
❚ Is willing to protect its customers’ informa-
tion from malicious intent
❚ Provides better customer service
❚ Has more resilient processes that will ensure
unbroken supply or service
For example, one of our interviewees (from
a manufacturing company) pointed out that
many of its customers “don’t want their prices
and their volumes [made public]” and that they
would stop buying if they “felt that there was a
chance that their competitors would under-
stand how much they’re buying and get some
competitive insights into the information we
had about them.”This, of course, is not unusual
and not specific to manufacturing.
Lower Costs. The combination of opera-
tional and tactical benefits of good IA can ulti-
mately result in lower overall costs for the
business. Major security problems can cause
substantial downtime and extreme disruption
to the workforce. Research has also shown the
massive costs that security breaches can create
(Garg, 2003).An effective IA strategy therefore
has the potential benefit of reducing costs and
decreasing disruption and downtime due to se-
curity infringements.
Other cost drivers will be influenced by
good IA, and we have already discussed busi-
ness process benefits. Combined with better
management information and better control,
IA can clearly contribute to lowering an organi-
zation’s overall costs.
 SECURITY, ETHICS, AND LEGAL ISSUES
Organizational Benefits
Improved Shareholder Value. As pointed
out by a senior IA executive we interviewed,
“Spending money without justification is not
the order of the day any more,” and all IA
spending is now increasingly linked to the re-
A n effective
turn it will produce for shareholders. We have
already discussed operational and tactical value
IA strategy drivers that IA can help realize, such as com-
mitment from customers and trading partners.
was seen as
These are, in turn, likely to generate sharehold-
one method of
er value.
communicating Ensuring shareholder value is one of the
many roles undertaken by the board of direc-
to shareholders
tors (Stiles and Taylor, 2001). An effective IA
the board’s
strategy was seen as one method of communi-
intent cating to shareholders the board’s intent re-
regarding garding security. That is, the strategy seeks to
reassure shareholders regarding the safety of
security.
the organization as well as its security invest-
ment intentions.
Competitive Advantage. Competitive ad-
vantage is the ability of an organization to dif-
ferentiate itself from its competitors. What,
then, would IA-driven competitive advantage
look like? While none of our interviewees actu-
ally linked IA to competitive advantage per se,
it was linked to competitive advantage at two
broad levels:
1. Reliable information about competitors,
their new products and services, or market-
ing tactics can often help achieve competi-
tive advantage.
2. The operational and tactical benefits that
we have already associated with IA were
linked with IA by interviewees. These
included commitment from trading part-
ners and better decision making.
License to Operate. Finally, many inter-
viewees reminded us that, at a very fundamen-
tal level, organizations must comply with the
legislation and regulatory requirements of the
countries in which they operate. In extreme
cases, failure to comply will result in a lack of
approval to operate.
IMPLICATIONS
There are a number of implications of the mod-
el in Figure 1 for both managers and researchers.
For example, the model shows that information
assurance can have a resounding impact on
many organizational processes, as well as influ-
ence both internal and external stakeholders.
Consequently, information assurance should be
I N F O R M A T I O N S Y S T E M S
S P R I N G
seen in broad business terms rather than in nar-
row technical terms. It is important, therefore,
that senior managers take responsibility for in-
formation assurance in order to guarantee the
following:
❚ A holistic picture of IA controls and proce-
dures has been developed and maintained.
❚ Appropriate compliance and legislation
issues have been fulfilled.
❚ Information assurance strategy has been
aligned with the organization’s corporate
goals.
❚ Employees have been fully briefed and are
regularly updated on information assurance
policies, processes, and potential threats.
❚ Appropriate adjustments can be made to IA
policies when the internal or external envi-
ronments alter, thus necessitating a change
in security procedures.
Further research can also be undertaken in
this area.This qualitative study is interpretive in
nature and focuses on a small number of orga-
nizations. A wider survey of the benefits of IA
to organizations could be undertaken, with
data collected on the magnitude of the value of
operational, tactical, strategic, and organiza-
tional benefits. It would also be interesting to
ascertain whether the values of these benefits
are similar for both internal and external stake-
holders, and if they are similar for organiza-
tions in the United States and European
countries.
CONCLUSION
Our research has shown that the benefits of su-
perior information assurance can be grouped
under four different headings:
1. Operational benefits: The immediate and
direct consequence of superior informa-
tion assurance will be flows of accurate
information, available when and where
they are needed. This in turn will support
operational excellence and ensure the con-
tinuity of day-to-day operations for the ben-
efit of the organization’s customers.
2. Tactical benefits: Derived from the avail-
ability of usable management information
a n d r o b u s t n e s s o f t h e i n fo r m a t i o n
exchanges with business partners, these
benefits are often the most publicized by IA
practitioners.
3. Strategic benefits: These are the benefits
that are linked with the ability of the orga-
nization to achieve its strategic objectives
and achieve better performance than its
2 0 0 5
M A N A G E M E N T
27
 SECURITY, ETHICS, AND LEGAL ISSUES
competitors. Although they are more long
term in nature, we found that they were
often sought as direct benefits of IA by the
managers who participated in our research.
4. Organizational benefits: Ultimately, the
“rolling up” of the operational, tactical, and
I
strategic benefits of IA should result in
n some improved shareholder value and competi-
industries, tive advantage. In some industries, superior
superior IA is IA is also a condition that regulators and
other authorities place on organizations —
also a in which case, a license to operate is the
condition that ultimate organizational benefit.
regulators Information assurance is critical to organi-
and other zations in all sectors of industry and public ser-
vice. It is the key to reliable management
authorities
decision-making, customer trust, business con-
place on tinuity, and good governance. Yet, making the
organizations
case for IA investments can be difficult as the
— in which scope of benefits is wide. The four-layer model
presented here can be used to help structure
case, a license the case for IA investments. Many practitioners
to operate is and vendors often focus their arguments on
the ultimate what the negative outcomes of poor IA are. In
contrast, our model shows what business ben-
organizational efits can be gained. ▲
benefit.
References
Boyce, J.G. and Jennings, D.W. (2002) Information
Assurance: Managing Organizational IT
Security Risks, London: Butterworth Heineman.
Colwill, C.J., Todd, M.C., Fielder, G.P., and
Natanson, C. (2001) Information Assurance. BT
Technology Journal, 19(3), 107–114.
Deloitte (2003) 2003 Global Security Survey.
Deloitte Touche Tohmatsu.
Dhillon, G. (2004) The Challenge of Managing
Information Security — Guest Editorial.
International Journal of Information
Management, pp. 243–244.
DTI (2002) Information Security Breaches Survey.
Department of Trade and Industry/
PricewaterhouseCoopers, London, U.K.
Economist (2004) File that — The Sarbanes–Oxley
Act Is Causing a Quantum Leap in the Storage
Industry. The Economist [print edition] March 4.
Ernst & Young (2002) Global Information Security
Survey. Ernst & Young LLP.
Ettredge, M. and Richardson, V. J. (2003)
Information Transfer among Internet Firms:
The Case of Hacker Attacks. Journal of
Information Systems, 17(2), 71–82.
Ezingeard, J.-N., Bowen-Schrire, M., and Birchall, D.
(2004a) Triggers of Change in Information
Security Management. Proceedings of
ISOneWorld Conference, Las Vegas, April 23–25.
Ezingeard, J.-N., McFadzean, E., and Birchall, D. W.
(2004b) Board of Directors and Information
28 W W W . I S M - J O U R N A L . C O M
S P R I N G 2 0 0 5
Security: A Perception Grid. Paper No. 222 in
Proceedings of British Academy of
Management Conference, Harrogate.
Fourie, L.C.H. (2003) The Management of
Information Security — A South African Case
Study. South African Journal of Business
Management, 34(2), 19.
Garg, A. (2003) What Does an Information Security
Breach Really Cost? Evidence and Implications.
Information Strategy: The Executive’s Journal,
19(4), 21f.
Garg, A., Curtis, J., and Halper, H. (2003)
Quantifying the Financial Impact of IT Security
Breaches. Information Management &
Computer Security, 11(2), 374–383.
Hovav, A. and D’Arcy, J. (2003) The Impact of
Denial-of-Service Attack Announcements on the
Market Value of Firms. Risk Management &
Insurance Review, 6(2), 97.
IAAC (2003) Engaging the Board: Corporate
Governance and Information Assurance.
Information Assurance Advisory Council,
Cambridge, U.K.
ISO (1989) ISO 7498-2:1989 Information
Processing Systems — Open Systems
Interconnection — Basic Reference Model —
Part 2: Security Architecture. ISO, Geneva.
ISO (2000) ISO/IEC 17799:2000 Code of Practice
for Information Security Management. ISO,
Geneva.
ITGI (2003) IT Control Objectives for Sarbanes–
Oxley. IT Governance Institute, Rolling
Meadows, IL.
Koved, L., Nadalin, A., Nagaratnam, N., Pistoia, M.,
and Shrader, T. (2001) Security Challenges for
Enterprise Java in an E-Business
Environment. IBM Systems Journal, 40(1),
130–152.
Landwehr, C.E. (2001) Computer Security.
International Journal of Information Security,
1(1), 3–13.
Logan, P.Y. and Logan, S.W. (2003) Bitten by a Bug:
A Case Study in Malware Infection. Journal of
Information Systems Education, 14(3), 301–
305.
McAdams, A.C. (2004) Security and Risk
Management: A Fundamental Business Issue.
Information Management Journal, 38(4), 36–44.
McFadzean, E., Ezingeard, J.-N., and Birchall, D.
(2003) Boards of Directors Engagement with
Information Security. Henley Working Paper
(HWP0309) (available from www.henleymc.
ac.uk).
McFarlan, F.W. (1984) Information Technology
Changes the Way You Compete. Harvard
Business Review, 62(3), 98.
Parker, X.L. (2001) Understanding Risk. Internal
Auditor, 61–65.
Stewart, K.A. and Segars, A.H. (2002) An Empirical
Examination of the Concern for Information
Privacy Instrument. Information Systems
Research, 13(1), 36–49.
 SECURITY, ETHICS, AND LEGAL ISSUES
Stiles, P. and Taylor, B. (2001) Boards at Work: How
Directors View Their Roles and Responsibilities,
Oxford: Oxford University Press.
Thomson, K.-L. and von Solms, R. (2003)
Integrating Information Security into Corporate
Governance. 18th IFIP International
Information Security Conference, Athens,
pp. 169–180.
Treanor, J. (2000) Security Fear Shuts Online Bank.
The Guardian, Aug. 1, 2000
Ward, J.M. (1988) Information Systems and
Technology Application Portfolio
I N F O R M A T I O N S Y S T E M S
S P R I N G 2 0 0 5
M A N A G E M E N T
Management — An Assessment of Matrix-Based
Analyses. Journal of Information Technology,
3(3), 205.
Whitman, M.E. (2003) Enemy at the Gate: Threats
to Information Security. Communications of
the ACM, 46(8), 91–95.
Wolf, D.G. (2003) Statement by NSA’s Director of
Information Assurance before the House Select
Committee on Homeland Security. U.S. House
of Representatives (available from http://www.
nsa.gov/ia/Wolf_SFR_22_July_2003.pdf).
29