A MODEL OF INFORMATION ASSURANCE BENEFITS

Jean-Noël Ezingeard, Elspeth McFadzean, and David Birchall

Effective information assurance (IA) is the key to reliable management decision-making, customer trust, business continuity, and good governance in all sectors of industry and public service. Yet making a business case for IA investments can be difficult because the scope of the potential benefits can be very broad. Based on interview data collected from company executives, senior IA managers, and a variety of external stakeholders, we develop and discuss a four-layer model that can be used to help structure the case for IA investments.
JEAN-NOËL EZINGEARD is professor of management studies (processes and systems management) at Henley Management College in the United Kingdom. He can be reached at Jean-Noel.Ezingeard@henleymc.ac.uk.

ELSPETH MCFADZEAN is a lead tutor and visiting senior research fellow at Henley Management College and a visiting lecturer at the University of Surrey.

DAVID BIRCHALL is director of research at Henley Management College and also leads the Centre for Business in the Digital Economy.

S[…]crease in all organizations worldwide and there is a growing number of calls urging senior managers and top executives to take greater interest in information security (Fourie, 2003). These calls are mainly based on the premise that the engagement of senior managers and directors with the information security agenda is key to achieving good security (ISO, 2000; Thomson and von Solms, 2003). But are these calls being heard? Unfortunately, there is evidence that the topic is not reaching the top layers of organizations, or that it only does so at irregular intervals and on an ad-hoc basis (Ezingeard et al., 2004b), with the attention of senior managers for information security centered around incidents, either published in the press or internally identified.

In parallel to the increased focus on business benefits for IT investments, the topic of information security has evolved in many organizations to cover broader issues than security. The scope of potential benefits has therefore also increased. In particular, aspects such as quality and trustworthiness of information are now becoming key business issues. In light of several high-profile governance failures that could be traced to distorted information, executives are being required to pay more […] due to legislation (ITGI, 2003). In this context, the term “information assurance” (IA) is therefore emerging as a broader business concept than just security (Colwill et al., 2001).

Whereas security was once the sole domain of the information systems department, organizations are increasingly tasking audit and compliance committees with monitoring and overseeing information assurance processes. Experts suggest that auditors should “fully understand” IA issues as a key part of future responsibility (Parker, 2001). Despite this widening of scope, there is still evidence of a lack of senior management understanding of the business value of good information assurance (Deloitte, 2003; Ernst & Young, 2002). Research has shown that the lack of engagement from senior managers and boards could be attributed to differences in language and culture between information security staff and senior managers, and that there is a need to express information security problems in business rather than technical language (McFadzean et al., 2003). This is compounded by a dearth of advice and research into how information security return on investment (ROI) can be better calculated and presented to senior managers (McAdams, 2004). The research presented here […]
Information Systems Management, Spring 2005, www.ism-journal.com, p. 20 (Security, Ethics, and Legal Issues)
[…] information now forms the concept and definition of IA used in many countries. For example, The Information Assurance Advisory Council (IAAC, 2003) in the U.K. defines information assurance as:

…the certainty that the information within an organization is reliable, secure and private. IA encompasses both the accuracy of the information and its protection, and includes disciplines such as security management, risk management and business continuity management.

Despite this widening of scope, information assurance is still frequently used as a synonym for security, where little value is added to the mindset of defense (Boyce and Jennings, 2002). The danger here is that operational defensive measures such as intrusion detection and password breach prevention become the benchmarks for “successful” performance — failing to identify and capture the scale of exposure because of, for example, errors in accurately invoicing goods and services delivered.

Security considerations typically focus on the need to protect systems from internal and external attack, environmental threats, accidental damage, and disaster recovery. This is undoubtedly a core element of information assurance but can lead to a “fixed state” approach because of the dangerous assumption that all threats can be accurately predicted. Agility is needed in the face of unpredictable threats — and the ability of an organization to adapt its policies, procedures, and technology may be as important as the ability to produce a complete assessment of all possible threats. System changes can even be viewed as a temporary transition between static states, breeding a tolerance for a reduced state of security during a transition period. Our interviewees had little doubt that this approach is “complacent” in today’s threat environment, where the Internet allows security weaknesses to be publicized widely among hackers and business-crippling worms can spread globally in minutes. Whether it is a law of economic conservation or simply ironic, the same Internet that allows many companies to reduce operating costs and improve customer services also increases the cost and complexity of IA, as it increases the number of defensive frontiers that a company must manage.

Adopting a problem-prevention outlook can be very limiting. It is particularly dangerous to assume that the majority of serious threats can be predicted or to introduce systems that are so rigid they are slow — or even unable — to respond to changing needs. If customer services unilaterally implemented inflexible and strict security procedures, they might achieve a zero-complaints target, but they might also completely prevent any sales from occurring. Similarly, finance could eliminate bad debt by refusing to offer credit terms to any customer. While these are obviously extreme examples, they illustrate how a department unchecked by business logic can hamper business performance. Of course, the corporate mindset that does not question its security policies in the face of employee inconvenience, ever-increasing procedures, and restrictions on knowledge management is being equally shortsighted.

Our research also indicates that taking a “security” outlook can be counter-productive in achieving board engagement. This is because information security tends to be associated with technology — not always a topic in which board members can engage. In the words of the group IA adviser for a multinational retail bank:

Board members tend not to be very technical and avoid IA. However, the technical part of IA is actually only a small element… It is important to be able to look at things in a holistic way, with a broader perspective, not just technical.

ENABLING RATHER THAN PREVENTING

Information assurance could be said to represent a migration from a preventative approach to an enabling approach. Information systems can represent a source of competitive advantage through their structural integrity as much as through the information content they deliver. Reliability and resilience mean more consistent operational and customer service performance, thus reducing costs and increasing the ability to adapt quickly to changing market circumstances. Table 2 compares the key elements of a traditional information security method to a more pioneering information assurance approach.

A comprehensive conceptualization of IA ensures that the information systems serve the organization’s transactional needs — such as operational capability, customer service, and financial systems — as well as its transformational needs — including knowledge management, innovation, and rapid adaptation. Taking such a […]
Table 2. Key elements of a traditional information security method compared with an information assurance approach

Confidentiality
  Traditional security: need-to-know only and protection from unauthorized access
  Information assurance: How can ongoing compliance be ensured against regulatory changes or regional variations? What would be the impact on reputation of a breach in confidentiality?

Integrity
  Traditional security: preventing accidental or malicious alteration, corruption, or deletion
  Information assurance: Can users compare relative levels of reliability if data is conflicting? How does the organization reduce costs incurred through errors?

Availability
  Traditional security: disaster recovery and business continuity to ensure ongoing operation of existing systems
  Information assurance: How can we develop systems that will not be restrictive as the organization grows, enters new alliances, or develops new businesses?

Identification and Authentication
  Traditional security: password access control
  Information assurance: Do users keep their passwords secret and change them regularly because they are told to or because they understand the importance of password safety? How can we develop better identification and authentication methods for our stakeholders?

Non-repudiation
  Traditional security: fraud prevention
  Information assurance: How can security reduce the organization’s transaction costs? Can transactions be simplified for our customers to increase their value gained from dealing with us, without compromising security?
[Figure: the four-layer model of information assurance benefits, with operational, tactical, strategic, and organizational benefits building up to shareholder value, competitive advantage, and license to operate.]

[…] customers increasingly expect as a given, as well as reliable information, which is the key to good service provision. As one of our interviewees described it, “Information is absolutely central to good advice delivery.” It is particularly critical, for example, in sectors where customer service is delivered through call center operations. In other sectors, such as financial services, good IA will often be the key to the ability to deliver real-time financial information to customers. In retail, good IA is a cornerstone of many loyalty programs.

Better Information Usage. IA facilitates improvement in the quality, integrity, availability, and reliability of information. Many organizations suggest that information is a key element for business decisions and innovation. It is therefore beneficial for companies to gather and maintain accurate and reliable information. Collecting, storing, and processing information can be costly, however. Good IA is therefore linked by some of our interviewees to enabling a reduction in such costs. This, for example, can be the cost of storing business-critical information in an efficient way. In the words of one of the executives interviewed, good IA can help identify when “you’ve got four copies of that [because] you don’t need four.” In other companies, good IA will ensure that information is enhanced, as well as protected and used well. For example, the CEO of one of the banks interviewed pointed out that good IA helped ensure that customer needs were matched appropriately to products.

Improved Responsiveness. Good IA can significantly improve responsiveness. In security terms, good IA is often the key to responsiveness when breaches do actually occur. Responsiveness is often only possible if every individual within an organization feels responsible for security. Improving knowledge and awareness of security issues can be beneficial in itself; but in addition, this awareness can help to improve the speed of response when a breach in security occurs. Thus, both the communication of the breach and the repair of the infringement can be undertaken much faster. Furthermore, good IA will ensure that an organization is alerted rapidly to changes in the […] continue operating without falling foul of legislation or adverse media reports — is an immediate benefit that many of the board members and senior executives interviewed recognized. Some managers, however, go beyond the simple, immediate benefits of IA. These interviewees pointed out that in the medium term, it should be possible to achieve further benefits. […]organization pays attention to IA is because it supports the bank’s ability to remain “cutting edge.”

Tactical Benefits

Easier Compliance. Many organizations see IA solely as a compliance issue. Achieving compliance can be expensive — simply meeting the data storage requirements brought about by the Sarbanes–Oxley Act has required the quadrupling of storage capacity in many organizations (Economist, 2004). By ensuring good IA processes, companies are able to achieve leaner internal control systems that still meet regulatory and legal requirements; they need to spend less on technology to remain compliant and less on processes to monitor compliance. Improved confidence and accountability in IA reduces the complexity (and therefore the cost) of post-hoc verification of information accuracy.

Better Control. An effective IA policy will provide additional rigor for information and security controls. At a basic operational level, strict control procedures can be put in place to stop unauthorized access to information or the use of unauthorized software, illicit Web surfing, and e-mail communication. One senior manager (from a telecommunications firm) we interviewed suggested that, at a tactical level, control often takes another form. He pointed out that an organization will want to ensure that once vulnerabilities are identified, it “brings the risk down to a manageable and recognizable level.” In addition, business control is also much more than security, and good IA will ensure that aspects such as expenditure are looked at rigorously to ensure that no “surprises” are brought to light, for example, in an annual audit. Finally, business control needs reliable information to steer the organization in the right direction. As pointed out by one of our interviewees, “if you’re making decisions on the wrong data, then making better decisions is probably not your biggest issue.”

Better Understanding of Business Opportunities. Understanding business opportunities and markets relies on trusted market intelligence. Many organizations increasingly place an emphasis on ensuring that
this information is available and accurate. Although few organizations will make this an explicit requirement of their internal control systems, shareholders are becoming much less tolerant of companies that constantly misjudge market outlook. As pointed out by a senior consultant we interviewed, “If you go back to the Internet bubble where people would give you a million dollars for having an idea on a Web site, great. I think those days are gone — they’re far more rigorous now.”

Commitment from Business Partners and Customers. As information technology permeates all business relationships, customers and suppliers alike are becoming more demanding. An organization will instill trust among its stakeholders if it is able to constantly demonstrate that it knows how to ensure that the information it collects and exchanges with its trading partners is secure. This in turn will inspire commitment. In the retail sector, for example, allowing automated shelf-restocking orders from direct observation by suppliers of sales transactions can be a source of significant commercial benefit (e.g., reduced cost of order administration, reduced inventory management, and fewer missed sales opportunities). However, in practice, that can only arise from assuring partners of the ability to guarantee not only the accuracy of sales data, but also the security of commercially sensitive information.

Strategic Benefits

Better Governance. Feedback to the board regarding IA is necessary to ensure that directors are kept informed about potential problems or risks. In the words of one of our interviewees, “I think for non-executive directors their nightmare is having a scandal, so they’ve got to be — and they are being — more challenging and require more information.” This also means that the board can make better decisions regarding IA investment as well as providing assurance concerning the company’s security to other stakeholders. In addition, it enables the senior executive responsible for IA to view the issue holistically. He or she can therefore facilitate compliance with government directives and provide global standards for the entire organization.

Cheaper Equity. Many firms require access to external financing to fund innovation and growth. A number of academic studies have shown that investors believe that companies that have been vulnerable to security breaches such as denial-of-service attacks in the past will be exposed to financial damage in the future (Ettredge and Richardson, 2003; Garg et al., 2003; Hovav and D’Arcy, 2003). The only exceptions to this were firms that showed they were willing to continuously invest in information security. Our interviews have confirmed that few analysts will take IA seriously when making investment decisions — either as part of an initial due diligence process or in subsequent reviews. IA reviews by market analysts are clearly not a widespread practice, although our interpretation of interview data is that the trend is growing.

More Sales. Effective communication of IA readiness will serve as reassurance for all stakeholders, including customers. It illustrates that the company:

❚ Is willing to protect its customers’ information from malicious intent
❚ Provides better customer service
❚ Has more resilient processes that will ensure unbroken supply or service

For example, one of our interviewees (from a manufacturing company) pointed out that many of its customers “don’t want their prices and their volumes [made public]” and that they would stop buying if they “felt that there was a chance that their competitors would understand how much they’re buying and get some competitive insights into the information we had about them.” This, of course, is not unusual and not specific to manufacturing.

Lower Costs. The combination of operational and tactical benefits of good IA can ultimately result in lower overall costs for the business. Major security problems can cause substantial downtime and extreme disruption to the workforce. Research has also shown the massive costs that security breaches can create (Garg, 2003). An effective IA strategy therefore has the potential benefit of reducing costs and decreasing disruption and downtime due to security infringements.

Other cost drivers will be influenced by good IA, and we have already discussed business process benefits. Combined with better management information and better control, IA can clearly contribute to lowering an organization’s overall costs.
[…] competitors. Although they are more long term in nature, we found that they were often sought as direct benefits of IA by the managers who participated in our research.

4. Organizational benefits: Ultimately, the “rolling up” of the operational, tactical, and strategic benefits of IA should result in improved shareholder value and competitive advantage. In some industries, superior IA is also a condition that regulators and other authorities place on organizations — in which case, a license to operate is the ultimate organizational benefit.

Information assurance is critical to organizations in all sectors of industry and public service. It is the key to reliable management decision-making, customer trust, business continuity, and good governance. Yet, making the case for IA investments can be difficult as the scope of benefits is wide. The four-layer model presented here can be used to help structure the case for IA investments. Many practitioners and vendors often focus their arguments on what the negative outcomes of poor IA are. In contrast, our model shows what business benefits can be gained. ▲

References

Boyce, J.G. and Jennings, D.W. (2002) Information Assurance: Managing Organizational IT Security Risks. London: Butterworth-Heinemann.
Colwill, C.J., Todd, M.C., Fielder, G.P., and Natanson, C. (2001) Information Assurance. BT Technology Journal, 19(3), 107–114.
Deloitte (2003) 2003 Global Security Survey. Deloitte Touche Tohmatsu.
Dhillon, G. (2004) The Challenge of Managing Information Security — Guest Editorial. International Journal of Information Management, pp. 243–244.
DTI (2002) Information Security Breaches Survey. Department of Trade and Industry/PricewaterhouseCoopers, London, U.K.
Economist (2004) File That — The Sarbanes–Oxley Act Is Causing a Quantum Leap in the Storage Industry. The Economist [print edition], March 4.
Ernst & Young (2002) Global Information Security Survey. Ernst & Young LLP.
Ettredge, M. and Richardson, V.J. (2003) Information Transfer among Internet Firms: The Case of Hacker Attacks. Journal of Information Systems, 17(2), 71–82.
Ezingeard, J.-N., Bowen-Schrire, M., and Birchall, D. (2004a) Triggers of Change in Information Security Management. Proceedings of ISOneWorld Conference, Las Vegas, April 23–25.
Ezingeard, J.-N., McFadzean, E., and Birchall, D.W. (2004b) Board of Directors and Information Security: A Perception Grid. Paper No. 222 in Proceedings of British Academy of Management Conference, Harrogate.
Fourie, L.C.H. (2003) The Management of Information Security — A South African Case Study. South African Journal of Business Management, 34(2), 19.
Garg, A. (2003) What Does an Information Security Breach Really Cost? Evidence and Implications. Information Strategy: The Executive’s Journal, 19(4), 21f.
Garg, A., Curtis, J., and Halper, H. (2003) Quantifying the Financial Impact of IT Security Breaches. Information Management & Computer Security, 11(2), 374–383.
Hovav, A. and D’Arcy, J. (2003) The Impact of Denial-of-Service Attack Announcements on the Market Value of Firms. Risk Management & Insurance Review, 6(2), 97.
IAAC (2003) Engaging the Board: Corporate Governance and Information Assurance. Information Assurance Advisory Council, Cambridge, U.K.
ISO (1989) ISO 7498-2:1989 Information Processing Systems — Open Systems Interconnection — Basic Reference Model — Part 2: Security Architecture. ISO, Geneva.
ISO (2000) ISO/IEC 17799:2000 Code of Practice for Information Security Management. ISO, Geneva.
ITGI (2003) IT Control Objectives for Sarbanes–Oxley. IT Governance Institute, Rolling Meadows, IL.
Koved, L., Nadalin, A., Nagaratnam, N., Pistoia, M., and Shrader, T. (2001) Security Challenges for Enterprise Java in an E-Business Environment. IBM Systems Journal, 40(1), 130–152.
Landwehr, C.E. (2001) Computer Security. International Journal of Information Security, 1(1), 3–13.
Logan, P.Y. and Logan, S.W. (2003) Bitten by a Bug: A Case Study in Malware Infection. Journal of Information Systems Education, 14(3), 301–305.
McAdams, A.C. (2004) Security and Risk Management: A Fundamental Business Issue. Information Management Journal, 38(4), 36–44.
McFadzean, E., Ezingeard, J.-N., and Birchall, D. (2003) Boards of Directors Engagement with Information Security. Henley Working Paper (HWP0309) (available from www.henleymc.ac.uk).
McFarlan, F.W. (1984) Information Technology Changes the Way You Compete. Harvard Business Review, 62(3), 98.
Parker, X.L. (2001) Understanding Risk. Internal Auditor, 61–65.
Stewart, K.A. and Segars, A.H. (2002) An Empirical Examination of the Concern for Information Privacy Instrument. Information Systems Research, 13(1), 36–49.
Stiles, P. and Taylor, B. (2001) Boards at Work: How Directors View Their Roles and Responsibilities. Oxford: Oxford University Press.
Thomson, K.-L. and von Solms, R. (2003) Integrating Information Security into Corporate Governance. 18th IFIP International Information Security Conference, Athens, pp. 169–180.
Treanor, J. (2000) Security Fear Shuts Online Bank. The Guardian, Aug. 1, 2000.
Ward, J.M. (1988) Information Systems and Technology Application Portfolio Management — An Assessment of Matrix-Based Analyses. Journal of Information Technology, 3(3), 205.
Whitman, M.E. (2003) Enemy at the Gate: Threats to Information Security. Communications of the ACM, 46(8), 91–95.
Wolf, D.G. (2003) Statement by NSA’s Director of Information Assurance before the House Select Committee on Homeland Security. U.S. House of Representatives (available from http://www.nsa.gov/ia/Wolf_SFR_22_July_2003.pdf).