Risks, controls & incident handling, and why they matter

I hosted a longish lecture & discussion this morning with a small but select mix of MBA students from Providence College School of Business and Edinburgh Napier computing students. They had been working on a project to visualise some security log data to help identify the wheat (data leaks) from the chaff (ordinary traffic).

My challenge: give an overview to explain how the tool they were developing fits into the business context.

I focussed on explaining how risk management and controls are the route to understanding why information security matters to business. I also discussed why incident handling is no longer optional (thank APT, and think about TalkTalk’s experience of its data breaches).

My main point was that a tool that identifies incidents quickly acts as a detective control (part of risk management) and will help management make better decisions, earlier. A useful thing for both MBA and Computing students to know!

Here are the slides:


What can TOE say about information security?

This post continues my exploration of the frameworks used for understanding the role of information security in business decisions. I’m still working on my thinking, so please bear with me… and let me know where I have got things wrong.

As I explained in my last post on this subject, I’m exploring theories that explain the issue from the perspective of organisations rather than individual choices. This is an interesting area because there is ongoing disagreement on why variations exist between organisations in the amount of resources devoted to information security controls [5]. There are other approaches which might explain why this could be the case, such as Institutional theory [5] and DeLone McLean [1]… but here, I am focusing on TOE and what it has to say about information security.

Information security

The general ISO Information Security Standard (ISO 27001:2013) defines the core role of information security as the preservation of the confidentiality, integrity, availability of information (the CIA triangle). Information security also addresses privacy, identity management, authentication, compliance, encryption, network security and physical security [4]. ISO 27001 is structured around 14 domains (listed in the table below). It should be possible to map them onto TOE contexts…

Thinking about information security is important because much research has established that security concerns remain the biggest barrier to the uptake of technologies like cloud computing [4][6][11]. Depending on their industry sector, businesses give security higher or lower priority, and within that will emphasise different parts of the CIA triangle. For instance, it is likely that client-centred professional firms such as lawyers give information security a high priority, with confidentiality of client data a particular concern [13].

What do T, O and E mean for information security anyway?

This seems a good point to run through how the three TOE contexts are defined in the literature, to be clear about what they cover (and don’t cover) – and how that relates to information security. I am using Baker [2] as the main point of reference for TOE, as it is written as a summary of the general understanding of TOE theory, but I contrast it with other approaches where interesting.

Technology

Technology has long been a problematic concept, as it is entangled with use and knowledge of how to use it. You don’t have to be a follower of Latour or a believer in ANT to see that it is inherently difficult to draw a boundary around what is meant by the word. But what is meant by ‘technology’ in TOE? It is not clear: it is not defined in a general overview of the model [2], nor in [10], which analyses uptake of cloud services. It’s not the focus of this post, so I think I will go with the consensus represented by the Wikipedia definition, as it seems to be consistent with the way the term is used in the TOE literature:

“The collection of techniques, skills, methods and processes used in the production of goods or services or in the accomplishment of objectives … Technology can be the knowledge of techniques, processes, etc. or it can be embedded in machines, computers, devices and factories…” (Retrieved 7 April 2016)

So information technology means more than hardware and software – it also includes the skills to install, configure and operate it, but it does not include (management) decisions on how and where to use the installed technology.

My argument is that information security (and Cybersecurity [12]) cover much more than this broad definition of technology, and so security cannot just be accounted for in the Technology context of TOE.

Organisation

Turning to the next context: Organisation in contrast is explicitly defined [2]: it relates to the linking structures (including management) and communications between employees. It provides the (organisational) context in which the technology is used.

Many of ISO27001’s 14 domains (listed in the table at the end of this post) are organisational in nature. Similarly, the US Government’s NIST security framework includes planning, policies, roles and responsibilities, assurance and accreditation – all factors which clearly belong in the Organisational context of TOE. (One ISO27001 domain, supplier relationships, could even be seen as environmental.)

NIST Cybersecurity framework: Illustrating the role of organisational factors [7, p12]

All these factors are also relevant to acquiring and then managing innovative technology – so need to be addressed within TOE. Indeed, governance and risk management have been recognised as key to understanding how organisations make a technology adoption decision – this aligns with Top Management support in TOE [1][3].

Environment

The final TOE context is Environment, which covers everything around the organisation: from market structures and competitive pressures to regulatory environment [1][3].

An organisation’s approach to information security is shaped by its environmental context, for example PCI-DSS and data protection laws (such as the laws derived from the EU’s data protection Directive, or SOX and HIPAA in the USA). The relationships with suppliers and customers are part of the environmental context – but also crucial to information security (think of the risks to information from bad practice elsewhere in the supply chain).

So, I think I’ve established that all three TOE contexts have information security aspects. This would seem to imply that there is a need for a coherent account of information security within TOE.

Can information security map onto TOE?

TOE seems to have potential to provide a framework for understanding the security factors involved in a technology adoption decision. However, much TOE technology adoption research has taken place without an explicit account of what is meant by security: eg Baker [2] does not mention security at all. Generally, where it does appear, security is not defined (nor linked to the wider information security literature) and it is treated as a single factor (generally within Technology, but sometimes as a moderating factor outside TOE [3]). For example, the review of the literature [10] for ‘security’ showed that in the 2/6 papers in which it is acknowledged, it is treated as an element within ‘Technology’.

One TOE paper [10] stands out for having an account of security and TOE: ‘Security’ in this context seems to refer to confidentiality, even though security is generally taken to include information availability and integrity. Disappointingly, security concerns are treated as a (single) negative factor in the relative advantage of an innovation of (cloud) technology – that is, the multi-dimensionality of security is not acknowledged. However, security-related factors are implicitly acknowledged as significant in a number of other places [10]. For instance, there are separate and contrasting references to ‘privacy’, ‘government regulation’, ‘information loss’, ‘confidentiality’ and ‘integrity’ – all terms that relate directly to information security.

Despite this, there are benefits from sticking with a framework like TOE for its theoretical basis and empirical support. The alternatives are to revert to a positivist approach of statistical correlation (which has a limited explanatory power) – or to abandon TOE in favour of another framework which can explicitly account for information security.

So, I conclude this next step in my thinking with a start of an analysis of the information security aspects of the TOE contexts… as far as I know, though previous work has looked at the role of governance frameworks in TOE [1], this is the first time that ISO27000 domains have been explicitly mapped onto TOE contexts.

TOE context: Technology (readiness in terms of infrastructure and skills)

ISO27001 security domains:
  • Asset Management
  • System acquisition, development and maintenance
  • Access Control
  • Physical and environmental security
  • Operation Security
  • Communication security
  • Cryptography

TOE perspective:

Relative advantage (is the technology better than the idea it supersedes?): includes protection against loss of information [10] (confidentiality, privacy).

Compatibility: applies in contexts with ‘low security concerns’, ie is security compatible with business needs [10]. (This is the factor that is used most frequently for security in TOE [8].)

Complexity: issues with defining boundaries and securing business processes and data privacy (confidentiality, integrity), though some approaches include ‘data security and confidentiality’ here [2].

TOE context: Organisation

ISO27001 security domains:
  • Information Security Policies
  • Organization of Information Security
  • Human Resource Security
  • Information security incident management
  • BCP: Information security aspects
  • Supplier relationships

TOE perspective:

Top management support: role of power, control and information links/sharing [10]. Top management support will be evidenced by willingness to invest in the security domains, for instance information security training, and development and implementation of information security policies – including HR and BCP. Risk management, processes and controls (including auditability). Security culture (and hence willingness to take risky decisions) will also be impacted.

Firm size: the TOE literature is ambiguous on the impact of firm size. Information security recognises that the governance environment (and hence management support) varies significantly between large and small organisations.

TOE context: Environment

ISO27001 security domains:
  • Supplier relationships

Additionally: professional and regulatory context as drivers: DPA, SOX/HIPAA

TOE perspective:

Competitor pressure: indirect pressure through establishment of security expectations. Sectors with sensitive data will be reluctant to innovate. (In contrast with institutional theory [5], TOE has no further account for supply chain or influence of rivals in coming to a common solution.)

Regulatory support: conflicts with competitor pressure [Borgman]. Laws, regulations and professional standards (privacy, client confidentiality) can support or inhibit decisions (‘data security constraints’ [2]).

Table: Reviewing information security aspects of TOE contexts (I know it needs developed)

Sources

Unfortunately, as I noted before, most of these sources will cost you if you are accessing them from outside a university.

  1. Aoun, C., Vatanasakdakul, S., & Chen, Y. (2011). IT Governance Framework Adoption: Establishing Success Factors. In M. Nüttgens, A. Gadatsch, K. Kautz, I. Schirmer, & N. Blinn (Eds.), Governance and Sustainability in … (pp. 239–248). Springer Berlin Heidelberg. http://doi.org/10.1007/978-3-642-24148-2_15
  2. Baker, J. (2012). The Technology–Organization–Environment Framework. In Y. K. Dwivedi, M. R. Wade, & S. L. Schneberger (Eds.), Information Systems Theory (Vol. 28, pp. 231–245). New York, NY: Springer New York. http://doi.org/10.1007/978-1-4419-6108-2
  3. Borgman, H. P., Bahli, B., Heier, H., & Schewski, F. (2013). Cloudrise: Exploring Cloud Computing Adoption and Governance with the TOE Framework. In 2013 46th Hawaii International Conference on System Sciences (pp. 4425–4435). IEEE. http://doi.org/10.1109/HICSS.2013.132
  4. Carroll, M., van der Merwe, A., & Kotze, P. (2011). Secure cloud computing: Benefits, risks and controls. In 2011 Information Security for South Africa (pp. 1–9). IEEE. http://doi.org/10.1109/ISSA.2011.6027519
  5. Cavusoglu, H., Cavusoglu, H., Son, J.-Y., & Benbasat, I. (2015). Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information & Management, 52(4), 385–400. http://doi.org/10.1016/j.im.2014.12.004
  6. Chang, V., Kuo, Y.-H., & Ramachandran, M. (2016). Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, 24–41. http://doi.org/10.1016/j.future.2015.09.031
  7. NIST (2014) Framework for Improving Critical Infrastructure Cybersecurity. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
  8. Lin, A., & Chen, N.-C. (2012). Cloud computing as an innovation: Perception, attitude, and adoption. International Journal of Information Management, 32(2012), 533–540. http://doi.org/10.1016/j.ijinfomgt.2012.04.001
  9. Oliveira, T., & Martins, M. (2011). Literature review of Information Technology Adoption Models at Firm Level. Electronic Journal of Information …, 14(1), 110–121. Retrieved from http://www.ejise.com/issue/download.html?idArticle=705
  10. Oliveira, T., Thomas, M., & Espadanal, M. (2014). Assessing the determinants of cloud computing adoption: An analysis of the manufacturing and services sectors. Information & Management, 51(5), 497–510. http://doi.org/10.1016/j.im.2014.03.006
  11. Phaphoom, N., Wang, X., Samuel, S., Helmer, S., & Abrahamsson, P. (2015). A survey study on major technical barriers affecting the decision to adopt cloud services. Journal of Systems and Software, 103, 167–181. http://doi.org/10.1016/j.jss.2015.02.002
  12. von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102. http://doi.org/10.1016/j.cose.2013.04.004
  13. Smith, D. (2015). Securing the law firm. Computer Fraud & Security, 2015(4), 5–7. http://doi.org/10.1016/S1361-3723(15)30026-9

MSc Business Information Technology: There’s more to computing than coding!

I lead the MSc in Business Information Technology programme at Edinburgh Napier University. We’re running a postgraduate open evening here at the Merchiston Campus of Edinburgh Napier University and I’ll be around to answer questions 5-7pm on 6 April, 2016…

More here: Postgrad open evening: 6th April, 2016


Democratic Participation in a Citizen’s Europe: What Next for the EU?

Janice Thompson of the ECI campaign has been in touch to tell me about an upcoming conference:

This collaborative conference will bring together democracy activists, campaigners, academics and policy makers to explore current challenges and future opportunities for EU public participation. It will build on learning from citizens’ initiatives and petitions, deliberative forums, citizen lobbying, social movements and more. Participants will together imagine new ways and means to develop a more participative and democratic European Union.

Thursday, 5 May 2016, 9:30 AM – 5:30 PM. University of Liverpool – Liverpool, England

For more information and to register:
https://www.liverpool.ac.uk/law-and-social-justice/conferences/democratic-participation-in-a-citizens-europe-what-next-for-the-eu/

I remember being sceptical of the ECI process in the past, and sadly, the scepticism has been borne out. The reforms won by the UK government ahead of the EU referendum are not about increasing citizen engagement with the EU… is the EC capable of and willing to create a genuinely participatory opening?

So, I’ll be interested to see what comes of this conference. It should be interesting.


Looking for a theory to explain the impact of security on technology adoption decisions

It hasn’t often appeared as a topic in this blog, but I have an interest in information security. Recently, I’ve been looking at some data on how a group of businesses have decided to (not) move to the cloud – security emerged as a key consideration (not surprisingly). This blog post explores one theory (TOE) which claims to explain how these decisions are made, focusing on how well it copes with the importance of security. Apologies in advance for the somewhat dry academic style.

I’m still getting my thoughts together, so feedback and corrections are very welcome.

Some background: The TOE framework

Like individuals, organisations and businesses are constrained by circumstances when making decisions. One important choice a business can make is whether to implement a technology that is new to it (such as cloud computing). Researchers have long been exploring frameworks to explain what factors affect management choices. Without an explanation, we are left with gut feelings or statistical correlations, and not much in the way of understanding of why some factors are more important.

This blog post looks at one model of innovation adoption, called Technology, Organisation and Environment (TOE) [1]. TOE is an extension of a well-known, frequently used theory called Diffusion of Innovation, which has been developed by Everett Rogers since the 1950s. It claims to provide a mechanism for explaining an organisation’s response to a new technology by assessing internal and external factors that influence adoption of new technological innovations.


Figure 1 A typical TOE model

The diagram above gives a quick overview of how TOE approaches the factors behind the decision. Over the last 20 years, a body of research has expanded the three top-level contexts by developing a number of different variables which have been used to explain their impact in different business environments: the eight bulleted items above reflect the most commonly used variables.

From my perspective, what is interesting is that there is nothing in TOE that has a clear link to information security – but security is a major (and growing) factor in technology adoption decisions. This raises the question of what is the most appropriate way to deal with security: as a new variable (or factor?) – or as something that pervasively influences all (or most) of the variables.

Note: There are other established theories for explaining organisational behaviour, including institutional theory, which provides a strong model of the impact of social and cultural factors. Other theories attempt to explain or predict individual choice: for instance the theory of planned behaviour or the various Technology Acceptance Models (TAM).

Information security

A good place to start is to be clear that security here means information security. Information security is generally agreed (by ISO27000 for instance) to include achieving the Confidentiality, Integrity and Availability of information that an organisation is responsible for. (Other factors including Privacy have also been proposed but I want to keep the story simple.)

Security is broader than a mere consideration of technology [8] – though unfortunately security is still often seen as (simply) a technical challenge. The non-technical nature of information security can be demonstrated by the activities of an organisation as it maximises its information security, including:

  • installing, configuring, running & monitoring technologies
  • carrying out risk management to prioritise security prevention, detection and recovery activities
  • putting management controls in place
  • supporting a positive organisational security culture
  • ensuring compliance with laws and government regulations such as the Sarbanes Oxley Act or Data Protection law in Europe.

These elements are all important to choice of technology and would seem to relate to all three TOE factors: technology used, organisational context and the business environment. But when reviewing TOE research relating to the adoption of cloud services, I have noticed that there’s a lack of sophistication in the consideration of what is meant by ‘security’: when it is considered at all, it is generally as a part of the technological factor [5] or bolted on top of the TOE framework [2]. The lack of research into factors behind security related decisions is also noted by other researchers in this area, eg [3], which uses institutional theory as its theoretical lens.

Even when security has been considered within TOE research, findings have been mixed. For instance, security considerations were not found to be a factor for the manufacturing or service sector SMEs in Portugal [6]. This is counter-intuitive and it is acknowledged that context (such as country and business sector) could be important, and that there is a need to formulate an adoption model for each industry: the legal sector for instance is likely to have a very different attitude to security, particularly around client confidentiality, and regulatory compliance.

The story so far…

So, TOE may have potential to provide a framework for understanding the security factors involved in a technology adoption decision (for instance, whether to move to cloud services), but it would help if it could incorporate a richer account of security.

The next challenge is to see whether/how the extensive information security literature can be married to the TOE models of innovation decisions to provide a richer understanding.

Sources

Here are the main sources I used when putting this post together. Unfortunately, most of these sources will cost you if you are accessing them from outside a university.

  1. Baker, J. (2012). The Technology–Organization–Environment Framework. In Y. K. Dwivedi, M. R. Wade, & S. L. Schneberger (Eds.), Information Systems Theory (Vol. 28, pp. 231–245). New York, NY: Springer New York. doi:10.1007/978-1-4419-6108-2
  2. Borgman, H. P., Bahli, B., Heier, H., & Schewski, F. (2013). Cloudrise: Exploring Cloud Computing Adoption and Governance with the TOE Framework. In 2013 46th Hawaii International Conference on System Sciences (pp. 4425–4435). IEEE. doi:10.1109/HICSS.2013.132
  3. Cavusoglu, H., Cavusoglu, H., Son, J. Y., & Benbasat, I. (2013). Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information and Management, 52(4), 385–400. doi:10.1016/j.im.2014.12.004
  4. Chang, V., Kuo, Y.-H., & Ramachandran, M. (2016). Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, 24–41. doi:10.1016/j.future.2015.09.031
  5. Oliveira, T., & Martins, M. (2011). Literature review of Information Technology Adoption Models at Firm Level. European Conference on Information Management and Evaluation. E-Journal of IS Evaluation, 14(1).
  6. Oliveira, T., Thomas, M., & Espadanal, M. (2014). Assessing the determinants of cloud computing adoption: An analysis of the manufacturing and services sectors. Information & Management, 51(5), 497–510. doi:10.1016/j.im.2014.03.006
  7. von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102. doi:10.1016/j.cose.2013.04.004
  8. Whitman, M. E., & Mattord, H. J. (2010). Management of Information Technology (International Edition). Thomson Course Technology.
  9. Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), 583–592. doi:10.1016/j.future.2010.12.006