Information literacy to support democratic engagement

Our latest community councillor project is now well underway. It’s called IL-DEM, and we’re blogging about it on our community knowledge website. It focusses on the information behaviours of community councillors in Scotland as they go about their role of sharing information.

Find out more on Prof Hazel Hall’s blog post “Information Literacy for Democratic Engagement: project update #IL-DEM”

This project also gives me the chance to revisit an old interest: online “lurkers” (I hate that word, but it’s what people use) and the need to treat them as part of the democratic process. IL-DEM gives us a chance to find out what community councillors think about their lurkers – I’ll be posting more on this subject in due course.

Posted in Daily Links, e-participation, Information behaviour, UK

Hear from postgraduate MSc Business Information Technology students

We’ve just published a short video publicising the MSc course I lead. I’m biased, but I do think it’s a great programme – there are not many places that offer such a good opportunity to strengthen your portfolio of business analysis and technology skills.

The programme appeals to recent IT and business/management graduates – and also to people looking for a chance to retrain, or re-enter the work environment. (And Edinburgh’s not a bad place to study in.)

Spread the word!  (You’ll have to follow the link to see the video)

Posted in Daily Links

A modest proposal… for the ECI

In the lead up to the mini conference next week on democratic participation in the EU which I blogged last month, I was asked to contribute an idea for pre-conference discussion: a short proposal for “democratising the EU via citizen participation”.

My proposal focusses on what I know (the ECI) and is as follows:

A minimal proposal for democratising the EU via citizen participation

There is plenty of “democracy” in the EU’s institutions,  if you look: from direct elections to the European Parliament, to national government representation in the Council of Ministers, and the option of direct participation by citizens in agenda setting via the ECI. The problem is that the institutions are not visibly delivering democratic accountability (or effective governance).

How could citizen participation solve the problem?  To start with, I think it has to be acknowledged that direct democracy at the EU level is not an option – only a small minority of citizens will ever engage with single issues and the process is too open to manipulation.

On the other hand, for various reasons, the Commission has failed to make the ECI an effective process.

My proposals would be, then: first, simplify the ECI process and requirements by, for example, removing the checks on ECIs which are “manifestly against the values of the Union” [this term is far too judgmental for a bureaucrat], and allow ECIs to propose changes to Treaties [why not: it’s difficult to do, but should not be impossible to propose].

Second, create a single (or federated), secure, auditable EU-wide system open to all who wish to run an ECI  which captures and encrypts minimal data on the signatories.

Finally: let the Parliament be responsible for the ECI process, not the Commission. Successful ECI proposals would be debated on the floor of the Parliament, and if accepted, require an administrative response from the Commission, or be adapted into a proposed EU law. This perhaps would go some way to creating a pan-EU polity and to strengthen the most democratic institution of the EU.

I thought I would restrict myself to a simple proposal to make the ECI work a bit better. I will leave the imaginative and revolutionary ideas to others.

My proposal is picking up on themes I’d worried about back in 2010 and 2011 while the rules were being drafted:

Finally, it might be worth reading this blog post and this one which between them summarise the issues I still feel are important if the ECI is to be a truly effective mechanism.


Posted in e-participation, Europe, thoughts

Risks, controls & incident handling, and why they matter

I hosted a longish lecture & discussion this morning with a small but select mix of MBA students from Providence College School of Business and Edinburgh Napier computing students. They had been working on a project to visualise some security log data to help identify the wheat (data leaks) from the chaff (ordinary traffic).

My challenge: give an overview to explain how the tool they were developing fits into the business context.

I focussed on explaining how risk management and controls are the route to understanding why information security matters to business. I also discussed why incident handling is no longer optional (thank APT, and think about TalkTalk’s experience of its data breaches).

My main point was that a tool that identifies incidents quickly acts as a detect control (part of risk management) and will help management make better decisions, earlier. A useful thing for both MBA and Computing students to know!

Here are the slides:

Posted in Audit, Security

What can TOE say about information security?

This post continues my exploration of the frameworks used for understanding the role of information security in business decisions. I’m still working on my thinking, so please bear with me… and let me know where I have got things wrong.

As I explained in my last post on this subject, I’m exploring theories that explain the issue from the perspectives of organisations rather than individual choices. This is an interesting area because there is ongoing disagreement on why variations exist between organisations in the amount of resources for information security controls [5]. There are other approaches which might explain why this could be the case, such as Institutional theory [5] and DeLone McLean [1]… but here, I am focusing on TOE and what it has to say about information security.

Information security

The general ISO Information Security Standard (ISO 27001:2013) defines the core role of information security as the preservation of the confidentiality, integrity, availability of information (the CIA triangle). Information security also addresses privacy, identity management, authentication, compliance, encryption, network security and physical security [4]. ISO 27001 is structured around 14 domains (listed in the table below). It should be possible to map them onto TOE contexts…

Thinking about information security is important because much research has established that security concerns remain the biggest barrier to the uptake of technologies like cloud computing [4][6][11]. Depending on their industry sector, businesses give security higher or lower priority, and within that will emphasise different parts of the CIA triangle. For instance, it is likely that client-centred professional firms such as lawyers give information security a high priority, with confidentiality of client data a particular concern [13].

What do T, O and E mean for information security anyway?

This seems a good point to run through how the three TOE contexts are defined in the literature to be clear about what they cover (and don’t cover) – and how that relates to information security. I am using Baker [2] as the main point of reference for TOE, as it is written as a summary of the general understanding of TOE theory, but I contrast it with other approaches where interesting.


Technology has long been a problematic concept as it is entangled with use and knowledge of how to use it. You don’t have to be a follower of Latour or a believer in ANT to see that it is inherently difficult to draw a boundary around what is meant by the word. But what is meant by ‘technology’ in TOE? It is not clear: it is not defined in a general overview of the model [2], nor in [10], which analyses uptake of cloud services. It’s not the focus of this post, so I think I will go with the consensus represented by the Wikipedia definition as it seems to be consistent with the way the term is used in the TOE literature:

“The collection of techniques, skills, methods and processes used in the production of goods or services or in the accomplishment of objectives … Technology can be the knowledge of techniques, processes, etc. or it can be embedded in machines, computers, devices and factories…” (Retrieved 7 April 2016)

So information technology means more than hardware and software – it also includes the skills to install, configure and operate it, but it does not include (management) decisions on how and where to use the installed technology.

My argument is that information security (and Cybersecurity [12]) cover much more than this broad definition of technology, and so security cannot just be accounted for in the Technology context of TOE.


Turning to the next context: Organisation in contrast is explicitly defined [2]: it relates to the linking structures (including management) and communications between employees. It provides the (organisational) context in which the technology is used.

Many of ISO27001’s 14 domains (listed in the table at the end of this post) are organisational in nature. Similarly, the US Government’s NIST security framework includes planning, policies, roles and responsibilities, assurance and accreditation – all factors which clearly belong in the Organisational context of TOE. (One ISO27001 domain, supplier relationships, could even be seen as environmental.)

NIST Cybersecurity framework: Illustrating the role of organisational factors [7, p12]

All these factors are also relevant to acquiring and then managing innovative technology – so need to be addressed within TOE. Indeed, governance and risk management have been recognised as key to understanding how organisations make a technology adoption decision – this aligns with Top Management support in TOE [1][3].


The final TOE context is Environment, which covers everything around the organisation: from market structures and competitive pressures to regulatory environment [1][3].

An organisation’s approach to information security is shaped by its environmental context, for example PCI-DSS and data protection laws (such as the laws derived from the EU’s data protection Directive or SOX and HIPAA in the USA). The relationships with suppliers and customers are part of the environmental context – but also crucial to information security (think of the risks to information from bad practice elsewhere in the supply chain).

So, I think I’ve established that all three TOE contexts have information security aspects. This would seem to imply that there is a need for a coherent account of information security within TOE.

Can information security map onto TOE?

TOE seems to have potential to provide a framework for understanding the security factors involved in a technology adoption decision. However, much TOE technology adoption research has taken place without an explicit account of what is meant by security: eg Baker [2] does not mention security at all. Generally where it does appear, security is not defined (nor linked to the wider information security literature) and it is treated as a single factor (generally within Technology, but sometimes as a moderating factor outside TOE [3]). For example, the review of the literature [10] for ‘security’ showed that in the 2/6 papers where it is acknowledged, it is treated as an element within ‘Technology’.

One TOE paper [10] stands out for having an account of security and TOE: ‘Security’ in this context seems to refer to confidentiality, even though security is generally taken to include information availability and integrity. Disappointingly, security concerns are treated as a (single) negative factor in the relative advantage of an innovation of (cloud) technology – that is, the multi-dimensionality of security is not acknowledged. However, security-related factors are implicitly acknowledged as significant in a number of other places [10]. For instance, there are separate and contrasting references to ‘privacy’, ‘government regulation’, ‘information loss’, ‘confidentiality’ and ‘integrity’ – all terms that relate directly to information security.

Despite this, there are benefits from sticking with a framework like TOE for its theoretical basis and empirical support. The alternatives are to revert to a positivist approach of statistical correlation (which has limited explanatory power) – or to abandon TOE in favour of another framework which can explicitly account for information security.

So, I conclude this next step in my thinking with a start of an analysis of the information security aspects of the TOE contexts… as far as I know, though previous work has looked at the role of governance frameworks in TOE [1], this is the first time that ISO27000 domains have been explicitly mapped onto TOE contexts.

TOE context: Technology (readiness in terms of infrastructure and skills)

ISO27000 security domains:

  • Asset Management
  • System acquisition, development and maintenance
  • Access Control
  • Physical and environmental security
  • Operation Security
  • Communication security
  • Cryptography

TOE perspective:

Relative advantage (is the technology better than the idea it supersedes): includes protection against loss of information [10] – (confidentiality, privacy).

Compatibility: Apply in contexts with ‘low security concerns’ – ie is security compatible with business needs [10]. (This is the factor that is used most frequently for security in TOE [8].)

Complexity: Issues with defining boundaries and securing business processes and data privacy (confidentiality, integrity), though some approaches include ‘data security and confidentiality’ here [2].

TOE context: Organisation

ISO27000 security domains:

  • Information Security Policies
  • Organization of Information Security
  • Human Resource Security
  • Information security incident management
  • BCP: Information security aspects
  • Supplier relationships

TOE perspective:

Top management support: Role of power, control and information links/sharing [10]. Top management support will be evidenced by willingness to invest in the security domains, for instance information security training, development and implementation of information security policies – include HR and BCP. Risk management, processes and controls (including auditability). Security culture (and hence willingness to take risky decisions) will also be impacted.

Firm size: The TOE literature is ambiguous on the impact of firm size. Information Security recognises that the governance environment (and hence management support) varies significantly between large and small organisations.

TOE context: Environment

ISO27000 security domains:

  • Supplier relationships

Additionally: Professional and regulatory context as drivers: DPA, SOX/HIPAA

TOE perspective:

Competitor pressure: Indirect pressure through establishment of security expectations. Sectors with sensitive data will be reluctant to innovate. (In contrast with institutional theory [5], TOE has no further account for supply chain or influence of rivals in coming to a common solution.)

Regulatory support: Conflicts with competitor pressure [3]. Laws, regulations and professional standards (privacy, client confidentiality) can support or inhibit decisions (‘data security constraints’ [2]).

Table: Reviewing information security aspects of TOE contexts (I know it needs developed)


Unfortunately, as I noted before, most of these sources will cost you if you are accessing them from outside a university.

  1. Aoun, C., Vatanasakdakul, S., & Chen, Y. (2011). IT Governance Framework Adoption: Establishing Success Factors. In M. Nüttgens, A. Gadatsch, K. Kautz, I. Schirmer, & N. Blinn (Eds.), Governance and Sustainability in … (pp. 239–248). Springer Berlin Heidelberg.
  2. Baker, J. (2012). The Technology–Organization–Environment Framework. In Y. K. Dwivedi, M. R. Wade, & S. L. Schneberger (Eds.), Information Systems Theory (Vol. 28, pp. 231–245). New York, NY: Springer New York.
  3. Borgman, H. P., Bahli, B., Heier, H., & Schewski, F. (2013). Cloudrise: Exploring Cloud Computing Adoption and Governance with the TOE Framework. In 2013 46th Hawaii International Conference on System Sciences (pp. 4425–4435). IEEE.
  4. Carroll, M., van der Merwe, A., & Kotze, P. (2011). Secure cloud computing: Benefits, risks and controls. In 2011 Information Security for South Africa (pp. 1–9). IEEE.
  5. Cavusoglu, H., Cavusoglu, H., Son, J.-Y., & Benbasat, I. (2015). Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information & Management, 52(4), 385–400.
  6. Chang, V., Kuo, Y.-H., & Ramachandran, M. (2016). Cloud computing adoption framework: A security framework for business clouds. Future Generation Computer Systems, 57, 24–41.
  7. NIST (2014) Framework for Improving Critical Infrastructure Cybersecurity.
  8. Lin, A., & Chen, N.-C. (2012). Cloud computing as an innovation: Perception, attitude, and adoption. International Journal of Information Management, 32(2012), 533–540.
  9. Oliveira, T., & Martins, M. (2011). Literature review of Information Technology Adoption Models at Firm Level. Electronic Journal of Information …, 14(1), 110–121. Retrieved from
  10. Oliveira, T., Thomas, M., & Espadanal, M. (2014). Assessing the determinants of cloud computing adoption: An analysis of the manufacturing and services sectors. Information & Management, 51(5), 497–510.
  11. Phaphoom, N., Wang, X., Samuel, S., Helmer, S., & Abrahamsson, P. (2015). A survey study on major technical barriers affecting the decision to adopt cloud services. Journal of Systems and Software, 103, 167–181.
  12. von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102.
  13. Smith, D. (2015). Securing the law firm. Computer Fraud & Security, 2015(4), 5–7.
Posted in Methodologies, research, Security