Application 3 – Annotated Bibliography


Disaster Prevention and Management: An International Journal Managing computer security issues: preventing and limiting future threats and disasters Peter R.J. Trim,

Article information: To cite this document: Peter R.J. Trim, (2005) "Managing computer security issues: preventing and limiting future threats and disasters", Disaster Prevention and Management: An International Journal, Vol. 14 Issue: 4, pp.493-505, https://doi.org/10.1108/09653560510618339 Permanent link to this document: https://doi.org/10.1108/09653560510618339



Managing computer security issues: preventing and limiting future threats and disasters

Peter R.J. Trim
Department of Management, Birkbeck College, University of London, London, UK

Abstract

Purpose – The purpose of this paper is to make explicit why security needs to be viewed as a core activity and why senior management need to view security from a holistic perspective. Reference is made to various activities carried out by computer hackers and the costs associated with computer-related crime.

Design/methodology/approach – A literature review was undertaken and a conceptual security model was produced. The key elements of the activities associated with security were highlighted and the links between the activities were made clear.

Findings – Organized criminal syndicates and international terrorist groups are increasing their level of activity. Senior managers within companies need to put in place an intelligence and security strategy to counter the activities of criminals and terrorists. Furthermore, senior managers will in the future have to work more closely with law enforcement representatives and industry representatives. They will also have to develop an appreciation of the strategic intelligence objectives of various governments. There is also evidence that senior management need to pay greater attention to identifying future threats associated with advances in internet technology.

Research limitations/implications – More attention will need to be given to how facilitating technology such as the internet is providing computer hackers and criminals with ways to either disrupt business activities or extend the range of criminal activities that they are engaged in.

Practical implications – Senior management will need to refocus on the capability of staff vis-à-vis corporate intelligence and security work. The learning organization concept can be embraced and can be used to assist staff to identify the advantages associated with effective knowledge management. Scenario analysis and simulation exercises can be used to train staff in emergency work, and disaster management and prevention.

Originality/value – A diverse range of topics is covered and integrated into a security-oriented context. Attention is focused on the link between organized criminal syndicates and international terrorist groups, and why senior managers in companies need to be engaged in disaster management recovery planning. The material highlights why senior managers in companies need to develop business contingency plans and embrace the counterintelligence concept.

Keywords Internet, Intelligence, Data security

Paper type Conceptual paper

Introduction

The latest scare to focus the attention of information technology and systems managers and experts, and computer specialists, was the Sobig.F computer virus, which contained an alarm program designed to cause havoc by activating and synchronising an attack on infected networks (Ungoed-Thomas, 2003, p. 19). This episode is yet another aspect of an established and growing culture of computer-oriented crime that is aimed at causing as much disruption as possible to organizations and individuals. Computer-oriented crime covers a broad range of activities that include the work of computer hackers (some of whom have criminal intent) and those set on causing maximum disruption by producing and unleashing a computer virus. Indeed, according to Craig (2002) of Trend Micro, the Love Bug virus, launched in May 2000, was said to have caused US$8.75 billion worth of damage, and a direct-action worm which attacked web servers and infected 250,000 computers in nine hours caused an estimated US$2.4 billion worth of damage.

Ungoed-Thomas (2003, p. 19) has put all this into perspective by indicating that Price Waterhouse Coopers have estimated that the total cost, in terms of lost business and related costs, of the work of computer hackers and virus authors is put at £1 trillion. This is an enormous amount of money. However, when viewed from an opportunity cost perspective, the figure cited takes on a far more serious meaning. It can also be argued that, in order for organizations to either make cost savings or provide higher returns to shareholders, senior managers are going to have to share more information relating to the work of hackers and virus producers with staff employed by other organizations. But this is easier said than done, owing to the fact that managers are reluctant to share or divulge sensitive and in many cases confidential data and information. This is because unnecessary leaks can result in inappropriate publicity for the organization that has been targeted by hackers or organized criminal syndicates. As a result of negative publicity, business may be lost, or various investors may consider further investment in the organization to be too risky and look elsewhere. A targeted organization may also suffer in the sense that contracts with clients are cancelled and damaging rumours begin to spread throughout the industry.

Senior managers do need to be made fully aware of the costs involved, and as a consequence more needs to be done than just putting in place a risk assessment team that deals with clear-cut matters of uncertainty. For example, Craig (2002) has indicated that the other related costs associated with an attack on an organization (such as a clean-up operation) can be anything from £3,000 to £300,000 per virus infection. This alone is proof that small and medium-sized organizations are at risk if senior management has not made security a core activity. By making security a core activity, the security function within the organization can be integrated into the strategic planning process. This would have the benefit of forcing both senior managers and junior managers within the organization, and those employed by partner organizations (suppliers, wholesalers, retailers and support organizations which provide specialist services), to exchange relevant information on a continual basis. It would also force senior managers to put in place a strategic counter-intelligence and defence protection system that would neutralize the actions of computer hackers, virus producers and organized criminal syndicates intent on causing damage and disruption to the organization. But robust internal security is also of growing necessity. Hacking that is carried out by internal staff is becoming a growing problem. Indeed, Crowcombe (2002) has indicated that internal computer hackers account for about a third of all hacking activities, and this is worrying.

What is even more worrying is the fact that law enforcement agencies worldwide are hard pressed to deal effectively with computer-oriented crime. Law enforcement agencies will have to make a considerable investment in terms of personnel and equipment, and work in partnership with the intelligence and security agencies, and various organizations, if they are to deal effectively with hackers, virus authors, organized criminal syndicates and terrorist cells and organizations. This is because the individuals involved in causing damage and disruption are indeed using the world wide web, and other forms of technology, to transfer information that can result in a co-ordinated attack on an organization. Organized criminal syndicates have adopted highly sophisticated command and control systems and are investing a great deal of money in computer systems and in encryption especially. They are identifying new criminal activities and are forging links with international terrorist cells and organizations. This is of growing concern to law enforcement, intelligence and security officers, and is forcing political leaders to view national security from a regional and international stance. What is of major concern to law enforcement officers is the fact that those who carry out electronic crime can change their regional operating base at any given time. This means that the perpetrators of international crime can operate from anywhere and can at times disguise their identities. Stealing identities or creating false identities are ways and means of pushing the blame or attention onto somebody else, and at the same time this enables criminals to gain time in order to commit another criminal act.

International criminal syndicates and terrorist organizations are, therefore, in a position to unleash a variety of criminal-oriented attacks, and this means that international criminal syndicates can deploy different forms of criminal activity as it suits them. So we have entered a phase whereby criminals and terrorists are developing a portfolio of high-level damaging activities, all of which are aimed at securing the highest returns possible as perceived by the leaders of these gangs and groups.

It is important to realize that security needs to take into account recovery and containment (Brooks et al., 2002, p. 380), and this assumes that the organization will receive a hit. It also assumes that an effective contingency plan needs to be in place to deal with the activated threat. Senior management are, therefore, responsible for ensuring that a disaster management recovery plan can be implemented immediately and meets the objectives set: these relate to damage limitation, containment of the threat, recovering data and information, and restoring business operations.

In order to learn from past threat-oriented events, it is necessary to implement an effective internal marketing policy that informs staff of what the procedures are in the case of an activated threat, and how knowledge gained from the event is to be documented and stored so that those undergoing training in security can be well informed. A well-defined and effective public relations policy and strategy is an important factor with respect to appeasing external stakeholders (banks, customers and partnership organizations for example). What is crucial, however, is that business continuity plans are tested and updated (Kwok and Longley, 1999, p. 38).

In order that business continuity planning is realistic, security officers must pose a number of relevant questions that go beyond immediate security needs. They also need to be vigilant. Desai et al. (2002, p. 138) have stated that: “Once a firewall is operational, a company should remain knowledgeable about firewall advances and emerging threats. Firewall technology will continue to advance providing the capability for increased protection. Changes in system architecture or data requirements may also require a change in the company’s firewall strategy”. Chief security officers need to be aware of the fact that firewalls represent only a technical solution, but they do assist the enforcement of a security policy (Tryfonas et al., 2001, p. 194).


Proactive security

Hearn and Rooney (2002, p. 24) have indicated that when complex adaptive systems evolve, they can remain the same; they can adapt and thus change; they can be transformed; or they can cease to exist. Baskerville and Siponen (2002, p. 341) are correct to state that: “Fast-moving organizational change means fast-changing information requirements. As a result, limited access to information through stringent access control can become a drag on organizational change and thereby threaten organizational survival”. One can suggest, therefore, that senior management need to adopt a pro-active approach to security, and this demands that an intelligence function is created that ensures that data and information are collected, screened, analyzed and interpreted, and that the problems/issues identified are then researched and an explanation arrived at. This suggests that theory building is a necessary element of inclusive security. It also suggests that an intelligence culture will develop that has both an internal and an external orientation.

Senior management cannot sit back and wait for security systems to evolve naturally; the necessary commitment and stimulation need to be put in place so that a security culture is created that incorporates an intelligence dimension. The organization’s intelligence function needs to have a specific organizational-environment focus. Hence it needs to be organization specific; industry specific; technology specific; and country specific. This being the case, corporate intelligence and security will automatically be linked to governmental transnational intelligence. Transnational intelligence deals with the many but integrated threats that emerge to debilitate a system. Once a system is debilitated, it is both defenceless and vulnerable. It is then a question of time before anti-social elements can establish themselves and penetrate the system further by putting in place a network of cells and activists. The work of hacktivist groups is both focused and highly disruptive. What is clear is that hacktivists are organizing their activities and actions in order to get maximum attention, and are actively seeking media coverage in order to raise their profile and gain support from individuals with similar mindsets (Vegh, 2003). A well-crafted intelligence and security strategy will automatically put in place a number of defensive mechanisms that are company and industry specific. It does mean, however, that chief security officers will need to ensure that company staff work closely with government officials from time to time, and that, as well as passing specific types of data and information to government representatives, a follow-up mechanism is in place to provide information to other possible/likely targets within the industry. What is essential is that a debriefing mechanism is in place that allows staff within the organization to learn from the various security exercises that are undertaken from time to time.

Baskerville and Siponen (2002, p. 338) are correct to point out the necessity for information security management standards and the fact that security needs to be placed within a more holistic security management decision-making context. Classifying security according to high-level and low-level information security policy requirements is relevant as it identifies who in the organization is responsible for making (or contributing to) security policy (Baskerville and Siponen, 2002, p. 339). Trim (1999) has outlined how staff can be categorized so that the risk of information leaks is reduced. Kwok and Longley (1999, p. 36) have stated that “Personal security is a vital part of organizational information security and it is important that there be formal commitments to this topic, and such formal commitments are communicated to staff”. It is important to identify which members of staff are given security clearance with respect to information, so as to protect sensitive and confidential data and information. A monitoring facility needs to be devised and implemented in order to:

• stop disillusioned staff disrupting the activities of the organization; and

• act as a counterintelligence mechanism that identifies if somebody has been planted in the organization to steal data and information.

As regards the latter, key issues can be data and information relating to cost structures, contract details and employee skill levels for example. Once it is understood that security covers all the aspects of an organization’s operations, it is then possible to adopt a holistic security policy that has an intelligence foundation. In other words, pro-active intelligence is the key to anticipating and putting in place counter-intelligence measures that identify and then neutralize threats as they occur.

Criminal activities

Warren (2002, p. 349), referring to a survey undertaken by the National Computer Centre in the UK, has reinforced the point that only about 50 per cent of companies have a security policy in place. Several factors are cited, but it is clear that budget constraints and skills constraints are the main factors, and this must prove worrying bearing in mind the vulnerability of organizations. For example, a computer hacker or virus author can invest time and effort in perpetrating an attack, but the damage caused can be tremendous and may see organizations with limited resources preferring to pay a ransom as opposed to suffering a hit and then carrying out expensive repair work. In other words, a market opportunity is developing for syndicated criminal groups to segment the market and identify small and medium-sized organizations that can be blackmailed into paying small sums of money on a continual basis. In the short term it may prove ideal for senior management to do this, as it is cheaper or more convenient for the organization (bearing in mind such factors as the cash flow situation) than it would be to invest large sums of money in establishing a high-level computer security system. One way to assess if an organization is able to pay a ransom is for criminals to work alongside corrupt auditors or corrupt bank staff who are in a position to appraise the cash flow of an organization and indicate if and when an organization can pay a ransom demand. A separate industry could develop around criminal consultancy services, and as a result this type of business activity (like illegal protection rackets) will assume a certain amount of acceptance. This is the case in various European countries where companies and governments (often through collusion) consider that it is more appropriate to pay a ransom in order to settle a problem as opposed to investing in counteracting criminal activity. But criminal syndicates do not need to hire outsiders; they have in place their own specialist staff who can carry out high-level computer work and financial analysis. Indeed, the sons and daughters of criminals are in fact keen to gain legitimate qualifications and use the knowledge gained to criminal effect.

It would seem that the market can be segmented vis-à-vis criminal opportunities. For example, Warren (2002, p. 350) has made reference to the work of Briney, who has reported on the CSI/FBI Computer Crime Survey and indicated that the main problems that organizations are confronted with are: theft of information; financial fraud; virus; insider net abuse; sabotage; unauthorised insider access; laptop theft; denial of service; system penetration; active wiretapping; telecom fraud; and telecom eavesdropping. As one looks hard at the figures provided, it seems that industrial espionage is a serious problem, but it is not identified as such. Industrial espionage is regarded as a taboo subject that is not really to be discussed. Industrial espionage is undertaken by a variety of individuals and organizations. As well as individual freelancers being involved, it is becoming clear that highly sophisticated and well-qualified individuals and/or organizations are stealing to order.

What emerges from the above and has been highlighted by Hutchinson and Warren (2003, p. 67), is that chief security officers need to work with other skilled individuals in order to produce relevant security frameworks that are designed to assist security personnel vis-à-vis identifying security requirements for a particular situation/industry. In order to be inclusive, however, it is important for those involved in undertaking a threat and risk analysis to think in terms of developing new security approaches and methodologies. This can be done in one of five ways:

(1) by reviewing the published literature and designing a hypothetical framework or plan that can be amended and then validated as required;

(2) by developing a framework or model from an existing framework/model;

(3) by developing a framework/model that is derived from the benchmarking process;

(4) by mathematically modelling the organization and as a consequence a security framework can be developed that is based on inputs and outputs; and

(5) by a group of organizations (possibly those involved in a partnership arrangement or those that make up a particular segment), whose representatives come together to pool resources and work with a trade association, and implement a security framework for the members of the network.

There is no doubt that the process of globalization has and will continue to transform organizations “in terms of their strategies, operations, management, and marketing, as well as their human and material resources and services” (Harris, 2002, pp. 417-18). So what then are the security issues and problems that are likely to emerge? Trim (2002a) has indicated that industrial espionage is and will continue to be of major concern to computer security staff and government officials. One way to counteract the activities of those involved in industrial espionage is for all those with an interest in security work to engage in industry-government co-operation. Trim (2001b) has linked intelligence and security, and this suggests that organizations need to develop both a security culture and an intelligence culture. But it also means that senior management need to be aware of the strategic intelligence issues that are of concern to a government. This means in fact that organizational security can be placed within a strategic intelligence and security context, and this will stretch the time horizon within which security matters are viewed. Hall (2004) has indicated that senior managers need to embrace the concept of security and place it in a holistic context. Hall (2004) has also stated that, in order that future threats are identified and eradicated, it is necessary for senior managers to accept that risk identification and threat limitation need to be integrated into company policy. Yates (2004) supports this view, and suggests that business continuity managers need to pay more attention to the issue of organizational vulnerability. Yates (2004) suggests that, as regards organizational network structures, senior managers need to identify and then put in place organizational policies that require partner organizations to work closely with supplier organizations in implementing contingency plans.

The internet

Hutchinson and Warren (2003, p. 69) have indicated that the internet is “a network of networks where there is no one single entity responsible for security or held accountable for any loss suffered”. This is a weakness in the sense that ownership becomes elusive, and the world wide web represents a vehicle through which a nation’s security can be challenged. Hence, the argument that the intelligence and security services need to be involved in more than just national security issues appears to be valid. The intelligence and security services do police the internet, and intelligence and security staff do work alongside law enforcement officers in order to eradicate the threats posed. As regards the internet, it is clear that trust and security are key factors (Chellappa and Pavlou, 2002, p. 364), and potential consumers need to be convinced that electronic commerce is safe. Liebermann and Stashevsky (2002, p. 292) have indicated that privacy and security are of concern to consumers. As we enter the electronic business era, it would seem logical to state that the concept of security is changing, and that a more holistic and pro-active approach to managing security issues needs to be taken.

Owing to the fact that staff in competitor organizations can be given sensitive and confidential information, and this sometimes occurs because of leaks (Higgins, 1999, p. 218), it is important that information going onto the internet is monitored. Indeed, security experts advise staff to place only selective and limited information about the organization and its employees on the internet. This is because sensitive information can be gained that allows hackers and criminals to identify people within an organization and then, working through a third party, to gain access to the organization. The problem stems from the fact that most managers feel that they should place as much information as possible about the organization on the world wide web. But this plays into the hands of criminals and hackers, who are continually seeking new opportunities to penetrate organizational defences.

Bearing the above in mind, it is clear that senior management need to review the organization’s corporate intelligence and security functions, and to link corporate intelligence to strategic marketing development and implementation (Trim, 2002b). It also means that senior management need to think in terms of finding new ways to assess risk and uncertainty, and to put in place formal management frameworks that result in an effective counter-intelligence policy being implemented (Trim, 2004). It also means that the term corporate intelligence needs to be carefully defined and in some cases redefined if, that is, a holistic view of security is to materialize. Trim (2001a, pp. 54-5) has defined corporate intelligence as: “the acquisition of knowledge using human, electronic and other means, and the interpretation of knowledge relating to the environment, both internal and external, in which the organization operates. It provides selected staff within the organization with up-to-date and accurate information, which allows strategists to develop and implement policy so that the organization maintains and/or gains a competitive advantage in the marketplace. It also provides a mechanism for implementing counter-intelligence measures to safeguard corporate data and secrets”.


Making security comprehensive

The problems faced by security officers can be ranked as follows (Kwok and Longley, 1999, p. 30): senior management are not fully committed; there is a lack of an authoritative source for guidance; the amount of security needed is not decided easily; there is an issue with conducting security audits/risk analysis; and problems exist with respect to producing a convincing demonstration of current levels of security to auditors. If security is to be comprehensive, it is necessary for the chief security officer to ensure that the appropriate staff throughout the organization are aware of the laws and ethical codes that govern security policies, procedures and strategies. This is crucial because staff need to be more aware of the fact that electronic mail represents an official record, and because of this senior management need to devise and implement a policy relating to the use of e-mails (White and Pearson, 2001, p. 89). This further reinforces the fact that senior management need to establish the security requirements of the organization, and this means undertaking a security requirements exercise (Gerber et al., 2001). Threat countermeasure diagrams can prove useful to security policy formulation because they cite the threat, the countermeasure, the residual threat and the transformed threat (Kwok and Longley, 1999, p. 33).

The internet is, unfortunately, a source of information and tools that can be used by hackers and crackers, and has attracted unscrupulous individuals and groups intent on exploiting internet subscribers (Labuschagne and Eloff, 2000, p. 156). There are a number of factors that organizational staff need to take into account when using the internet, and these need to be communicated to staff via internal training and conference sessions. Attaran and VanLaar (1999, p. 246) have provided a number of useful hints relating to buying online, and it is important to note that the Federal Trade Commission has provided useful advice to those contemplating buying online. This is important because it suggests that the internet has various stakeholders and, furthermore, it is important to have a mechanism in place to share information relating to best practice. Another point that needs to be stated is that those involved in e-commerce need to ensure that there is all-round protection. Kesh et al. (2002, p. 150) have indicated that: “Integrity ensures that only authorized parties make changes to the documents transmitted over the network. Various types of modifications can take place. For example, orders placed over the internet can be altered. Other types of modifications include creation of new documents as well as deletion of documents”.

Cyber attacks are of concern to managers because if, for any reason, an organization’s systems are taken off line for a period of time, this may prove devastating for an organization that relies on electronic transactions in order to stay in business (Abouzakhar and Manson, 2002, p. 203). One way in which security weaknesses can be rectified is by senior management devising and implementing an information systems security analysis and design framework that is considered a comprehensive methodology (Kokolakis et al., 2000). This should allow an organization-specific security architecture to be developed and put in place.

Knowledge integration

In order that organizations continue to develop, it is essential that they become learning organizations. Hitt (1996, p. 16) has indicated that senior management need to ensure the organization becomes a learning organization in order both to be excellent and to be able to survive. Training is a necessary aspect of a learning organization culture. What needs to be borne in mind is that as an organization develops, it is necessary to work towards closing “the gaps between an organization’s current reality and its future transformation” (Appelbaum and Gallagher, 2000, p. 49).

McKenna (1999, p. 776) has suggested that managers are keen to create an environment in which learning and staff development are facilitated. Badii and Sharif (2003, p. 146) have suggested that “knowledge can be exchanged, shared, evolved, refined and be made readily available at the point of need. This implies that knowledge integration must facilitate reflection and dialogue to allow personal and organizational learning and innovation. Without effective information management to underpin knowledge integration, and therefore innovation, the enterprise could find itself spending more and more resources administering and guarding information silos rather than using them effectively”. This is an important consideration because security officers need to be innovators. They need to have the necessary skill base in order to appraise and evaluate complex situations, and be confident enough to devise and implement security policies and systems. Being up to date and knowledgeable are prerequisites for security technology implementation. Authentication is a pivotal component of security. It is envisaged that biometrics will become more established because it represents a new form of authentication (Harris and Yen, 2002, p. 14). Hence, achieving knowledge integration can be viewed as an immediate objective of a learning organization.

Scenario analysis and simulation exercises

Kennedy et al. (2003, p. 10) have indicated that scenario planning is useful for understanding complex problems, and is concerned with “managing the range of uncertainty to be faced and the strategies you can put into place that will provide competitive advantage no matter what specific events unfold. In short, the twin goals of scenario planning are opportunity identification and risk mitigation”. Scenario planning does have a useful input into strategic planning and can be used to find unique solutions to complex and ongoing problems (Graetz, 2002). It is essential, therefore, for security officers and computer information experts to be involved in various forms of scenario planning and analysis, as this will force the different parties involved in security-oriented work to develop a collectivist approach to security. It also means that senior management need to endorse the activities of those involved in all aspects of security, and this means providing the chief security officer with an appropriate platform within the organization.

Simulation exercises can be used by a range of individuals to develop their decision-making skill base (Feinstein et al., 2002, p. 733). Management trainees may be required to familiarize themselves with security issues and to develop an understanding of how security theory can be translated into security practice. Senior managers may be required to work with emergency and disaster prevention and management officers, and to help prepare organizational defences against a possible terrorist attack. The key point to note is that an attack on a city and/or critical infrastructure would have consequences for specific organizations, as operating systems, suppliers, wholesalers, retailers and consumers would all be affected. Some of the issues identified can be designed into a simulation exercise that can be used to train staff in how to perform in a specific situation.

Multi-faceted simulation exercises can be designed that focus attention on managerial, technical, professional and inter-cultural issues. According to Fripp (1997, p. 138), simulation exercises facilitate team working and experiential learning. The fact that instant feedback can be provided is an advantage and needs to be viewed as such. This is a useful observation because security-oriented simulation exercises can be used to reinforce the point that security is a core activity. Ways and means need to be found to make this clear.

Reflecting on the above, it is important that senior management view security as a core activity, and that an adequate risk assessment and counter-intelligence policy are implemented. Figure 1 is proof that security is to be viewed from a holistic perspective.

Figure 1. Security as a core activity


It can also be deduced that security has an internal dimension and an external dimension, and that scenario planning and simulation exercises are valuable vehicles for linking theory and practice. There is no doubt that everybody in the organization needs to be aware of the need for adequate security, and this can be reinforced through the development of a learning organization culture. A theory building research group can be established to identify insights vis-à-vis “hot” topics, and staff in this group can also work on complex theoretical subjects. A close working relationship needs to be developed between staff in the theory building research group and staff in the monitoring unit, and this should ensure that new security topics are identified and the organization’s corporate intelligence function performs adequately.

Conclusion

The types of problem that computer hackers and crackers present are likely to intensify once organized criminal syndicates and terrorist organizations identify new market areas and opportunities to be exploited. The law enforcement agencies, and the intelligence and security services, are working closely together in order to neutralize the acts of criminals and terrorists. There is no doubt that, as the electronic society takes shape, staff employed by organizations and trade associations are going to have to work more closely with officers from the specialist agencies that are working hard to disrupt and dismantle the various criminal and terrorist networks.

Although information management and computer security specialists are working hard to put in place defensive measures and systems, it needs to be recognized that if security is to be viewed as a core activity, senior management need to ensure that staff throughout the organization are aware of the problems and issues involved. These problems and issues can and should be placed within a wider national context, and this means that security needs to be viewed as a core activity. If security is viewed as a core activity, it means a comprehensive emergency and disaster management planning framework and strategy will be in place, and a deep commitment to business continuity planning will be evident.

References

Abouzakhar, N.S. and Manson, G.A. (2002), “An intelligence approach to prevent distributed systems attacks”, Information Management & Computer Security, Vol. 10 No. 5, pp. 203-9.

Appelbaum, S.H. and Gallagher, J. (2000), “The competitive advantage of organizational learning”, Journal of Workplace Learning: Employee Counselling Today, Vol. 12 No. 2, pp. 40-56.

Attaran, M. and VanLaar, I. (1999), “Privacy and security on the internet: how to secure your personal information and company data”, Information Management & Computer Security, Vol. 7 No. 5, pp. 241-6.

Badii, A. and Sharif, A. (2003), “Information management and knowledge integration for enterprise innovation”, Logistics Information Management, Vol. 16 No. 2, pp. 145-55.

Baskerville, R. and Siponen, M. (2002), “An information security meta-policy for emergent organizations”, Logistics Information Management, Vol. 15 Nos 5/6, pp. 337-46.

Brooks, W.J., Warren, M.J. and Hutchinson, W. (2002), “A security evaluation criteria”, Logistics Information Management, Vol. 15 Nos 5/6, pp. 377-84.


Chellappa, R.K. and Pavlou, P.A. (2002), “Perceived information security, financial liability and consumer trust in electronic commerce transactions”, Logistics Information Management, Vol. 15 Nos 5/6, pp. 358-68.

Craig, P. (2002), “Enterprise protection strategy”, paper presented at Business Continuity Briefing Seminar hosted by Citadel, London, 9 December.

Crowcombe, P. (2002), “Scalable security solutions”, paper presented at Business Continuity Briefing Seminar hosted by Citadel, London, 9 December.

Desai, M.S., Richards, T.C. and von der Embse, T. (2002), “System insecurity – firewalls”, Information Management & Computer Security, Vol. 10 No. 3, pp. 135-9.

Feinstein, A.H., Mann, S. and Corsun, D.L. (2002), “Charting the experiential territory: clarifying definitions and uses of computer simulations, games and role play”, Journal of Management Development, Vol. 21 No. 10, pp. 732-44.

Fripp, J. (1997), “A future for business simulations?”, Journal of European Industrial Training, Vol. 21 No. 4, pp. 138-42.

Gerber, M., von Solms, R. and Overbeek, P. (2001), “Formalizing information security requirements”, Information Management & Computer Security, Vol. 9 No. 1, pp. 32-7.

Graetz, F. (2002), “Strategic thinking versus strategic planning: towards understanding the complementarities”, Management Decision, Vol. 40 No. 5, pp. 456-62.

Hall, R. (2004), “The strategic component of security”, paper presented at the First CAMIS Security Management Conference, Birkbeck College, University of London, London, 20 October.

Harris, A.J. and Yen, D.C. (2002), “Biometric authentication: assuring access to information”, Information Management & Computer Security, Vol. 10 No. 1, pp. 12-19.

Harris, P.R. (2002), “European challenge: developing global organizations”, European Business Review, Vol. 14 No. 6, pp. 416-25.

Hearn, G. and Rooney, D. (2002), “The future role of government in knowledge-based economies”, Foresight, Vol. 4 No. 6, pp. 23-33.

Higgins, H.N. (1999), “Corporate system security: towards an integrated management approach”, Information Management & Computer Security, Vol. 7 No. 5, pp. 217-22.

Hitt, W.D. (1996), “The learning organization: some reflections on organizational renewal”, Employee Counselling Today, Vol. 8 No. 7, pp. 16-25.

Hutchinson, D. and Warren, M. (2003), “Security for internet banking: a framework”, Logistics Information Management, Vol. 16 No. 1, pp. 64-73.

Kennedy, P., Perrottet, C. and Thomas, C. (2003), “Scenario planning after 9/11: managing the impact of a catastrophic event”, Strategy & Leadership, Vol. 31 No. 1, pp. 4-13.

Kesh, S., Ramanujan, S. and Nerur, S. (2002), “A framework for analyzing e-commerce security”, Information Management & Computer Security, Vol. 10 No. 4, pp. 149-58.

Kokolakis, S.A., Demopoulos, A.J. and Kiountouzis, E.A. (2000), “The use of business process modelling in information systems security analysis and design”, Information Management & Computer Security, Vol. 8 No. 3, pp. 107-16.

Kwok, L.F. and Longley, D. (1999), “Information security management and modelling”, Information Management & Computer Security, Vol. 7 No. 1, pp. 30-9.

Labuschagne, L. and Eloff, J.H.P. (2000), “Electronic commerce: the information-security challenge”, Information Management & Computer Security, Vol. 8 No. 3, pp. 154-7.


Liebermann, Y. and Stashevsky, S. (2002), “Perceived risks as barriers to internet and e-commerce usage”, Qualitative Market Research: An International Journal, Vol. 5 No. 4, pp. 291-300.

McKenna, S.D. (1999), “Maps of complexity and organizational learning”, Journal of Management Development, Vol. 18 No. 9, pp. 772-93.

Trim, P.R.J. (1999), “The corporate intelligence information charter: responsibility and accountability in the defence sector”, Strategic Change, Vol. 8 No. 6, pp. 359-66.

Trim, P.R.J. (2001a), “Public-private partnerships in the defence industry and the extended corporate intelligence and national security model”, Strategic Change, Vol. 10 No. 1, pp. 49-58.

Trim, P.R.J. (2001b), “A framework for establishing and implementing corporate intelligence”, Strategic Change, Vol. 10 No. 6, pp. 349-57.

Trim, P.R.J. (2002a), “Counteracting industrial espionage through counterintelligence: the case for a corporate intelligence function and collaboration with government”, Security Journal, Vol. 15 No. 4, pp. 7-24.

Trim, P.R.J. (2002b), “Corporate intelligence and transformational marketing in the age of the internet”, Marketing Intelligence & Planning, Vol. 20 No. 5, pp. 259-68.

Trim, P.R.J. (2004), “The strategic corporate intelligence and transformational marketing (SATELLITE) model”, Marketing Intelligence & Planning, Vol. 22 No. 2, pp. 240-56.

Tryfonas, T., Kiountouzis, E. and Poulymenakou, A. (2001), “Embedding security practices in contemporary information systems development approaches”, Information Management & Computer Security, Vol. 9 No. 4, pp. 183-97.

Ungoed-Thomas, J. (2003), “The e-mail timebomb”, The Sunday Times, 24 August, p. 19.

Vegh, S. (2003), “Classifying forms of online activism: the case of cyberprotests against the World Bank”, in McCaughey, M. and Ayers, M.D. (Eds), Cyberactivism: Online Activism in Theory and Practice, Routledge, London.

Warren, M.J. (2002), “Security practice: survey evidence from three countries”, Logistics Information Management, Vol. 15 Nos 5/6, pp. 347-51.

White, G.W. and Pearson, S.J. (2001), “Controlling corporate e-mail, PC use and computer security”, Information Management & Computer Security, Vol. 9 No. 2, pp. 88-92.

Yates, S. (2004), “Homeland defence: the telecommunications angle”, paper presented at the First CAMIS Security Management Conference, Birkbeck College, University of London, London, 20 October.


This article has been cited by:

1. Leong Lai Hoong and Govindan Marthandan, “Factors influencing the success of the disaster recovery planning process: a conceptual paper”, pp. 1-6.

2. Peter R.J. Trim and Yang-Im Lee, “A security framework for protecting business, government and society from cyber attacks”, pp. 1-6.

3. Gerald V. Post and Albert Kagan (2007), “Evaluating information security tradeoffs: restricting access can interfere with user tasks”, Computers & Security, Vol. 26 No. 3, pp. 229-237.

4. Peter R.J. Trim (Department of Management, Birkbeck College, University of London, London, UK) and Yang-Im Lee (Royal Holloway, The School of Management, University of London, Egham, UK) (2006), “An internationally focused synthesised marketing strategy underpinned by qualitative research”, Qualitative Market Research: An International Journal, Vol. 9 No. 3, pp. 203-224.
