
A study on information security objectives and practices

Posted on: 2005-09-29
Degree: Ph.D
Type: Dissertation
University: Southern Illinois University at Carbondale
Candidate: Ma, Qingxiong
Full Text: PDF
GTID: 1458390008987085
Subject: Business Administration
Abstract/Summary:
Information security is a management problem, not a technology one. Experience indicates that technology cannot provide all the answers to the problems posed by people in the context of information security management (ISM). For example, according to a survey conducted by the Computer Security Institute (CSI) and the FBI, 89% of respondent organizations have firewalls and 60% have user IDs, but 40% of them still reported system penetration by intruders. The CSI survey also revealed that although 90% of respondent organizations used anti-virus software, 85% were still hit by viruses, worms, etc.

To protect the information assets of organizations, different frameworks and guidelines have been proposed by researchers, practitioners, consultants, and professional organizations. The new international standard ISO 17799 is considered a robust model for ISM. This standard provides security practices in ten areas for organizations to follow. Similarly, researchers also have different views on information security objectives. Many believe that information security consists of three primary elements: confidentiality, integrity, and availability; others suggest more than three.

As a result, current information security objectives and practices are inconsistent or misleading to practitioners. In addition, concepts in the field of ISM are typically based on case studies, anecdotal evidence and the prescriptions of industry "leaders". There is little consensus on which security objectives should be achieved, which factors are critical to successful security initiatives, and what the relationship is between best practices and objectives.

Based on an analysis of empirical data from 354 information security professionals, this research contributes to the information security community with the following findings: (1) Four dimensions of information security objectives were identified: Information Integrity, Confidentiality, Accountability, and Availability. (2) The information security professionals in small and medium-sized organizations were found to be younger and to have less experience in the information security area than their counterparts in larger organizations. (3) ISO 17799 was refined to provide a parsimonious framework. (4) For small and medium-sized organizations, "Confidentiality" was considered to be the most important security objective, and the most important security practice related to this objective was "Access Control". For large organizations, the important security objectives were "Confidentiality", "Accountability", and "Integrity". The security practices related to these objectives were "Access Control", "Organizational Security", and "Security Policy". "Access Control" is the most important security practice in both groups.

Practitioners should use the four information security objectives identified in this study as a starting point to develop organization-specific security objectives that reflect their business environment and business goals.
Keywords/Search Tags: Security, Practices, Organizations