
Information Systems Management (www.ism-journal.com), Spring 2005

A MODEL OF INFORMATION ASSURANCE BENEFITS

Jean-Noël Ezingeard, Elspeth McFadzean, and David Birchall

JEAN-NOËL EZINGEARD is professor of management studies (processes and systems management) at Henley Management College in the United Kingdom. He can be reached at [email protected].

ELSPETH MCFADZEAN is a lead tutor and visiting senior research fellow at Henley Management College and a visiting lecturer at the University of Surrey.

DAVID BIRCHALL is director of research at Henley Management College and also leads the Centre for Business in the Digital Economy.

SECURITY, ETHICS, AND LEGAL ISSUES

Effective information assurance (IA) is the key to reliable management decision-making, customer trust, business continuity, and good governance in all sectors of industry and public service. Yet making a business case for IA investments can be difficult because the scope of the potential benefits can be very broad. Based on interview data collected from company executives, senior IA managers, and a variety of external stakeholders, we develop and discuss a four-layer model that can be used to help structure the case for IA investments.

Security concerns are on the increase in all organizations worldwide and there is a growing number of calls urging senior managers and top executives to take greater interest in information security (Fourie, 2003). These calls are mainly based on the premise that the engagement of senior managers and directors with the information security agenda is key to achieving good security (ISO, 2000; Thomson and von Solms, 2003). But are these calls being heard? Unfortunately, there is evidence that the topic is not reaching the top layers of organizations, or that it only does so at irregular intervals and on an ad-hoc basis (Ezingeard et al., 2004b), with the attention of senior managers for information security centered around incidents, either published in the press or internally identified.

In parallel to the increased focus on business benefits for IT investments, the topic of information security has evolved in many organizations to cover broader issues than security. The scope of potential benefits has therefore also increased. In particular, aspects such as quality and trustworthiness of information are now becoming key business issues. In light of several high-profile governance failures that could be traced to distorted information, executives are being required to pay more attention to aspects of information integrity due to legislation (ITGI, 2003). In this context, the term information assurance (IA) is therefore emerging as a broader business concept than just security (Colwill et al., 2001). Whereas security was once the sole domain of the information systems department, organizations are increasingly tasking audit and compliance committees with monitoring and overseeing information assurance processes. Experts suggest that auditors should fully understand IA issues as a key part of future responsibility (Parker, 2001). Despite this widening of scope, there is still evidence of a lack of senior management understanding of the business value of good information assurance (Deloitte, 2003; Ernst & Young, 2002).

Research has shown that the lack of engagement from senior managers and boards could be attributed to differences in language and culture between information security staff and senior managers, and that there is a need to express information security problems in business rather than technical language (McFadzean et al., 2003). This is compounded by a dearth of advice and research into how information security return on investment (ROI) can be better calculated and presented to senior managers (McAdams, 2004). The research presented here
aims to bridge this gap by advancing the understanding of the benefits that can be gained from superior information assurance. We do so by investigating what organizations expect to gain from information assurance through a series of interviews with senior managers, from which we build a structured model of the business benefits of IA.

Our research was based on a two-pronged data collection approach. A total of 32 interviews was conducted with two different groups. Our initial enquiry started with in-depth interviews with 22 senior business managers. From these interviews we were able to establish both the internal and external business benefits of an effective IA policy for different organizations. Apart from one U.K. charity and one government department, all managers were from public companies with listings on the London, New York, Zürich, or Frankfurt stock exchanges. In parallel, we conducted interviews with representatives of ten external stakeholders to gain the different perspectives of IA benefits from people located outside the companies, including investors and suppliers. These two sets of interviews enabled us, using interpretive content analysis assisted by cognitive mapping software, to develop our model of IA benefits. (More details on our research methods are provided in Table 1.)

TABLE 1 Research Methodology Details

In-Depth Interviews with Senior Business Managers

We sought the views of 22 managers, all based in the United Kingdom except for four (two in the United States, one in Germany, one in South Africa). Six of the respondents are board-level directors (CEO, CFO, non-executive director), four are in charge of information systems for their organization, ten have responsibility for information assurance (head of information assurance, head of risk, head of information security), and two are senior project managers specializing in IA. Sectors represented include financial services, manufacturing, power distribution, retail, IT services, consultancy, and pharmaceutical. The managers were asked about the effect of information assurance on their organizations. This included both an internal perspective (e.g., how IA influences employees, managers, etc.) and an external perspective (e.g., the impact of IA on customers, suppliers, etc.). Consequently, we gained detailed information on the effect of IA on issues such as business processes, information sharing, innovation, company reputation, and relationships with suppliers, among others. These interviews lasted between 60 and 90 minutes.

Stakeholder Interviews

In parallel, we interviewed ten external stakeholders: three investors, two buyers with an interest in the IA procedures of their suppliers, two suppliers with an interest in the IA procedures of their customers, an insurance underwriter, a provider of professional technical services, and a financial consultant with significant experience in flotation and mergers and acquisitions. The aim of these interviews was to provide us with information about how organizations' information assurance policies affected their external stakeholders. This enabled us to gain a different perspective on IA benefits from outside the companies. These interviews lasted up to 30 minutes, which was sufficient to examine the participants' views using questions that were very focused.

WHAT IS INFORMATION ASSURANCE?

Unfortunately, there is no universally accepted definition of what constitutes information assurance (IA). Many still equate it with information security, but the term information assurance is growing in acceptance and usage, particularly among government and international agencies (Wolf, 2003). Information security generally includes the following three elements (Whitman, 2003):

1. Confidentiality. This ensures information is accessible on a need-to-know basis and that unauthorized access is prevented.

2. Integrity. This ensures that data (or, more widely, information) is not deleted or corrupted, either accidentally or deliberately.

3. Availability. This ensures that information is available when it is required and that it will support the organization's ability to operate and accomplish its objectives.

Some experts add identification and authentication to this list (Koved et al., 2001; Landwehr, 2001). The distinction between these two terms emphasizes a necessary separation between the act of recording who has carried out an interaction with an information asset and the act of determining their authority to do so. Separating these concepts in information architecture can, for example, identify instances of password security breaches. A further component is non-repudiation, introduced as far back as the late 1980s (ISO, 1989). Non-repudiation is a basic security service that ensures organizations can prove that transactions actually took place and that they are correctly recorded. This expanded scope of the activities associated with managing the defense, preservation, provenance, and surety of information now forms the concept and definition of IA used in many countries. For example, the Information Assurance Advisory Council (IAAC, 2003) in the U.K. defines information assurance as:

the certainty that the information within an organization is reliable, secure and private. IA encompasses both the accuracy of the information and its protection, and includes disciplines such as security management, risk management and business continuity management.
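Of the elements listed above, three are easy to state and easy to get wrong in practice: non-repudiation, the integrity of the recorded transaction, and the separation between establishing who acted and deciding whether they were allowed to. The following is an added illustration written for this page, not code from the paper or from any organization it cites. It is a small Go transaction ledger in which each client signs its transaction with its own Ed25519 key (so the record can be attributed to that client and to nobody else, which a MAC under a secret the server also holds could not achieve), stored records are re-verified against their signatures so a later edit is detected, and the authentication check is kept apart from the authorization check so that a genuine credential used for a forbidden action is recorded as its own kind of event. The principal names, actions, amounts and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Transaction is what a client submits. The client signs the canonical bytes with
// its own private key, so only that key holder could have produced the signature
// (non-repudiation). A MAC under a secret the server also holds would not do.
type Transaction struct {
	Seq       uint64
	Principal string // identification: who claims to be acting
	Action    string // constructed example actions: "transfer", "read"
	Amount    int64
	Signature []byte
}

func (t Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%d", t.Seq, t.Principal, t.Action, t.Amount))
}

// Ledger keeps "is this really alice?" (keys) apart from "may alice do this?"
// (allowed) and records every outcome against the verified identity.
type Ledger struct {
	keys     map[string]ed25519.PublicKey
	allowed  map[string]map[string]bool
	accepted []Transaction
	denied   []Transaction // genuine credential used for a forbidden action
}

var ErrBadSignature = errors.New("signature does not verify under the principal's key")
var ErrNotAuthorized = errors.New("principal is not authorized for this action")

func NewLedger() *Ledger {
	return &Ledger{keys: map[string]ed25519.PublicKey{}, allowed: map[string]map[string]bool{}}
}

// Register binds a principal to its public key and to the actions it may take.
func (l *Ledger) Register(principal string, pub ed25519.PublicKey, actions ...string) {
	l.keys[principal] = pub
	l.allowed[principal] = map[string]bool{}
	for _, a := range actions {
		l.allowed[principal][a] = true
	}
}

// Sign is the client-side step: the holder of priv signs the canonical bytes.
func Sign(priv ed25519.PrivateKey, tx Transaction) Transaction {
	tx.Signature = ed25519.Sign(priv, tx.canonical())
	return tx
}

func (l *Ledger) authentic(tx Transaction) bool {
	pub, ok := l.keys[tx.Principal]
	return ok && ed25519.Verify(pub, tx.canonical(), tx.Signature)
}

// Append authenticates first, then authorizes. A valid signature on a forbidden
// action is rejected and kept in denied: the credential is genuine, so it is being
// misused or has been stolen, which a single allow/deny check would not surface.
func (l *Ledger) Append(tx Transaction) error {
	if !l.authentic(tx) {
		return ErrBadSignature
	}
	if !l.allowed[tx.Principal][tx.Action] {
		l.denied = append(l.denied, tx)
		return ErrNotAuthorized
	}
	l.accepted = append(l.accepted, tx)
	return nil
}

// Verify re-checks every stored record against its signature, so a record edited
// after acceptance no longer verifies. Returns the index of the first failing
// record, or -1 if all are intact.
func (l *Ledger) Verify() int {
	for i, tx := range l.accepted {
		if !l.authentic(tx) {
			return i
		}
	}
	return -1
}

func (l *Ledger) Denied() []Transaction { return l.denied }

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader) // constructed keys
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	l := NewLedger()
	l.Register("alice", alicePub, "transfer", "read")
	l.Register("bob", bobPub, "read")
	fmt.Println(l.Append(Sign(alicePriv, Transaction{Seq: 1, Principal: "alice", Action: "transfer", Amount: 500})))
	fmt.Println(l.Append(Sign(bobPriv, Transaction{Seq: 2, Principal: "bob", Action: "transfer", Amount: 900})))
	fmt.Println(l.Append(Sign(bobPriv, Transaction{Seq: 3, Principal: "alice", Action: "read"})))
	l.accepted[0].Amount = 5000 // tamper after the fact
	fmt.Println("denied:", len(l.Denied()), "first bad record:", l.Verify())
}
```

The second call in main is the case the paper singles out: bob's key is genuine, so authentication passes, but the transfer is outside his authority and is written to the denied list rather than silently dropped. The third call is a forged record that names alice but is signed with bob's key; it fails authentication and never reaches the authorization step. Real deployments would add a trusted timestamp and a hash chain or signed log to cover deletion and reordering of records, which a per-record signature alone does not detect.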

Despite this widening of scope, information assurance is still frequently used as a synonym for security, where little value is added to the mindset of defense (Boyce and Jennings, 2002). The danger here is that operational defensive measures such as intrusion detection and password breach prevention become the benchmarks for successful performance, failing to identify and capture the scale of exposure because of, for example, errors in accurately invoicing goods and services delivered. Security considerations typically focus on the need to protect systems from internal and external attack, environmental threats, accidental damage, and disaster recovery. This is undoubtedly a core element of information assurance but can lead to a fixed state approach because of the dangerous assumption that all threats can be accurately predicted. Agility is needed in the face of unpredictable threats, and the ability of an organization to adapt its policies, procedures, and technology may be as important as the ability to produce a complete assessment of all possible threats. System changes can even be viewed as a temporary transition between static states, breeding a tolerance for a reduced state of security during a transition period. Our interviewees had little doubt that this approach is complacent in today's threat environment, where the Internet allows security weaknesses to be publicized widely among hackers and business-crippling worms can spread globally in minutes. Whether it is a law of economic conservation or simply ironic, the same Internet that allows many companies to reduce operating costs and improve customer services also increases the cost and complexity of IA, as it increases the number of defensive frontiers that a company must manage.

Adopting a problem-prevention outlook can be very limiting. It is particularly dangerous to assume that the majority of serious threats can be predicted or to introduce systems that are so rigid they are slow or even unable to respond to changing needs. If customer services unilaterally implemented inflexible and strict security procedures, they might achieve a zero-complaints target, but they might also completely prevent any sales from occurring. Similarly, finance could eliminate bad debt by refusing to offer credit terms to any customer. While these are obviously extreme examples, they illustrate how a department unchecked by business logic can hamper business performance. Of course, the corporate mindset that does not question its security policies in the face of employee inconvenience, ever-increasing procedures, and restrictions on knowledge management is being equally shortsighted.

Our research also indicates that taking a security outlook can be counter-productive in achieving board engagement. This is because information security tends to be associated with technology, not always a topic in which board members can engage. In the words of the group IA adviser for a multinational retail bank:

"Board members tend not to be very technical and avoid IA. However, the technical part of IA is actually only a small element. It is important to be able to look at things in a holistic way, with a broader perspective, not just technical."

ENABLING RATHER THAN PREVENTING

Information assurance could be said to represent a migration from a preventative approach to an enabling approach. Information systems can represent a source of competitive advantage through their structural integrity as much as through the information content they deliver. Reliability and resilience mean more consistent operational and customer service performance, thus reducing costs and increasing the ability to adapt quickly to changing market circumstances. Table 2 compares the key elements of a traditional information security method to a more pioneering information assurance approach. A comprehensive conceptualization of IA ensures that the information systems serve the organization's transactional needs, such as operational capability, customer service, and financial systems, as well as its transformational needs, including knowledge management, innovation, and rapid adaptation. Taking such a forward-looking view requires an examination of the direction of the business as well as its current needs and systems. IA practitioners must understand how value is created in the business and what will influence future strategic decisions (Ezingeard et al., 2004a).

Consequently, by combining all these ideas, information assurance strategy can be defined as:

Determining how the reliability, accuracy, security and availability of a company's information assets should be managed to provide maximum benefit to the organization, in alignment with corporate objectives and strategy.

AVOIDING NEGATIVE STRATEGIC CONSEQUENCES OF POOR INFORMATION ASSURANCE

Breaches in security heighten awareness of just how dependent organizations have become on their information systems and how high the price for failing to safeguard them is in terms of reputational damage, loss of business and reduction in share price (Hovav and D'Arcy, 2003). Breaches in information reliability can have similarly devastating reputational or financial consequences. It is vital, therefore, that organizations develop an effective IA strategy to help them defend against these violations.

Despite these dangers, information assurance is not a key consideration in shaping corporate strategy. Naturally, companies do not consider revenue generation plans and budgets secondary to IA policies (with the few exceptions being those whose primary business is to secure transmission or storage of information). Nonetheless, information assurance is a strategic issue in the sense of the potential impact on the rest of the business (McFarlan, 1984; Ward, 1988). If it is not undertaken well, strategic risks may follow. IA should therefore support corporate strategy because the consequences of IA policy decisions can affect the entire business. For example, an information systems failure could cause damage to an organization's reputation and may inhibit the firm's ability to operate; or ill-considered policies may restrict information flow, causing poor customer service and resulting in loss of business over time. Finally, the cost of the incident may be prohibitively high and the organization may not survive the disruption (Logan and Logan, 2003).

Customer tolerance for publicized security breaches is decreasing (DTI, 2002; Treanor, 2000). This also calls for information security concerns to rise to the highest levels of the organization. If customers migrate not just because of perceived risk, but simply because of the inconvenience of failing computer systems, then stability and reliability become competitive drivers. In the United States, the advent of the Sarbanes-Oxley Act, which holds executives personally liable for the accuracy of financial results, could potentially pave the way to similar liability for all compliance issues, particularly in light of growing consumer concern for information privacy (Stewart and Segars, 2002). Information assurance must become a concern from a corporate governance perspective (Thomson and von Solms, 2003). Recent media reports have also highlighted the potentially dramatic consequences of poor information integrity, demonstrating that decisions taken on the basis of unreliable information can leave shareholders and voters concerned and angry (Stiles and Taylor, 2001). Stakeholders no longer see the fact that decisions were taken in good faith or that assets were represented to the best of executives' knowledge as an acceptable excuse for mistakes subsequently discovered. Unsurprisingly, corrupt data (and its impact on corporate governance and general management decision making) was therefore seen by our interviewees as one of the biggest risks of poor IA.

Perhaps too often, information security is presented as a necessity for survival rather than a business enabler. Interestingly, considering information assurance as incorporating responsibility for the reliability and integrity of data means that those formerly responsible for implementing information security can make a value-adding contribution to the organization through this changing perspective, enhancing competitive advantage rather than simply defending existing systems (Dhillon, 2004). This is what we explore in the next section.

TABLE 2 Comparing Information Security with Information Assurance

Confidentiality
Information security: need-to-know only and protection from unauthorized access.
Information assurance: How can ongoing compliance be ensured against regulatory changes or regional variations? What would be the impact on reputation of a breach in confidentiality?

Integrity
Information security: preventing accidental or malicious alteration, corruption, or deletion.
Information assurance: Can users compare relative levels of reliability if data is conflicting? How does the organization reduce costs incurred through errors?

Availability
Information security: disaster recovery and business continuity to ensure ongoing operation of existing systems.
Information assurance: How can we develop systems that will not be restrictive as the organization grows, enters new alliances, or develops new businesses?

Identification and Authentication
Information security: password access control.
Information assurance: Do users keep their passwords secret and change them regularly because they are told to or because they understand the importance of password safety? How can we develop better identification and authentication methods for our stakeholders?

Non-repudiation
Information security: fraud prevention.
Information assurance: How can security reduce the organization's transaction costs? Can transactions be simplified for our customers to increase their value gained from dealing with us, without compromising security?

HARNESSING POSITIVE CONSEQUENCES OF GOOD INFORMATION ASSURANCE

Ensuring business continuity, the ability to continue operating without falling foul of legislation or adverse media reports, is an immediate benefit that many of the board members and senior executives interviewed recognized. Some managers, however, go beyond the simple, immediate benefits of IA. These interviewees pointed out that in the medium term, it should be possible to achieve further benefits. As illustrated in Figure 1, we have classified those into:

• Operational benefits: those benefits that will have an immediate positive impact on the organization's ability to deliver goods and services more efficiently or effectively
• Tactical benefits: those benefits that will have a medium-term positive impact on the organization's relationships with its trading partners
• Strategic benefits: those benefits that are more long-term in nature and connected with competitive advantage
• Organizational benefits: those benefits sought by the owners of the organization or its key stakeholders

Operational Benefits

Resilient Business Processes. A good IA policy can provide a global framework for information security within an organization, pulling together both information and physical security to ensure business continuity. Going beyond information security, effective IA is also the key to good operational controls and procedures that rely on timely and accurate information for their business continuity or simply for effectiveness. Supply chains, for example, are increasingly considered an area of exposure by many businesses but also an opportunity to gain significant competitive advantage. Because controlling the supply chain is a very information-intensive activity, supply-chain management is an example of a business process whose resilience can be significantly enhanced by good IA. Many interviewees pointed to resilience of business processes as a key benefit of good IA in sectors such as banking, telecommunication, and retail.

FIGURE 1 Interview Findings: The Benefits of Good Information Assurance

[Figure: four nested layers labelled Operational Benefits, Tactical Benefits, Strategic Benefits, and Organizational Benefits. Benefit labels shown in the figure: Resilient Business Processes, Improved Customer Service, Better Information Usage, Improved Responsiveness, Easier Compliance, Better Control, Better Understanding of Business Opportunities, Commitment from Business Partners and Customers, Better Governance, Cheaper Equity, More Sales, Lower Costs, Competitive Advantage, License to Operate, Improved Shareholder Value.]

Improved Customer Service. An effective IA strategy can help the organization to provide secure and easy-to-use access, which customers increasingly expect as a given, as well as reliable information, which is the key to good service provision. As one of our interviewees described it, "Information is absolutely central to good advice delivery." It is particularly critical, for example, in sectors where customer service is delivered through call center operations. In other sectors, such as financial services, good IA will often be the key to the ability to deliver real-time financial information to customers. In retail, good IA is a cornerstone of many loyalty programs.

Better Information Usage. IA facilitates improvement in the quality, integrity, availability, and reliability of information. Many organizations suggest that information is a key element for business decisions and innovation. It is therefore beneficial for companies to gather and maintain accurate and reliable information. Collecting, storing, and processing information can be costly, however. Good IA is therefore linked by some of our interviewees to enabling a reduction in such costs. This, for example, can be the cost of storing business-critical information in an efficient way. In the words of one of the executives interviewed, good IA can help identify "when you've got four copies of that [because] you don't need four." In other companies, good IA will ensure that information is enhanced, as well as protected and used well. For example, the CEO of one of the banks interviewed pointed out that good IA helped ensure that customer needs were matched appropriately to products.

Improved Responsiveness. Good IA can significantly improve responsiveness. In security terms, good IA is often the key to responsiveness when breaches do actually occur. Responsiveness is often only possible if every individual within an organization feels responsible for security. Improving knowledge and awareness of security issues can be beneficial in itself; but in addition, this awareness can help to improve the speed of response when a breach in security occurs. Thus, both the communication of the breach and the repair of the infringement can be undertaken much faster. Furthermore, good IA will ensure that an organization is alerted rapidly to changes in the environment. In situations where rapid responses are required, being able to trust the information on the basis of which decisions are taken will be critical. As argued by the chief risk officer of a large bank that participated in the research, one of the reasons that his organization pays attention to IA is because it supports the bank's ability to remain cutting edge.

Tactical Benefits

Easier Compliance. Many organizations see IA solely as a compliance issue. Achieving compliance can be expensive: simply meeting the data storage requirements brought about by the Sarbanes-Oxley Act has required the quadrupling of storage capacity in many organizations (Economist, 2004). By ensuring good IA processes, companies are able to achieve leaner internal control systems that still meet regulatory and legal requirements; they need to spend less on technology to remain compliant and less on processes to monitor compliance. Improved confidence and accountability in IA reduces the complexity (and therefore the cost) of post-hoc verification of information accuracy.

Better Control. An effective IA policy will provide additional rigor for information and security controls. At a basic operational level, strict control procedures can be put in place to stop unauthorized access to information or the use of unauthorized software, illicit Web surfing, and e-mail communication. One senior manager (from a telecommunications firm) we interviewed suggested that, at a tactical level, control often takes another form. He pointed out that an organization will want to ensure that once vulnerabilities are identified, it brings the risk down to a manageable and recognizable level. In addition, business control is also much more than security, and good IA will ensure that aspects such as expenditure are looked at rigorously to ensure that no surprises are brought to light, for example, in an annual audit. Finally, business control needs reliable information to steer the organization in the right direction. As pointed out by one of our interviewees, "if you're making decisions on the wrong data, then making better decisions is probably not your biggest issue."

Better Understanding of Business Opportunities. Understanding business opportunities and markets relies on trusted market intelligence. Many organizations increasingly place an emphasis on ensuring that this information is available and accurate. Although few organizations will make this an explicit requirement of their internal control systems, shareholders are becoming much less tolerant of companies that constantly misjudge market outlook. As pointed out by a senior consultant we interviewed, "If you go back to the Internet bubble where people would give you a million dollars for having an idea on a Web site, great. I think those days are gone; they're far more rigorous now."

Commitment from Business Partners and Customers. As information technology permeates all business relationships, customers and suppliers alike are becoming more demanding. An organization will instill trust among its stakeholders if it is able to constantly demonstrate that it knows how to ensure that the information it collects and exchanges with its trading partners is secure. This in turn will inspire commitment. In the retail sector, for example, allowing automated shelf-restocking orders from direct observation by suppliers of sales transactions can be a source of significant commercial benefit (e.g., reduced cost of order administration, reduced inventory management, and fewer missed sales opportunities). However, in practice, that can only arise from assuring partners of the ability to guarantee not only the accuracy of sales data, but also the security of commercially sensitive information.

Strategic Benefits

Better Governance. Feedback to the board regarding IA is necessary to ensure that directors are kept informed about potential problems or risks. In the words of one of our interviewees, "I think for non-executive directors their nightmare is having a scandal, so they've got to be, and they are being, more challenging and require more information." This also means that the board can make better decisions regarding IA investment as well as providing assurance concerning the company's security to other stakeholders. In addition, it enables the senior executive responsible for IA to view the issue holistically. He or she can therefore facilitate compliance with government directives and provide global standards for the entire organization.

Cheaper Equity. Many firms require access to external financing to fund innovation and growth. A number of academic studies have shown that investors believe that companies that have been vulnerable to security breaches such as denial-of-service attacks in the past will be exposed to financial damage in the future (Ettredge and Richardson, 2003; Garg et al., 2003; Hovav and D'Arcy, 2003). The only exceptions to this were firms that showed they were willing to continuously invest in information security. Our interviews have confirmed that few analysts will take IA seriously when making investment decisions, either as part of an initial due diligence process or in subsequent reviews. IA reviews by market analysts are clearly not a widespread practice, although our interpretation of interview data is that the trend is growing.

More Sales. Effective communication of IA readiness will serve as reassurance for all stakeholders, including customers. It illustrates that the company:

• Is willing to protect its customers' information from malicious intent
• Provides better customer service
• Has more resilient processes that will ensure unbroken supply or service

For example, one of our interviewees (from a manufacturing company) pointed out that many of its customers "don't want their prices and their volumes [made public]" and that they would stop buying if they felt that there was a chance that their competitors would "understand how much they're buying and get some competitive insights into the information we had about them." This, of course, is not unusual and not specific to manufacturing.

Lower Costs. The combination of operational and tactical benefits of good IA can ultimately result in lower overall costs for the business. Major security problems can cause substantial downtime and extreme disruption to the workforce. Research has also shown the massive costs that security breaches can create (Garg, 2003). An effective IA strategy therefore has the potential benefit of reducing costs and decreasing disruption and downtime due to security infringements.

Other cost drivers will be influenced by good IA, and we have already discussed business process benefits. Combined with better management information and better control, IA can clearly contribute to lowering an organization's overall costs.


Organizational Benefits

Improved Shareholder Value. As pointed out by a senior IA executive we interviewed, "Spending money without justification is not the order of the day any more," and all IA spending is now increasingly linked to the return it will produce for shareholders. We have already discussed operational and tactical value drivers that IA can help realize, such as commitment from customers and trading partners. These are, in turn, likely to generate shareholder value.

Ensuring shareholder value is one of the many roles undertaken by the board of directors (Stiles and Taylor, 2001). An effective IA strategy was seen as one method of communicating to shareholders the board's intent regarding security. That is, the strategy seeks to reassure shareholders regarding the safety of the organization as well as its security investment intentions.

Competitive Advantage. Competitive advantage is the ability of an organization to differentiate itself from its competitors. What, then, would IA-driven competitive advantage look like? While none of our interviewees actually linked IA to competitive advantage per se, it was linked to competitive advantage at two broad levels:

1. Reliable information about competitors, their new products and services, or marketing tactics can often help achieve competitive advantage.
2. The operational and tactical benefits that we have already associated with IA were also linked to competitive advantage by interviewees. These included commitment from trading partners and better decision making.

License to Operate. Finally, many interviewees reminded us that, at a very fundamental level, organizations must comply with the legislation and regulatory requirements of the countries in which they operate. In extreme cases, failure to comply will result in a lack of approval to operate.

IMPLICATIONS

There are a number of implications of the model in Figure 1 for both managers and researchers. For example, the model shows that information assurance can have a resounding impact on many organizational processes, as well as influence both internal and external stakeholders. Consequently, information assurance should be seen in broad business terms rather than in narrow technical terms. It is important, therefore, that senior managers take responsibility for information assurance in order to guarantee the following:

• A holistic picture of IA controls and procedures has been developed and maintained.
• Appropriate compliance and legislation issues have been fulfilled.
• Information assurance strategy has been aligned with the organization's corporate goals.
• Employees have been fully briefed and are regularly updated on information assurance policies, processes, and potential threats.
• Appropriate adjustments can be made to IA policies when the internal or external environments alter, thus necessitating a change in security procedures.

Further research can also be undertaken in this area. This qualitative study is interpretive in nature and focuses on a small number of organizations. A wider survey of the benefits of IA to organizations could be undertaken, with data collected on the magnitude of the value of operational, tactical, strategic, and organizational benefits. It would also be interesting to ascertain whether the values of these benefits are similar for both internal and external stakeholders, and if they are similar for organizations in the United States and European countries.

CONCLUSION

Our research has shown that the benefits of superior information assurance can be grouped under four different headings:

1. Operational benefits: The immediate and direct consequence of superior information assurance will be flows of accurate information, available when and where they are needed. This in turn will support operational excellence and ensure the continuity of day-to-day operations for the benefit of the organization's customers.
2. Tactical benefits: Derived from the availability of usable management information and robustness of the information exchanges with business partners, these benefits are often the most publicized by IA practitioners.
3. Strategic benefits: These are the benefits that are linked with the ability of the organization to achieve its strategic objectives and achieve better performance than its competitors. Although they are more long term in nature, we found that they were often sought as direct benefits of IA by the managers who participated in our research.
4. Organizational benefits: Ultimately, the rolling up of the operational, tactical, and strategic benefits of IA should result in improved shareholder value and competitive advantage. In some industries, superior IA is also a condition that regulators and other authorities place on organizations, in which case a license to operate is the ultimate organizational benefit.

Information assurance is critical to organizations in all sectors of industry and public service. It is the key to reliable management decision-making, customer trust, business continuity, and good governance. Yet, making the case for IA investments can be difficult as the scope of benefits is wide. The four-layer model presented here can be used to help structure the case for IA investments. Many practitioners and vendors often focus their arguments on what the negative outcomes of poor IA are. In contrast, our model shows what business benefits can be gained.

References

Boyce, J.G. and Jennings, D.W. (2002) Information Assurance: Managing Organizational IT Security Risks. London: Butterworth-Heinemann.

Colwill, C.J., Todd, M.C., Fielder, G.P., and Natanson, C. (2001) Information Assurance. BT Technology Journal, 19(3), 107-114.

Deloitte (2003) 2003 Global Security Survey. Deloitte Touche Tohmatsu.

Dhillon, G. (2004) The Challenge of Managing Information Security: Guest Editorial. International Journal of Information Management, pp. 243-244.

DTI (2002) Information Security Breaches Survey. Department of Trade and Industry/PricewaterhouseCoopers, London, U.K.

Economist (2004) File that: The Sarbanes-Oxley Act Is Causing a Quantum Leap in the Storage Industry. The Economist [print edition], March 4.

Ernst & Young (2002) Global Information Security Survey. Ernst & Young LLP.

Ettredge, M. and Richardson, V.J. (2003) Information Transfer among Internet Firms: The Case of Hacker Attacks. Journal of Information Systems, 17(2), 71-82.

Ezingeard, J.-N., Bowen-Schrire, M., and Birchall, D. (2004a) Triggers of Change in Information Security Management. Proceedings of ISOneWorld Conference, Las Vegas, April 23-25.

Ezingeard, J.-N., McFadzean, E., and Birchall, D.W. (2004b) Board of Directors and Information Security: A Perception Grid. Paper No. 222 in Proceedings of British Academy of Management Conference, Harrogate.

Fourie, L.C.H. (2003) The Management of Information Security: A South African Case Study. South African Journal of Business Management, 34(2), 19.

Garg, A. (2003) What Does an Information Security Breach Really Cost? Evidence and Implications. Information Strategy: The Executive's Journal, 19(4), 21f.

Garg, A., Curtis, J., and Halper, H. (2003) Quantifying the Financial Impact of IT Security Breaches. Information Management & Computer Security, 11(2), 374-383.

Hovav, A. and D'Arcy, J. (2003) The Impact of Denial-of-Service Attack Announcements on the Market Value of Firms. Risk Management & Insurance Review, 6(2), 97.

IAAC (2003) Engaging the Board: Corporate Governance and Information Assurance. Information Assurance Advisory Council, Cambridge, U.K.

ISO (1989) ISO 7498-2:1989 Information Processing Systems: Open Systems Interconnection: Basic Reference Model, Part 2: Security Architecture. ISO, Geneva.

ISO (2000) ISO/IEC 17799:2000 Code of Practice for Information Security Management. ISO, Geneva.

ITGI (2003) IT Control Objectives for Sarbanes-Oxley. IT Governance Institute, Rolling Meadows, IL.

Koved, L., Nadalin, A., Nagaratnam, N., Pistoia, M., and Shrader, T. (2001) Security Challenges for Enterprise Java in an E-Business Environment. IBM Systems Journal, 40(1), 130-152.

Landwehr, C.E. (2001) Computer Security. International Journal of Information Security, 1(1), 3-13.

Logan, P.Y. and Logan, S.W. (2003) Bitten by a Bug: A Case Study in Malware Infection. Journal of Information Systems Education, 14(3), 301-305.

McAdams, A.C. (2004) Security and Risk Management: A Fundamental Business Issue. Information Management Journal, 38(4), 36-44.

McFadzean, E., Ezingeard, J.-N., and Birchall, D. (2003) Boards of Directors' Engagement with Information Security. Henley Working Paper (HWP0309) (available from www.henleymc.ac.uk).

McFarlan, F.W. (1984) Information Technology Changes the Way You Compete. Harvard Business Review, 62(3), 98.

Parker, X.L. (2001) Understanding Risk. Internal Auditor, 61-65.

Stewart, K.A. and Segars, A.H. (2002) An Empirical Examination of the Concern for Information Privacy Instrument. Information Systems Research, 13(1), 36-49.


Stiles, P. and Taylor, B. (2001) Boards at Work: How Directors View Their Roles and Responsibilities. Oxford: Oxford University Press.

Thomson, K.-L. and von Solms, R. (2003) Integrating Information Security into Corporate Governance. 18th IFIP International Information Security Conference, Athens, pp. 169-180.

Treanor, J. (2000) Security Fear Shuts Online Bank. The Guardian, Aug. 1, 2000.

Ward, J.M. (1988) Information Systems and Technology Application Portfolio Management: An Assessment of Matrix-Based Analyses. Journal of Information Technology, 3(3), 205.

Whitman, M.E. (2003) Enemy at the Gate: Threats to Information Security. Communications of the ACM, 46(8), 91-95.

Wolf, D.G. (2003) Statement by NSA's Director of Information Assurance before the House Select Committee on Homeland Security. U.S. House of Representatives (available from http://www.nsa.gov/ia/Wolf_SFR_22_July_2003.pdf).
