information security in the extended enterprise: some initial results from a field study of an...

Uploaded by sandyjbs, posted 10-Apr-2018


8/8/2019 Information Security in the Extended Enterprise: Some Initial Results From a Field Study of an Industrial Firm

Slide 1/13

INFORMATION SECURITY IN THE EXTENDED ENTERPRISE

Presented by Aditya Ahuja (054), Anshul Pachouri (6503861), Pooja Bagga (085)

14/10/2010 Information Security In the Extended Enterprise

Slide 2/13

Each firm's security decisions have an impact on the overall security of the information infrastructure.

Managing the security of the sensitive information flowing across the extended enterprise is a significant and under-researched topic.

Slide 3/13

Three research efforts that address the core information security issues pertaining to the efficacy of economic and other potential drivers of information security are:

1) To understand how firms adapt information security capabilities.

2) To assess interdependency risk magnitude.

3) To evaluate the information security gap.

Slide 4/13

Interviews with security and supply chain executives and managers at a host firm and four of its direct suppliers.

Interviews were designed to elicit the knowledge and beliefs of the interviewed individuals.

The host firm is a Fortune 500 manufacturing firm with plants and sales worldwide. 13 individuals were interviewed; interview duration ranged from 30 minutes to 2 hours.

Slide 5/13

Candidates had to use some form of electronic communication to manage their supply relationship with the host.

Candidates would span a range of sizes in terms of their annual revenue.

Candidates would provide products directly used in the host's products.

Candidates should be close to a small set of geographic locations.

Slide 6/13

Drivers of adoption of information security

1) InfoSec managers protecting their firm's internal network and data.

2) Government regulation and customer requirements.

Hence, as a group, the interviewed firms made few or no demands on their suppliers for levels of information security, although Supplier B said that they would start having requirements in the near future.

Slide 7/13

Information security risk: the risk to the internal IT systems and information that arises from integration of supply chain systems. Examples: e-mail, VPN, web applications.

Supply chain continuity risk: the risk to the firm's ability to produce a product due to supply chain disruption caused by information infrastructure events.

Use of phone and FedEx is preferred to avoid the risk.

Slide 8/13

Technology

Market Conditions

Government Regulations

Government Spending

Litigations

Cost-Benefit

Standard Setting / Best Practices

Slide 9/13

Most of the executives who were interviewed focused purely on the cost trade-off of security, disregarding the possibility of increased revenue. These costs can be broken into two major groups:

Costs of avoiding security failures.

Costs of security failures.

Cost of avoiding security failures:
  Cost of prevention: Firewall/Antivirus; Training
  Cost of appraisal: Audits; Monitoring; Intrusion detection

Cost of security failures:
  Cost of internal failure: Lost productivity; IT services restoration
  Cost of external failure: Lost confidence/revenues; Litigation; Fines

Slide 10/13

Costs of avoiding security failures, such as on-going security appraisals and investments in preventive measures like installing a firewall.

Costs associated with security failures: either internal failures that are not observed by customers, or external failures which are observed by those outside the firm.

Internal failures are security problems that are discovered internally, resulting in costs such as lost productivity (for example, lost worker productivity and restoring information services).

External failures, such as exposing confidential information, can lead to many costs including litigation, fines, and brand damage.

Slide 11/13

According to one of the clients, even when information security does not increase revenue there can still be a positive business value for increasing information security.

This client felt that even though increasing information security would likely not increase profits directly, the processes put in place would take costs out of the business.

As an example, the client talked about single sign-on: while this was being done for reasons of information security, it would reduce her costs as well as increase the efficiency of her staff.

Slide 12/13

This study examined how firms identify and manage information security risks internally and within their supply chains.

Our initial results are from a sample of 5 industry-specific firms, which lead us to believe:

Firms are adopting levels of information security that are appropriate for their internal operations.

Market forces, in the form of customer requirements or qualifications, are the primary driver for additional information security measures.

The interviewed firms were reactive in their approach to information security.

Firms need to pay more attention to the risks they are exposed to as a result of using the information infrastructure to manage their extended enterprise.
