An Empirical Study of Information Security Policy on ...

An Empirical Study of Information Security Policy on Information Security Elevation in Taiwan

Hong, Kwo-Shing
Director of Overall Planning Department, Control Yuan of Republic of China, Taiwan
2 Sec. 1 Chung Hsiao East Road, Taipei, Taiwan, Republic of China
E-mail: [email protected]  Fax: 8662-23568588  Phone: 8662-23972067

Chi, Yen-Ping
Associate Professor, Department of Management Information Systems, National Cheng-Chi University
E-mail: [email protected]

Dr. Louis R. Chao
Institute of Management Science, Tamkang University
Member of Control Yuan of Republic of China, Taiwan

Tang, Jih-Hsin *
Assistant Professor, Department of Management Information Systems, National Dong Hwa University
1, Sec. 2, Da Hsueh Rd., Shou-Feng, Hualien, Taiwan, Republic of China
Phone: +886-3-8633112  E-mail: [email protected]


Abstract

With the popularity of e-commerce, information security is vital to most organizations. For managers, building and implementing an information security policy (ISP) is usually believed to be an effective managerial measure to elevate an organization’s security level. The study asks two questions: (1) What are the possible causes for an organization to build an ISP; and (2) Whether the ISP is an effective managerial measure to elevate an organization’s security level? Empirical evidence collected from 165 Chief Information Officers (CIOs) in Taiwan shows that (1) some organizational characteristics (type and MIS/IS department size) might be good predictors for ISP adoption and that (2) the functions, contents, implementation and procedures of an ISP may significantly contribute to managers’ perceived elevation of information security. Managerial implications are also discussed.

Keywords: information security, information security policy, path analysis.

Introduction

With the prevalence of e-commerce, information security is of vital importance to many organizations nowadays. A number of organizations have set up information security policies (ISPs) in the hope of protecting their organizations from security threats. For example, according to a survey in the United States, 85 percent of respondents declared that their firms have established or are establishing ISPs (Hinde, 2002). An information security policy (ISP) is any written corporate statement, principle or guideline for organizational information security. Many managers believe an ISP can help deter improper actions of employees and increase employees’ awareness of potential threats and attacks. When an organization builds and implements an appropriate security policy, it may upgrade business goodwill and bring out implicit value and competitive advantage (Blacharski, 1998; Hinde, 2002; Kuhnhauser, 1999).
Despite the wide practice of ISPs in organizations, their effectiveness is not certain. As Fulford and Doherty (2003) noted, “fewer or no empirical data exist on the important issues of information security policy uptake, content and implementation”; thus, two important questions to ask are: (1) What are the possible factors that lead an organization to build an ISP; and (2) Whether the ISP is an effective managerial measure to elevate an organization’s security level?

Literature Review

An information security policy is a policy targeting specifically at improving an organization’s information security level. ISP is defined in this study as (1) the rules set up for the use of information assets, and the statement set up for the security priorities to achieve organizational objectives; (2) the guideline for the scope of information security; (3) the principle for information management and resource use; and (4) the principle for supporting security techniques.

Objectives and functions

A primary objective of an ISP is to define the users’ rights and responsibilities in an organization, and an effective ISP will help users understand what is acceptable and responsible behavior in regard to information resources, so as to ensure a safe environment (Höne & Eloff, 2002b). Prior studies showed that the goals and functions of an ISP are to: (1) provide a guideline for organizational information security requirements; (2) define the roles and responsibilities associated with information security; (3) establish a benchmark for information access; (4) work as baseline security standards and controls for information security product purchase and installation; (5) formalize and document the information security requirements; (6) ensure that legitimate users can access the information they need and prevent unauthorized users from accessing it; and (7) limit access to confidential information in order to protect it from sabotage and accidents (Blacharski, 1998; Ward & Smith, 2002).

Building an Information Security Policy

An information security policy should be designed to support the core mission and core values of the organization. The core values of an organization depend upon the nature of the organization. For example, the core value for government units could be the protection of people’s privacy information; yet for enterprises the value could be the protection of their business benefits. Because the core values vary with the organizational types, it is critical to understand these values before building an ISP. ISP has attained international awareness and several international standards have been built already. As shown in Table I, these six standards could be useful references while establishing an ISP.

Table I International Standards for Information Security Policy

International Standard | Guidelines
BS 7799 (Code of practice for information security management) / ISO/IEC 17799 | Describes the minimum contents of an ISP; explains what should be done with an ISP; an ISP should be approved by management, published and communicated throughout the organization; an ISP should be evaluated and updated periodically
BSI IT Baseline Protection Manual | Description of drawing up an ISP; coverage topics; contents; review
COBIT (Information Systems Audit and Control Association & Foundation, ISACAF) | Describes the process and control needs for implementing an ISP; brief section on the security and internal control framework policy; writing and maintaining a document
GASSP (Generally Accepted System Security Principles) | Minimal requirements for an ISP and the principles behind it; the different processes needed for defining, maintaining and implementing the policy; the hierarchy concept of an ISP
GMITS (ISO/IEC PDTR 13335-1) | Provides comprehensive guidance on information security with planning, management and implementation; performance evaluation
ISF Standard of Good Practice (the globally representative Information Security Forum, ISF) | Lists the contents of an information security policy; the characteristics of the policy; explains acceptable user behavior
Source: adapted from Höne & Eloff (2002a, b)

The procedures for building an ISP could be summarized as follows: (1) project initiation; (2) security policy development; (3) consultation and approval; (4) security awareness and policy education; (5) dissemination of policies (Lindup, 1995; Ward & Smith, 2002).

Coverage

Management should set up a clear policy direction and demonstrate support for and commitment to information security through the issue and maintenance of an information security policy across the organization (ISO/IEC 17799, 2000). The contents of an ISP may cover: (1) organization for information security and its duties; (2) roles and responsibilities; (3) information classification and control; (4) information risk assessment; (5) information security education and training; (6) access control; (7) physical and environmental security; (8) virus protection and management; (9) emergency treatment procedures for information security accidents; (10) business continuity management; (11) information security policy violations and disciplinary action; (12) compliance (Flynn, 2001; Höne & Eloff, 2002a&b; ISO/IEC 17799, 2000; Osborne, 1998; Ward & Smith, 2002).

Evaluation and maintenance

An ISP should be evaluated independently and objectively on a regular basis in order to ensure that it is kept up to date with the latest laws, government policies, techniques and business. The ISP evaluation could be periodic or non-periodic. Periodic evaluation assesses the ISP as specified in the policy; non-periodic evaluation is usually conducted in the event of serious security accidents, organizational transformation or drastic technology advances (Osborne, 1998).

Research Model

It is widely believed that an ISP may effectively elevate an organization’s information security level. For example, the e-Policy proposed by Flynn (2001) covers a comprehensive e-audit, e-risk management policy, computer security policy, cyber insurance policy, e-mail policy, internet policy, and software policy. However, there is rare empirical evidence in support of this speculation. Derived from the authors’ prior research (Hong et al., 2003), the following research model is formed:

Information security = f(information security policy)
Information security policy = f(build, implementation, and maintenance of information security policy)
Information security policy establishment = f(organizational security requirements)

Because organizational security requirements are mainly contingent upon organizational characteristics, the research model is derived as shown in Figure I.

[Figure I Information Security Policy Model: Organizational Characteristics → Information Security Policy (Build, Implementation, Maintenance) → Perceived Information Security Elevation]

Research Hypotheses

Two sets of research hypotheses are derived to address the two specific questions in the study. The first set deals with the relationship between organizational characteristics and the decision to build an ISP, and the second with the relationship between the ISP characteristics and information security elevation.

According to the literature and the authors’ management experiences, an organization is characterized by its type, size, past history regarding IT application, the hierarchical level of the MIS department, the size of the MIS department and the IT infrastructure, and these characteristics may serve as key determinants for an organization’s general policy (Ryan & Bordoloi, 1997; Loch, 1992; Blacharski, 1998). That is to say, organizational characteristics may affect the organization’s decision to build an ISP. The following hypotheses are derived.

H1a: Organizational type will have an impact on the time of building an ISP.
H1b: The larger the size of an organization, the earlier it will build an ISP.
H1c: The longer the history of an organization applying information systems, the earlier it will build an ISP.
H1d: The higher the level of the MIS department in an organization, the earlier the organization will build an ISP.
H1e: The larger the size of the MIS department of an organization, the earlier the organization will build an ISP.
H1f: The main IT infrastructure used in an organization may have an impact on the time of building an ISP.

An information security policy could be operationalized by ISP adoption time, ISP functions, ISP contents, ISP implementation items, and procedures for ISP maintenance. The elevated level of information security could be defined as a decrease in threats and vulnerability, a fall in security accidents, and lower damage from security accidents. Since an ISP is the guideline for organizational security, the time at which an organization adopts and builds an ISP and the designed ISP functions (definition, coverage, implementation, etc.) may impact the organization’s overall level of information security (Höne & Eloff, 2002a; Flynn, 2001). The second set of hypotheses is derived.

H2a: The time of adopting an ISP will have an impact on the information security level.
H2b: The defined functions of an ISP will have an impact on the information security level.

The usefulness of an ISP is whether it has been put into practice. An ISP ranges over policy goals, information security standards, establishment of procedures and control, the fit between information security and business, and security awareness. All these contents may have an impact on the information security level (Blacharski, 1998; Höne & Eloff, 2002a&b; ISO/IEC 17799, 2000; Ward & Smith, 2002). Therefore the following hypothesis is derived.

H2c: The contents of an ISP will have an impact on the information security level.

The implementation items of an ISP, or sub-policies, are also critical. The implementation items cover security organization, staff security, information asset classification and information auditing policy. We consider that the implementation items may have a profound impact on the organizational security level (ISO/IEC 17799, 2000; Ward & Smith, 2002; Höne & Eloff, 2002a&b).

H2d: The implementation items of an ISP will have an impact on the information security level.

According to the integrated system theory of Information Security Management (ISM) (Hong et al., 2003), an organization’s information security is mainly achieved through the establishment, implementation and maintenance of an ISP. The procedures for ISP establishment and maintenance may have an important impact on the organizational information security level (Höne & Eloff, 2002a; Hong et al., 2003; Gupta, 2001).

H2e: The procedures for ISP establishment and maintenance will have an impact on the information security level.

Research Method

To test the above research hypotheses, a survey method was adopted in this study.

Questionnaire Development

The questionnaire was developed from the literature; the initial version was pilot tested by some scholars and practitioners and then revised accordingly. The questionnaire was divided into three sections: section 1 was associated with ISP establishment; section 2 with the ISP’s functions, contents and implementation items; and section 3 with basic data. The questionnaire is available upon request.

Data collection

The target population of the research is the MIS managers of organizations in Taiwan. Therefore, the subjects were chosen randomly from the three most important Chief Information Officer (CIO) associations in Taiwan. 645 surveys were sent out by e-mail during June 2002, and 165 filled-out surveys were collected. 8 responses were void, and the response rate was 24.34%.

Research Results

Sample profile

The profile of the 157 valid samples was characterized by the following statistics. (1) Organizational type: private sector 26.1%, government units 42.7%, public utility business 12.1%, education and research institutions 14.6%. (2) Size of the organization (number of employees): 200~499 made up 28.7%, then over 1000 24.2%, 100~199 13.4%, 500~999 10.8%. (3) IT application history in the organization: 10~19 years covered 45.9%, over 20 years 31.2%, 6~9 years 14%, 3~5 years 5.7% and less than 2 years 3.2%. (4) Is there an MIS (IS) department? 85.4% of the respondents answered “Yes”, and the remaining 14.6% “No”. (5) Hierarchy of the MIS (IS) department: top level 63.7%, second level 17.2%, and third level 3.8%. (6) Number of MIS (IS) employees: 20~49 made up 22.3%, 10~19 20.4%, 6~9 18.5%, 3~5 14.6%, 1~2 8.9%, 50~99 8.3%, and over 100 7%. (7) Main IT infrastructure: multi-user PC-LAN 45.9%, mainframes 22.9%, minicomputers 17.8%, workstations 7%, and single-user PC 6.4%. (8) Internet connectivity: 99.4% of the respondents were “connected”. (9) Is there an employee in charge of information security? 65.6% answered “Yes”, 34.4% “No”.

Reliability of the Questionnaire

To measure the internal consistency of the items of the same construct, Cronbach’s α was adopted in this study. The reliability coefficients of the developed sub-scales ranged from 0.82 to 0.94, demonstrating that the questionnaire was reliable, as shown in Table II.

Table II. Reliability Analysis of the Scale

Sub-scale | Number of items | Reliability (Cronbach α)
Functions of an ISP | 5 | 0.825
Contents of an ISP | 7 | 0.872
Implementation items | 13 | 0.945
Procedures for establishment and maintenance of an ISP | 13 | 0.9139
Information security elevation | 6 | 0.9317
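The reliability figures in Table II are Cronbach’s α per sub-scale. As an added illustration that is not part of the paper, the following computes α for a constructed 6-respondent, 5-item Likert matrix shaped like the five-item “Functions of an ISP” sub-scale, and adds the alpha-if-item-deleted check that reveals a miscoded (reverse-scaled) item; the response values and function names are assumptions, not the authors’ survey data.

```python
# Cronbach's alpha with an alpha-if-item-deleted check (added example).
# Rows are respondents, columns are Likert items of one sub-scale.
from typing import List, Sequence

# Constructed 6-respondent x 5-item matrix, shaped like the five-item
# "Functions of an ISP" sub-scale in Table II (values are invented).
FUNCTIONS_SCALE: List[List[int]] = [
    [5, 5, 4, 5, 5],
    [4, 4, 4, 4, 3],
    [3, 3, 2, 3, 3],
    [2, 2, 2, 1, 2],
    [4, 5, 4, 4, 4],
    [1, 2, 1, 2, 1],
]
# Same matrix with item 5 entered on a reversed scale (6 - x): a coding error
# the reliability check should catch before hypotheses are tested.
FUNCTIONS_SCALE_MISCODED = [row[:4] + [6 - row[4]] for row in FUNCTIONS_SCALE]

def _pvariance(values: Sequence[float]) -> float:
    """Population variance; the n/(n-1) factor cancels in alpha's ratio."""
    n = len(values)
    mean = sum(values) / n
    return sum((v - mean) ** 2 for v in values) / n

def cronbach_alpha(responses: List[List[int]]) -> float:
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total score))."""
    k = len(responses[0])
    if k < 2:
        raise ValueError("alpha needs at least two items")
    item_vars = [_pvariance([row[j] for row in responses]) for j in range(k)]
    total_var = _pvariance([sum(row) for row in responses])
    if total_var == 0:
        raise ValueError("total score has no variance; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)

def alpha_if_deleted(responses: List[List[int]]) -> List[float]:
    """Alpha of the sub-scale with each item removed in turn."""
    k = len(responses[0])
    if k < 3:
        return []
    return [cronbach_alpha([row[:j] + row[j + 1:] for row in responses])
            for j in range(k)]

def suspect_items(responses: List[List[int]]) -> List[int]:
    """Indices of items whose removal would raise alpha (likely miscoded)."""
    base = cronbach_alpha(responses)
    return [j for j, a in enumerate(alpha_if_deleted(responses)) if a > base]

if __name__ == "__main__":
    for name, data in (("clean", FUNCTIONS_SCALE), ("miscoded", FUNCTIONS_SCALE_MISCODED)):
        print(f"{name}: alpha={cronbach_alpha(data):.3f} suspect={suspect_items(data)}")
```

On the clean matrix α is about 0.98 and no item is flagged; with item 5 reversed α collapses to about 0.53 and the check points at that item.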

Hypothesis testing

The research hypotheses fell into two sets: one set deals with the relationship between organizational characteristics and ISP adoption, and the other with the relationship between ISP adoption and the CIO-perceived information security elevation. Regression analysis was conducted to validate the hypotheses.

Table III. The Summary of Hypothesis Testing Results

Hypothesis | Regression β | Significance
H1a: Organizational type will have an impact on the time of building an ISP. | 0.163* | Supported
H1b: The larger the size of an organization, the earlier it will build an ISP. | 0.146 | Not supported
H1c: The longer the history of an organization applying information systems, the earlier it will build an ISP. | 0.106 | Not supported
H1d: The higher the level of the MIS department of an organization, the earlier the organization will build an ISP. | 0.122 | Not supported
H1e: The larger the size of the MIS department of an organization, the earlier the organization will build an ISP. | 0.181* | Supported
H1f: The main IT infrastructure used in an organization may have an impact on the time of building an ISP. | 0.105 | Not supported
H2a: The time of adopting an ISP will have an impact on the information security level. | 0.006 | Not supported
H2b: The defined functions of an ISP will have an impact on the information security level. | 0.506*** | Supported
H2c: The contents of an ISP will have an impact on the information security level. | 0.273*** | Supported
H2d: The implementation items of an ISP will have an impact on the information security level. | 0.443*** | Supported
H2e: The procedures for ISP establishment and maintenance will have an impact on the information security level. | 0.482*** | Supported
***: P