An Integrated Framework for Managing Information Technology Security Uncertainty

2020 European Journal of Business and Management  
Information security has drawn a great deal of attention in the business world. Cyber security standards play a significant and crucial role in offering feasible approaches to organizations as they carry out comprehensive strategic planning. This paper aims to provide a systematic overview of information technology (IT) security management in organizations. Through a structured literature review of academic databases and industry whitepapers, we review a number of the critical issues and challenges facing the industry today and in the future. In line with the fundamental elements of information security, we propose an integrated framework for understanding the current state of IT security management. In particular, we focus on three critical fundamental functions of IT security management: Security and Risk Management, Security Operations, and Security Assessments and Testing. We then use the proposed framework as a lens to discuss and address the security issues raised by bring your own device (BYOD) in organizations.

Introduction
The rapid development of information technology (IT), the accessibility it offers, and its ease of use have contributed to an increasing tendency for organizations to invest in developing information systems (Jones et al., 2005). IT has changed the way organizations run businesses in the 21st century (Sidelinger et al., 2008). Since the internet has been widely integrated into modern business processes, organizations are more susceptible to attacks on their information systems (Bojanc and Jerman-Blazic, 2008; Silva et al., 2014). These attacks may lead to security failures that cause huge losses (e.g., market failure) for companies (Chen et al., 2011). IT security continues to be a priority and a critical challenge for organizations (Luftman et al., 2016). As a result, more and more business enterprises develop and implement different risk management governance mechanisms for managing corporate information security, such as an intelligence-based information security framework (Webb, 2015), a fuzzy-based information security framework (Silva et al., 2014), and a risk-based information security framework (Bojanc and Jerman-Blazic, 2008). IT security has therefore become a matter of strategic importance for an organization.

For example, many organizations have applied Failure Mode and Effects Analysis (FMEA) to identify flaws in key processes at the operational level, since it offers a set of measures and comparisons and provides an effective way to build business process knowledge (Silva et al., 2014). The purpose of this paper is to provide a systematic overview of information technology security management in organizations. We review some of the critical issues and challenges facing the industry today and in the future, as well as three of the fundamental functions of information security. In doing so, we draw on the three principles of information security: confidentiality, integrity, and availability (Khansa and Zobel, 2014). To identify critical challenges, we concentrate on three primary functions of security management: Security and Risk Management, Security Operations, and Security Assessments and Testing. We chose these functions because they provide the security services expected from a business management point of view; when executed appropriately, they also offer a high return on investment. We therefore develop an integrated framework for the management of IT security by incorporating an industry-leading security framework. The paper is organized as follows. Section 2 describes the methodology of the study. Section 3 reviews the literature on information security and develops a holistic view from a risk management perspective. Section 4 proposes an integrated framework for information security management. Section 5 discusses and analyzes BYOD security concerns through the framework proposed in Section 4. Finally, the paper concludes.

Methodology
We used a structured literature review as the methodology for analyzing and understanding the nature of security management.
Specifically, we paid particular attention to searching industry best practices, peer-reviewed research,
doi:10.7176/ejbm/12-18-01