The IRMA Community
Newsletters
Research IRM
Click a keyword to search titles using our InfoSci-OnDemand powered search:
|
Information Security: A Technical or Human Domain?
Abstract
The ultimate objective of the research study on which this paper is based, is to develop, pilot, and refine an implementation framework for information security, based on critically normative theory. This framework will then be used to critically evaluate existing information security provisions in organisations, including evaluation against existing standards, using case-based and live organisational settings. The initial part of this study is now complete, and has provided the grounding for achieving the above objectives. This first stage, which is reported within this paper, had the key aim of critically assessing the current status of information security theory and practice from the literature and from empirical evidence. From this, the theoretical constructs that are applicable to an understanding of information security have been determined and are reported. This has led to the consideration of critical theory as a foundation for the domain of information security. An information security framework, based on this work, has been constructed. Over the past ten years there has been increasing interest in the subject of information security (for example: DoD, 1987; Baskerville, 1988; EC, 1991; O’Connor, 1994; Drake, 1998; BSI, 1999a; BSI, 1999b), with particular emphasis on information technology or computer security (for example: Donovan, 1994; Forester, 1994; Langford, 1995; Neumann, 1995; Gollman, 1999). In the early to mid 1990s, a group of representatives from some of the largest organisations in the UK decided to collaborate to formalise matters. They established a committee under the stewardship of the United Kingdom Department of Trade and Industry and the British Standards Institute to create a British Standard (BSI, 1999a; BSI, 1999b). Each of these organisations (and others) had been working to establish frameworks to adequately secure the information systems within their organisations, and the British Standard had the simple aim of standardising these frameworks into a model that could be applied to any organisation.
|
|