Has the Indian Government Really Thought About Management of Information Systems Security?

AUTHOR
Shalini Kesar

ABSTRACT

Management of information security is important in any Electronic Government, particularly when confidential and sensitive information is recorded on a daily basis. The term ‘Electronic Government’ (EGov) refers to the use of Information and Communication Technologies (ICT) to improve delivery of government services, facilitate interactions with business and industry, or empower citizens through access to information. Efforts to offer such services to citizens have intensified across many countries. With this, threats such as computer crime, both malicious and non-malicious, have also increased in number. Consequently, the topic of management of information security is both important and topical in view of the recent statistics reported on breaches involving computer crime originating from both outside and within organizations. It is argued, however, that these ‘reported’ cases represent only the tip of a potentially large iceberg (CSI/FBI 2008).

For the last ten years, the Indian government has initiated various EGov projects at the national, state and local levels. The Ministry of Communication and Information Technology introduced the National e-Governance Plan (NeGP) to support the growth of EGov within the country. Most recently, in 2008, the Indian Government implemented a Policy of Open Standards that aims to provide a set of guidelines for the uniform and reliable implementation of EGov. In an effort to facilitate, promote, advise and support the EGov initiatives at state and local level, the Computer Society of India (CSI) publishes various studies on challenges faced by the Indian government. Some of these challenges include: infrastructure; resistance to re-designing departmental processes; and lack of communication between government departments and developers responsible for EGov (also see Mahapatra and Sahu).

Given that the Indian government has also initiated a major push towards offering its services through the Internet, it is clear that the potential for information security breaches will also continue to increase. Many examples show that India, like any other country, already faces information security breaches. The Computer Crime & Abuse Report, for example, highlighted that over 6,266 incidents of computer crime affected 600 organizations in India during 2001 and 2002 alone. Reports such as the Forensic Accounting Report (2007) point out that, given the fast developments in India, the level of awareness about computer crime is very low. To combat such threats, the Indian Government gave effect to a resolution of the General Assembly of the United Nations for adoption of a Model Law on Electronic Commerce. As a result, the Information Technology Act 2000 was introduced to regulate and legalize electronic commerce. More recently, the Act was modified to include computer crime such as hacking. However, statistics indicate that very few people have been prosecuted under this Act. Furthermore, the Act has also been criticized for its complexity.

In explaining information security breaches, researchers provide alternative viewpoints. Taking into account the gravity and complex nature of ICT, one strand of studies argues that relying on technical solutions alone to secure any organization from threats like computer crime is a very ‘narrow’ approach (for example, see Vroom and Solms 2004). Although technical solutions are equally important, information security in general is much broader in perspective than “Computer Security”. It is for these reasons that information security researchers advocate the need to recognize both technical and social issues (for example, see Dhillon and Backhouse 2001, Siponen 2001, Kesar 2002). While trying to understand the factors that lead to absent or poorly implemented solutions, researchers believe that it is also important to explore how management within organizations addresses the issue of information security. In this regard, it has been argued that one of the primary causes for the absence of appropriate solutions is complacency towards information security (Hinde 2001). As a result, complacency towards information security can be a major contributing factor in the management of threats such as computer crime. Hence, it can be argued that complacency towards information security, combined with a lack of, or inadequate, basic security controls, could itself offer little scope for developing effective solutions.

The discussion so far brings forth three fundamental issues regarding management of information security in the context of EGov. Firstly, most cases of computer crime are, for various reasons, rarely reported. Although the extent of damage caused by information security breaches can be gauged by the ‘reported’ cases, as mentioned above, they represent only the tip of the iceberg (Parker 1998). To further compound the problem of computer crime, most acts do not catch the attention of organizations until it is too late. Secondly, there seems to be a lack of studies that take into account government officials’ perceptions and views about information security. Thirdly, there is a general underestimation of the risks associated with an increasingly electronic and connected environment within government.

Against this backdrop, the research question addressed in this paper is “How do government officials responsible for EGov projects perceive and interpret information security policies and procedures?” It makes specific reference to one EGov project implemented at a local level in India. In conducting the case study, the paper uses the design-reality gap analysis framework, a multidimensional framework consisting of seven dimensions, namely: Information, Technology, Processes, Objectives and values, Staffing and skills, Management systems and structures, and Other resources (ITPOSMO), proposed by Heeks (2000). While the prime focus of Heeks’ (2001; 2002) framework is on identifying gaps in the design and development of EGov projects, this paper uses the framework to address the research question stated above. Both primary and secondary data are used. Primary data involves semi-structured interviews (operational and managerial staff) and surveys, while secondary data includes documentation and newspaper articles.

To conclude, this paper contributes significant learnings for EGov implementation in India in the context of management of information security. These can benefit efforts directed towards overcoming the challenges and issues involved in securing EGov implementation from increasing threats such as computer crime.

REFERENCES

Dhillon, G., and Backhouse, J. (2001). “Current directions in IS security research: toward socio-organisational perspectives.” Information Systems Journal, 11 (2): 127-153.

Heeks, R. (1999). “Better Information Age Reform. Reducing the Risk of Information Systems Failure,” In Heeks, R. (ed.). Reinventing Government in the Information Age. International Practice in IT-enabled Public Sector Reform. London: Routledge.

Heeks, R. (2001). (ed.). “Reinventing Government in the Information Age: International Practice in IT-Enabled Public Sector Reform”. London: Routledge.

Heeks, R. (2002). “E-Government in Africa: Promise and Practice,” Information Polity (7), pp. 97-114.

Hinde, S. (2001). “The weakest link.” Computers & Security, 20 (4): 295-301.

Kesar, S. (2002). Management of computer misuse committed by employees within organisations. MPhil Thesis (Information Systems). Leicester, De Montfort University: 351.

Parker, D. (1998). Fighting computer crime: a new framework for protecting information. New York, Wiley.

Siponen, M. T. (2001). An analysis of the recent IS security development approaches: descriptive and prescriptive implications. “Information security management: global challenges in the new millennium”. G. Dhillon. Ed. Hershey, Idea Group Publishing: 125-134.

Vroom, C., and Solms, R. V. (2004). “Towards information security behavioural compliance.” Computers & Security 23 (3): 191-198.