Maria Karyda, Spyros Kokolakis and Evangelos Kiountouzis
Within the past decade organizations have realized the need to protect their Information Systems (IS) and thus allocate significant resources to this endeavor. However, protecting an IS in the context of an organization is far from a trivial task and needs to be addressed in a disciplined manner. Within the IS security management agenda, a common practice is to design and apply an IS security policy or, using a more inclusive term, an IS security plan, based on the findings of the evaluation of the IS security level.
An IS security plan comprises principles and guidelines for the protection of an IS, prescribes specific protective measures, and outlines a strategy and a program for implementing the plan. The aim of applying an IS security plan is to reduce the risk an IS faces, that is, to transform an IS into a security-enhanced IS. Considering the axiom that there are no hundred percent secure systems, it is generally accepted that this transformation will not result in a zero-risk IS but in a lower-risk IS. This transformation entails significant changes affecting the components as well as the operation of the IS. In most cases, and especially when the IS supports significant organisational functions, many changes need to be made for the security plan to be applied. These changes need to be made not only to the IS, but also to its organizational environment. Technical issues have been systematically examined in the IS security literature; organizational issues, however, remain largely unexplored, despite the fact that many researchers have stressed their importance. Previous work in this field has largely overlooked the impact of developing and implementing an IS security plan on organizations, and no accounts have been given of the implications and changes that emerge within the organizational environment and are related to the application of the security plan. The authors’ experience in several IS security planning projects in the period 1998-2002 indicates that organizational factors play an important role in the process of transforming an IS into a lower-risk IS.
The above realization has led us to explore the implications that the application of IS security plans has on the organisational context and the organisational changes that are related to it. In this paper we seek to reveal the way IS security plans and the organisational context are formulated as a result of their interaction. To do so we have studied the process of securing an IS: from creating a security plan for a specific organisation to its implementation and use by the organisation. This process is presented in this paper as a case study, which describes the introduction of a security plan to an information system used for processing sensitive personal information, and the activities that were undertaken by the members of the organisation in order to put the security plan into action.
The Center for the Treatment of Dependent Individuals (CTDI) is a Greek Non-Governmental Organization established in 1987 that comprises more than 40 independent units concerned with prevention and treatment of drug abuse. In 2000 CTDI invited a university research group, among which were the authors of this paper, to prepare an IS Security Plan for the CTDI’s information system, which was mainly used for handling research data concerning drug addiction in Greece. The group worked with the CTDI for a period of six months to prepare a security plan comprising a security policy and a list of security countermeasures. For this project the CCTA Risk Analysis and Management Method (CRAMM) was employed. CRAMM does not provide for the analysis of social and organizational factors, and the working team could only rely on their experience to handle such issues. The IS Security Plan was delivered in October 2000 and was welcomed by CTDI management, which declared their commitment to implement it. Two years later, in the spring of 2002, researchers from the same group returned to examine how the implementation of the security plan had progressed and to explore how organizational issues had affected the implementation of the plan. In the two research phases more than 30 formal in-depth interviews were conducted with various groups within the CTDI. Data collected from these interviews, as well as documents that are used within the CTDI, archive inspection and personal observation, have provided us with the basis for composing the case study.
To draw our conclusions about the effects and implications that the implementation of the security plan had on CTDI, we have drawn upon Structuration Theory (ST), as initially proposed by A. Giddens. Structuration theory provides a framework for understanding social situations in terms of social structure and human interaction; within the IS literature structuration theory has been used for various purposes, among which are theorizing, analyzing, and providing operational guidance for IS practitioners. We have used structuration theory for understanding the social interaction among the members of the organisation and their actions with regard to the implementation of the security plan.
The conclusions we have drawn from this case study strengthen the initial observation that elements of the organisational context, and especially social interaction, play a vital role in the application of a security plan. Organisational elements should be acknowledged and taken into consideration by IS security professionals when designing an IS security plan. We also argue that there is a need to further explore the implications of the application of IS security plans from an organisational perspective, besides the technical perspective that is dominant in the relevant literature.