Management and Information Security
systems grew and became decentralized, more complex information security became
an apparent need. Therefore, advances in technology aid in information security but
also create new information security challenges in a networked world.
There are four important information technology issues public managers should be
aware of in information security. Each of these information security issues is
extremely important for public sector organizations.
Viruses are a threat to any organization because organizations are connected
externally to the Internet through digital means, which makes them vulnerable to
outsiders of the organization. There is a discussion of computer viruses later in this
chapter, but essentially they are an important management issue because they create
an information security threat for all public organizations. Public organizations are
especially vulnerable to viruses because of their public purpose. Public managers
should be aware of computer viruses and what can be done to prevent them, through
virus protection software, routine maintenance of machines, and employee awareness
of information security policy.
Information systems are in constant need of maintenance. Therefore, it is essential
for the public manager to be aware of issues of maintenance and to ensure computer
systems are properly maintained. This ensures a greater level of information security,
as information systems can be especially vulnerable to threats when a system is not
properly maintained.
Perpetual Upgrades
One issue of importance to public managers is the perpetual upgrading of their
information systems. Information systems technology is in constant need of upgrades
as new technology becomes available. Keeping up with the latest upgrades poses a
financial challenge, especially in a fiscally constrained public sector.
Top Management Support
One of the most commonly cited impacts on information security development is
support from top management. Information security incidents can be highly
publicized and costly to the organization; therefore, management must take them
seriously (Straub and Welke, 1998; Knapp et al., 2006). Empirical research shows that
Chapter 10 Information Security and Privacy
top management support positively impacts information security culture and policy
enforcement in an organization. Essentially, if there is no support from top
management, then information security programs will fail, even if the technology used
was great. With an organizational culture that embraces information security,
management backing will impact information security effectiveness.
Survey evidence on the importance of information security in state government
shows that management support has a positive impact on security (Table 10-4)
(Reddick, 2009b). IRMs indicated they strongly agreed that top management
supports information security policy and awareness for their state agency (35%). There
was little disagreement with this statement of top management support for
information security (7.7%). With regard to top management's willingness to invest in
information security, 23% of IRMs strongly agreed with this statement. The results in
Table 10-4 show that top management supports information security through policy
and investment, according to most IRMs.
Even knowing the importance of top management support for information security,
there are several reasons for low management concern about information security
(Kankanhalli et al., 2003). First, managers may believe there is a low risk of
information security threats; therefore, they invest little time and effort in information
security. Second, managers may not see the benefit of information security
protection because of the difficulty in evaluating its effectiveness. Third, managers may
lack knowledge about the possible controls that are available. Therefore, to raise
the level of management involvement in information security, managers need to be
convinced of its benefits in order to create a more effective organization.
An information security framework provides the organization with a clear
understanding of how to minimize risks posed by employee behavior regarding the use of
information assets (Veiga and Eloff, 2010). To understand information security, one
must understand the organizational culture and employee behavior, which is the way
things are done by employees in the organization.
Table 10-4
Top Management Support for Information Security
In my state agency…
Top management supports information security policy and    34.6    53.8    3.8    7.7    0
Top management is willing to invest in information security    23.1    42.3    23.1    11.5    0

