Never Waste a Good Information Security Incident

Friday, 12 May 2017. A day to remember or a day to forget? It was the headline of every newspaper: Hospitals, major organizations and government offices across the globe had been hit by a massive wave of cyberattacks that seized control of computers until the victims paid a ransom. With more than 230,000 infected PCs in more than 150 countries, it was believed to be the biggest attack of its kind ever recorded.

People in organizations feel a sense of urgency about information security. Awareness of the need for adequate information security has increased due to continuous attention on a global scale.¹ Since information security involves more than just IT, the term “business security” was introduced.² Other elements were added to information security that were later folded into business information security (BIS) studies at the Antwerp Management School (AMS) (Belgium).^{3, 4, 5} In various publications, a business-oriented and more strategic approach was developed to involve multiple parties at all levels of the organization and in the digital chain of third parties.^{6, 7, 8, 9}

With the increasing complexity of information security, it is important to consider how to apply BIS effectively. This requires additional insights into relevant success factors that contribute to existing frameworks and models. As a result of extensive explorative research conducted by the AMS, a core set of critical success factors (CSFs) was established for organizations to take into account. Understanding the key factors that influence effective BIS is crucial for business leaders; otherwise, security problems can occur, which can lead to financial loss, unavailability, reputational damage or even bankruptcy.¹⁰ The increasing number of security incidents underscores the need for effective BIS.

What Is the Problem?

Whereas information security did not receive adequate attention for years, today it is at the top of the board’s agenda.^{11, 12} It is no longer a question of if a security issue will happen, but when, and whether the impacted organization has effective information security in place. Four key problems have been identified related to ineffective implementation of information security within organizations:

1. Effectiveness—Many information security programs are not particularly effective, given numerous recent reports¹³ of serious data breaches or business disruptions. Moreover, analysis of discovered breaches suggests that most could have been prevented if the organization had employed best practices related to information security controls.¹⁴ Why is it that organizations still fail in the effective implementation of BIS practices? An extensive study suggests the causes listed in the next three points.
2. Complexity—Organizations today are aware that there is a need for BIS.¹⁵ However, because of the complexity of BIS,¹⁶ managers do not know where to start or what is relevant to ensure effective BIS within their organizations. Due to the high-profile organizational failures of the past decade, legislatures, statutory authorities and regulators have created a complex array of new laws and regulations designed to bring about improvements in organizational governance, security, controls and transparency. Previous and new laws on information retention and privacy, coupled with significant threats of information systems disruptions from hackers, worms, viruses and terrorists, have resulted in a need for a governance approach to information management, protecting the organization’s most critical assets—its information and reputation.¹⁷ The lack of awareness and knowledge of information security¹⁸ fuels this complexity. This makes it difficult for organizations to determine which factors contribute to the actual improvement of BIS.
3. The absence of intangible factors in frameworks—A range of information security models and frameworks consisting of formal policies, procedures, guidelines and activities, and associated resources is collectively managed by an organization to protect its information assets. They show the security maturity level of an organization and what action needs to be taken to get to the level that is needed to be in control. But the value of information security depends on more factors than those prescribed in these frameworks and models. Most of these frameworks do not take into account factors such as culture, tone at the top and awareness. For example, research describes the fact that frameworks and technology solutions do not guarantee a secure environment for information.¹⁹ Besides these aspects, it is necessary to take the human aspects of information security into consideration.²⁰ One study refers to the fact that research into intangible factors has been limited compared to other, more technical, aspects of security.²¹
4. Lack of information security management and governance—Information security governance is important to have in place to improve BIS.²² According to the Computer Security Institute (CSI)/US Federal Bureau of Investigation (FBI) Computer Crime and Security Survey,²³ economic, financial and risk management aspects of computer security have become more and more important concerns for today’s organizations, and such concerns are complements to, rather than substitutes for, the technical aspects of computer security. Solid security products or technology alone cannot protect an organization from security breaches. Structures of responsibility and the integrity of the people in achieving overall security in an organization are critical.²⁴ Effective information security management and governance seem to be lacking in organizations.²⁵

As a consequence of these points, there is a clear need to identify CSFs that can contribute to effective BIS. Over the years, much academic attention has been paid to information security. These research efforts did not lead to an increase in secure information, let alone a decrease in security incidents. CSFs are proposed to add a dimension to the current body of knowledge (BoK) to create more success in practice. However, CSFs for BIS have not received much attention in the research community.²⁶

The aim of the research discussed in this article is to provide insight into potential CSFs that can contribute to the BoK and provide organizations with a better instrument that can be used to address the previously listed problems. Examining CSFs from multiple business perspectives can contribute to developing a framework of CSFs that will enable organizations to be effective in information security.

Research Approach

To start the exploration into CSFs, a combination of literature and exploratory research was used (figure 1). A literature study was conducted to gather knowledge about the domain of the topic of interest and knowledge about relevant theories and research methods that can be applied to develop new knowledge.²⁷ An effective review creates a firm foundation for advancing knowledge. It facilitates theory development, identifies areas where a plethora of research exists and uncovers areas where research is needed. Literature review represents the foundation for research in information systems. Review articles are critical to strengthening BIS as a field of study.²⁸ Research on CSFs related to information security, however, is rare. CSFs can also be found under terms such as “challenges,” “barriers,” “motivations,” “enablers” and “obstacles.”²⁹

The initial sources of the main factors were collected from academic literature and studies about CSFs related to information security. More than 100 publications were reviewed for this research to identify CSFs. The first factors were derived from these sources. This extensive study of the academic and practitioner’s literature enabled discovery of the success factors that were described by academics as being critical for effective BIS. The contribution to the final artifact is that literature research objectivity removes the element of fear, uncertainty and doubt.

“Explorability” refers to the extent to which a research strategy encourages or enables the discovery of previously unknown or unconsidered observations or findings. This can be an attribute of some artifact designs.³⁰ This was applied in the next step, where research was done among security experts from large telecommunications companies, banks and government organizations. The methodology used for this research is a case study.³¹ This method involves intensive research on a specific case within its natural setting over a period of time.

In this case study, the view and vision of security professionals were collected in relation to success factors that are effective for information security. With this method, valuable insights were gained from the emerging topic of information security and these created a better understanding of its nature and complexity. The case study also revealed what success factors are relevant for effective BIS in practice.

In the second phase of the case study, the CSFs that were derived from the interviews with security experts were used for two sessions of validation by participants from a range of industries by using explorative research methods. This led to CSFs that were validated and further scrutinized from the original CSFs. The data were presented to IT and finance professionals to validate and score the list of CSFs on effectiveness. This was proposed to gain a more qualitative view of CSFs according to relevant BIS stakeholders.

Empirical exploration via practitioners also contributes to the validity of the proposed CSFs. Therefore, a considerably large group of participants was used to increase the reliability of the outcome. The data collected during these stages contributed to the next stage of research. In this way, a deep dive was made to arrive at a selection of CSFs combined with literature research used to scrutinize it in final research among security experts. This type of data collection is called “sequential design.” Sequential mixed methods involve collecting data in an iterative process whereby the data collected in one phase contribute to the data collected in the next.³²

The outcomes of the workshops in the second phase were combined with the literature research from the first phase, creating a combined list of 66 CSFs from practitioner and academic perspectives to be further assessed by security experts during a final group support systems (GSS) session. This was the final phase of the research.

For the three workshops, GSS were used to facilitate and get the respondents to participate actively in scrutinizing the most critical factors of success that will ensure effective BIS.³³ Figure 2 displays the flow of the GSS process toward decision-making.

In this process, the ‘‘collective brain’’ of a group of experts was mobilized during a three-hour session to explore, assess and prioritize the most critical of the 66 success factors for BIS, as selected from the workshops and interviews previously described. Before the participants started scoring the CSFs, the groups scored the seven enablers used in COBIT 5. The list of CSFs was categorized in advance (before the final session) by the enablers to add more context. This information was not shared with the participants during the session. This was done to analyze the scores of the enablers in relation to the CSFs afterward.

Involving multiple and different participants in multiple GSS sprints is referred to as “relay groups.”³⁴ The differences between relay groups and decathlon groups can be assessed by indicating that making use of multiple relay groups, which judge the outcomes of the previous group, instead of decathlon groups, where participants start from scratch, increases productivity and group satisfaction.³⁵ Both group satisfaction and an effective moderator of a GSS session increase an open atmosphere where people speak up when something is ambiguous or vague.³⁶ Making use of a predefined agenda that is shared before the GSS sessions, as well as sending the participants the data upfront, enables proper preparation and pre-questioning for clarification prior to the meeting.³⁷

Findings

Based on the literature study, validation by practitioners and the review of security experts, the following conclusions can be drawn. The most critical success factors from this research, as displayed in figure 3, are related to intangible factors. Where frameworks and rules and procedures are perceived as less effective, cultural factors are perceived as highly effective for improving BIS within organizations.

The CSFs that scored the highest are predominantly derived from security experts and not from the literature research. This is an interesting outcome that reveals that:

• Organizations are more influenced by practical input and less by theoretical input
• Theoretical frameworks require enrichment from practical-oriented views

Security Practitioners’ View on the Study

An overall conclusion of this study is that culture and behavior are essential to enable BIS, and cultural factors can improve the effectiveness of BIS. The COBIT 5 Culture, Ethics and Behavior enabler scored a 5 (top criticality score) unanimously and can, therefore, be seen as essential for the maximum chance of success. In figure 4, the scores of the experts, based on the COBIT 5 enablers, are reflected. The column variability reflects the variance between the expert opinions.

COBIT 5 does not work this out in detail. COBIT 5 recognizes the importance of the interrelation among the enablers (e.g., processes are performed by people, using information and other resources). In its appendix, the COBIT 5 framework provides a high-level overview of the attributes of the seven enablers; hence, not all enablers are detailed in publications. People are very good at putting rules and procedures in place, but they often become the goal and not the enabler for desired behavior or adding value for customers. One author wrote about the two enablers that scored highest in this research (Culture, Ethics and Behavior, and People, Skills and Competencies):

They are critical for the success of digital transformation, and the current issues relating to business and IT alignment are persistent and pervasive and were for many years. Guidance is needed to address these issues. ISACA, in my mind, would do well to further develop guidance relating to these enablers.³⁸

From the top 10 CSFs identified in this research, five are related to cultural, ethical and behavioral aspects.

Security experts had different definitions of when they felt in control and successful in BIS. The research question, “What is considered ‘successful’ with regard to BIS?” was answered by the literature review and the security experts’ survey and the results are, therefore, relevant, confirming existing insights and leading to important new insights. In this way, they can be returned to the BoK of science and used in practice by organizations.

An important response from one of the security experts (a chief information security officer [CISO] from a large telecommunications firm) to the question in the preceding paragraph was:

Being able to reduce the average time needed to resolve incidents and vulnerabilities. There is an opportunity window (being open) for hackers if you have vulnerabilities or incidents you are aware of, so they can get into your network. If you have defences up and running, then good luck! The question is: If you know about vulnerabilities and their severity, how long does it take to close this window? The shorter the time taken to resolve issues, the more mature you are.³⁹

Various success factors from this research are related to this statement, such as “Overview of the threat landscape; knowing the exact location of the business-critical assets and how to protect them,” which scored 4.5 in the group score and, therefore, was seen as highly effective. Reducing the average time needed to resolve incidents and vulnerabilities requires knowing the threat landscape as well as the organization’s (key) assets.

This requires a different approach from the definition given by a chief security officer (CSO) of a financial organization (large bank) in The Netherlands:

The highest reachable [goal] is if there is no particular security role needed anymore, and all departments/services by themselves have a high standard of safety and deliver in accordance with this standard. Security is fully embedded in the genes and business of the organization, as a natural and integral part of the business.⁴⁰

The success factor “Strong security culture; security in the genes of the whole organization” scored 4.5 in the group score and, therefore, was seen as highly effective.

The survey respondents are renowned security experts with different answers to the question about when they feel in control and successful in BIS. The factors related to their statements scored high in the final outcome and are, therefore, seen as relevant.

Some Reflections on the Research

Empirical research taught us that most subject matter experts fail at the typical governance disciplines such as regulation, policies, business continuity management or information security management.⁴¹ It was stated in 2009 that companies fail at information security because they get lost in the wide variety of frameworks and the level of detail that contributes to the perceived complexity.⁴² The trick is to combine a framework, to improve structure, with best practices from practitioners.

The 2010 publication on maturing BIS⁴³ focused on seven security principles (e.g., identifying applicable regulations, measuring and monitoring, gaining management involvement) to which companies must adhere to mature their security level. These still stand today, but they are somewhat obvious in the current cybersecurity environment. Therefore, this research into CSFs contributed state-of-the-art insights from practitioners collected through a rigorous process of collaboration via GSS and, therefore, contributes to current frameworks.

The following additional CSFs apply specifically to investment in cybersecurity to improve the organization’s maturity level, especially when the board does not believe information security should be so high on its agenda:

• Get the pertinent facts together and know why a larger budget is needed. Do not rely on “gut feeling” or vendor reports.
• Know the number of attacks the organization is undergoing every day. Is it five, 5,000 or 50,000? Knowing the numbers will help to build a story line for board members and convince them to invest in cybersecurity. (Storytelling is claimed as a CSF by other publications, but was not mentioned by the participants in this research.)

Value the Assets

It is useful to make investments in information security tangible, for example, integrating cyberprotection in the annual report. In one large government organization, the annual report had previously been strictly a financial document, but the board and chief financial officer were convinced that it was important to prove how the organization’s cybersecurity efforts protected its end customers’ assets. It was critical to make cybersecurity part of the company’s DNA and it clearly raised people’s awareness of issues relating to cybersecurity. Supporting storylines with visuals is very powerful in convincing senior management and boards. Visuals speak for themselves. (The use of visuals was not mentioned directly by the participants of this study.)

Demystify Jargon

Speaking about the necessity of logging and monitoring software to the board is likely to be ineffective. It is better to use the same language as the C-suite. Another tactic is to translate information security to a business model, such as five forces analysis.⁴⁴ Using the balanced scorecard (BSC),⁴⁵ there are four perspectives for the organization: financial, internal, external and innovation. What is the impact of cybersecurity on each perspective? How do external parties perceive the security of the company, using the tests posted on www.internet.nl?

Making use of management models grounded in other theoretical fields helps boards better understand security and its value.

Faulty Cybersecurity Impacts the Value of the Organization

Cybersecurity impacts an organization’s success, but also its failure. Sixty percent of hacked organizations will not continue to survive 18 months after a breach.⁴⁶ It also impacts the perceived value of organizations. Analyst firms increasingly rate organizations on their ability to manage security risk.

The critical factors for a successful security strategy are continuously changing. For example, the industry is currently looking at automation of manual, high fault-tolerance tasks such as access rules or firewall verification. (This was mentioned by the participants of this study.)

BIS must be embedded in organizations and maturity levels raised. This will enable better handling of breaches and will safeguard respected businesses and practitioners’ positions as well.

Key Takeaways

The following are the key takeaways from the research described herein:

• Actionable items that reflect a direct financial benefit include being able to reduce the average time needed to resolve incidents and vulnerabilities. There are two key moments at play: when a security incident is detected and when it is mitigated. The shorter the time taken to detect and resolve issues, the more mature the organization. Being able to report success in this area and back it up with financial statistics is likely to generate more support from the board.
• Intangible factors make a big difference. The most critical success factors from this research are related to intangible factors. Where frameworks and rules and procedures are perceived as less effective, cultural factors are perceived as highly effective for improving BIS within organizations. Tangible factors are also mentioned in the core set of CSFs (e.g., budget and compliance with laws and regulations), but the main conclusion of the research is that intangible factors need to be taken into account as an extension of the common frameworks, models and procedures provided by security communities and bodies.
• Responsible disclosure; on how the company deals with cyber and information security risk in the annual report indicates the tone at the top. Rating agencies, shareholders, analysts and all sorts of stakeholders that benefit from a cyberresilient organization directly influence the tone at the top, the awareness of boards and, therefore, the allocation of sufficient budgets. The CISO needs to communicate to these stakeholders to create a demand for safety among boards and senior management.
• Never waste a good incident; to create a sense of urgency, allocate budgets and collectively determine the priorities.

Hopefully, a lesson was learned on Friday, 12 May 2017. Learning from incidents, having the budget to invest in the protection of the organization, and gaining commitment and responsibility from the board for BIS—all scored highly in this research and are relevant success factors to protect an organization against sophisticated threats. But the main conclusion of this thesis is the importance of intangible factors in more effective information security.

Endnotes

¹ World Economic Forum, “The Global Risks Report 2017,” p. 72, http://www.weforum.org/reports/the-global-risks-report-2017
² Von Solms, B.; “From Information Security to…Business Security?” Computer and Security, vol. 24, iss. 4, June 2005, www.sciencedirect.com/science/article/pii/S0167404805000544
³ Postuma, S.; “Structures, Processes and Relational Mechanisms Needed for the Implementation of Business Information Security Strategy,” Antwerp Management School, Belgium, 2013
⁴ Van Grembergen, W.; S. De Haes; E. Guldentops; “Structures, Processes and Relational Mechanisms for IT Governance,” Strategies for Information Technology Governance, USA, 2006, http://www.researchgate.net/publication/314457003_Structures_Processes_and_Relational_Mechanisms_for_IT_Governance
⁵ Bobbert, Y.; Maturing Business Information Security: A Framework to Establish the Desired State of Security Maturity, The Netherlands, 2010
⁶ Papazafeiropoulou, A.; “Understanding Governance, Risk and Compliance Information Systems, The Experts’ View,” InfoSyst Front, no. 18, 2016, p. 1251-1263
⁷ Rakhorst, J.; “Structures, Processes and Relational Mechanisms Needed to Formulate a Good Business Information Security Strategy,” Antwerp Management School, Belgium, 2013
⁸ Bobbert, Y.; “Porter’s Elements for a Business Information Security Strategy,” ISACA Journal, vol. 1, 2015, http://wup.ozone-1.com/resources/isaca-journal/issues
⁹ Bobbert, Y.; H. Mulder; “A Research Journey Into Maturing the Business Information Security of Mid Market Organizations,” International Journal on IT/Business Alignment and Governance, vol. 1, iss. 4, 2010, p. 18-39, http://www.igi-global.com/article/research-journey-into-maturing-business/52061
¹⁰ V. D. Meulen, N; “Investeren in Cybersecurity,” RAND, Europe, 2015
¹¹ Hooper, V.; J. McKissack; “The Emerging Role of the CISO,” Elsevier, 2016, p. 585-591
¹² Op cit van Grembergen et al.
¹³ Op cit World Economic Forum
¹⁴ Steinbart, P. J.; R. L. Raschke; G. Gal; W. N. Dilla; ”SECURQUAL: An Instrument for Evaluating the Effectiveness of Enterprise Information Security Programs,” Journal of Information Systems 2015 Conference, vol. 30, no. 1, 2016, http://aaajournals.org/doi/abs/10.2308/isys-51257?code=aaan-site
¹⁵ Paredes, D.; “Tech Disruption and Cybersecurity Top Boardroom Agenda in NZ,” CIO, 4 February 2016
¹⁶ Siponen, M.; R. Willison; “Information Security Management Standards: Problems and Solutions,” Information and Management, no. 46, 2009
¹⁷ IT Governance Institute, Information Security Governance: Guidance for Board of Directors and Executive Management, 2^nd Edition, USA, 2006
¹⁸ Von Solms, R.; F. Steven; N. Sohabi Safa; “Information Security Policy Compliance Model in Organizations,” Computers and Security, 2016, p. 70-82
¹⁹ Ibid.
²⁰ Ibid.
²¹ Chang, S. E.; C. B. Ho; “Organizational Factors to the Effectiveness of Implementing Information Security Management,” Industrial Management and Data Systems, 2006, p. 345-361
²² Von Solms, S.; R. von Solms; Information Security Governance, Springer, USA, 2009
²³ Gordon, L. A.; M. P. Loeb; W. Lucyshyn; R. Richardson; “CSI/FBI Computer Crime and Security Survey,” Computer Security Institute, 2004
²⁴ Dhillon, G.; G. Tejay; W. Hong; “Identifying Governance Dimensions to Evaluate System Information Security in Organizations,” Proceedings of the 40^th Annual Hawaii International Conference on Systems Sciences, January 2007, p. 10
²⁵ Von Solms, B.; “The 10 Deadly Sins of Information Security Management,” Computers and Security, vol. 23, iss. 1, 2004
²⁶ Alreemy, Z.; V. Chang; R. Walters; G. Wills; “Critical Success Factors (CSFs) for Information Technology Governance (ITG),” International Journal of Information Management, vol. 36, 2016, p. 907-916
²⁷ Recker, J.; Scientific Research in information Systems: A Beginner’s Guide, Springer, USA, 2013, p. 162
²⁸ ISACA, COBIT 5 for Information Security, USA, 2013
²⁹ Op cit Alreemy et al.
³⁰ Op cit Recker
³¹ Ibid.
³² Driscoll, D. L.; A. Appiah-Yeboah; P. Salib; D. J., Rupert; “Merging Qualitative and Quantitative Data in Mixed Methods Research: How to and Why Not,” DigitalCommons@University of Nebraska—Lincoln, 2007, http://digitalcommons.unl.edu/cgi/viewcontent.cgi?article=1012&context=icwdmeea
³³ De Vreede, G. J.; D. Vogel; G. Kolfschoten; J. Wien; “Fifteen Years of GSS in the Field: A Comparison Across Time and National Boundaries,” Proceedings of the 36^th Hawaii International Conference on System Sciences, 2003, http://ieeexplore.ieee.org/document/1173646/?reload=true
³⁴ De Vreede, G. J.; R. O. Briggs; R. van Duin; B. Enserink; “Athletics in Electronic Brainstorming: Asynchronous Electronic Brainstorming in Very Large Groups,” Proceedings of the 33^rd Hawaii International Conference on System Sciences, 2000, http://ieeexplore.ieee.org/document/926627/?denied
³⁵ Ibid.
³⁶ Ibid.
³⁷ Bobbert, Y.; “Defining a Research Method for Engineering a Business Information Security Artefact,” Proceedings of the Enterprise Engineering Working Conference (EEWC) Forum, 2017, http://ceur-ws.org/Vol-1838/paper-05.pdf
³⁸ Wilkinson, P.; “COBIT 5.0 Culture, Ethics, Behavior: A Critical Enabler for Digital Transformation,” LinkedIn, 15 February 2016, http://www.linkedin.com/pulse/cobit-50-cultureethicsbehaviora-critical-enabler-paul-wilkinson/
³⁹ Papelard, T.; Y. Bobbert; Critical Success Factors for Effective Business Information Security, publication forthcoming in 2018
⁴⁰ Ibid.
⁴¹ Bobbert, Y.; H. Mulder; “Governance Practices and Critical Succes Factors Suitable for Business Information Security,” International Conference on Computational Intelligence and Communication Networks, India, 2015, http://ieeexplore.ieee.org/document/7546267/
⁴² Op cit Siponen
⁴³ Op cit Bobbert and Mulder, “A Research Journey into Maturing the Business Information Security of Mid Market Organizations”
⁴⁴ Op cit Bobbert, “Porter’s Elements for a Business Information Security Strategy”
⁴⁵ Kaplan R.; D. Norton; Using the Balanced Scorecard as Strategic Management System, Harvard Business School Press, USA, 1996
⁴⁶ Miller, G.; “60% of Small Companies That Suffer a Cyber Attack Are Out of Business Within Six Months,” The Denver Post, 23 October 2016, www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/